生成特定权限和配额的kubeconfig

1. 步骤

注：所有步骤的一键生成脚本可以在generate_kubeconfig.sh下载。

找到一台可以访问集群apiserver并且对集群有admin操作权限的机器，以下的操作是直接在master节点上进行的。

创建namespace，并在该namespace时创建一个service account

# kubectl create namespace test-user-ns
namespace/test-user-ns created
# cat service_account.yaml 
apiVersion: v1
kind: ServiceAccount
metadata:
  name: test-user
# kubectl create -f ./service_account.yaml -n test-user-ns
serviceaccount/test-user created

获取该service account对应的secret

# kubectl describe serviceAccounts test-user -n test-user-ns
Name:                test-user
Namespace:           default
Labels:              <none>
Annotations:         <none>
Image pull secrets:  <none>
Mountable secrets:   test-user-token-5q46v
Tokens:              test-user-token-5q46v
Events:              <none>

获取secret对应的token

# kubectl describe secret test-user-token-5q46v -n test-user-ns

获取集群信息，并存到cluster-cert.txt文件里。
```
# kubectl config view --flatten --minify > cluster-cert.txt
```

用以上信息按照下面的格式生成kubeconfig

apiVersion: v1
kind: Config
users:
- name: test-user
  user:
    token: {TOKEN content of the service account}  
clusters:
- cluster:
    certificate-authority-data: {certificate-authority-data from cluster-cert.txt}
    server: https://{YOUR_SERVER_IP}:6443
  name: {YOUR_CLUSTER_NAME}
contexts:
- context:
    cluster: {YOUR_CLUSTER_NAME}
    user: test-user
  name: test-user-context
current-context: test-user-context

权限控制

创建一个新的namepsace和role，并通过rbac控制上面生成的service account只能访问该namespace里的资源。

# cat role.yaml 
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: test-user-role
  namespace: test-user-ns # Should be namespace you are granting access to
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: test-user-rolebinding
  namespace: test-user-ns # Should be namespace you are granting access to
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: test-user-role # Should match name of Role
subjects:
- namespace: test-user-ns
  kind: ServiceAccount
  name: test-user # Should match service account name, above
# kubectl create -f ./role.yaml 
role.rbac.authorization.k8s.io/test-user-role created
rolebinding.rbac.authorization.k8s.io/test-user-rolebinding created

为新建的namespace设置quota

# cat quota.yaml 
apiVersion: v1
kind: List
items:
- apiVersion: v1
  kind: ResourceQuota
  metadata:
    name: quota
  spec:
    hard:
      cpu: "20"    # CPU
      memory: 10Gi  # 内存
      pods: "50"  # pod数
# kubectl create -f ./quota.yaml -n test-user-ns
resourcequota/quota created

2. 参考资料

Creating a kubeconfig file for a self-hosted Kubernetes cluster: http://docs.shippable.com/deploy/tutorial/create-kubeconfig-for-self-hosted-kubernetes-cluster/
Kubernetes: Creating Service Accounts and Kubeconfigs: https://docs.armory.io/spinnaker-install-admin-guides/manual-service-account/
Resource Quotas: https://kubernetes.io/docs/concepts/policy/resource-quotas/

Previous生产力小工具 Next社区贡献

Last updated 4 years ago

Was this helpful?