Kubernetes Notes

Generating a kubeconfig with specific permissions and a quota

1. Steps

Note: a one-shot script that runs all of the steps below can be downloaded as generate_kubeconfig.sh.
  • Find a machine that can reach the cluster apiserver and has admin rights on the cluster. The commands below were run directly on a master node.
  • Create a namespace, and create a service account in that namespace.
    # kubectl create namespace test-user-ns
    namespace/test-user-ns created
    # cat service_account.yaml
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: test-user
    # kubectl create -f ./service_account.yaml -n test-user-ns
    serviceaccount/test-user created
  • Get the secret that belongs to the service account. Note that on Kubernetes 1.24 and later a token secret is no longer created automatically for a service account, so "Tokens:" will be empty; either request a short-lived token with kubectl create token test-user -n test-user-ns, or create a Secret of type kubernetes.io/service-account-token carrying the annotation kubernetes.io/service-account.name: test-user and let the token controller populate it.
    # kubectl describe serviceaccount test-user -n test-user-ns
    Name:                test-user
    Namespace:           test-user-ns
    Labels:              <none>
    Annotations:         <none>
    Image pull secrets:  <none>
    Mountable secrets:   test-user-token-5q46v
    Tokens:              test-user-token-5q46v
    Events:              <none>
  • Get the token held in the secret. describe prints the token already base64-decoded; kubectl get secret test-user-token-5q46v -n test-user-ns -o jsonpath='{.data.token}' | base64 -d yields the same value in a form that is easier to script.
    # kubectl describe secret test-user-token-5q46v -n test-user-ns
  • Get the cluster information and save it to cluster-cert.txt. Only certificate-authority-data and server are taken from this file. Be aware that --flatten also writes the admin's own client-certificate-data and client-key-data into it, so delete the file as soon as the two values have been copied and never hand it out together with the generated kubeconfig.
    # kubectl config view --flatten --minify > cluster-cert.txt
  • Generate the kubeconfig from the values above, using the following format:
    apiVersion: v1
    kind: Config
    users:
    - name: test-user
      user:
        token: {TOKEN content of the service account}
    clusters:
    - cluster:
        certificate-authority-data: {certificate-authority-data from cluster-cert.txt}
        server: https://{YOUR_SERVER_IP}:6443
      name: {YOUR_CLUSTER_NAME}
    contexts:
    - context:
        cluster: {YOUR_CLUSTER_NAME}
        user: test-user
      name: test-user-context
    current-context: test-user-context
  • Access control
    Create a Role in the namespace and bind it to the service account created above, so that through RBAC the account can only reach resources inside that namespace. The wildcard rule below grants every verb on every resource in test-user-ns (secrets and the namespace's own Roles and RoleBindings included), i.e. full admin of the namespace. If the user needs less than that, narrow the rule, or bind one of the built-in ClusterRoles (view, edit or admin) to the service account with a RoleBinding instead of writing a custom Role.
    # cat role.yaml
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: Role
    metadata:
      name: test-user-role
      namespace: test-user-ns # Should be the namespace you are granting access to
    rules:
    - apiGroups: ["*"]
      resources: ["*"]
      verbs: ["*"]
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      name: test-user-rolebinding
      namespace: test-user-ns # Should be the namespace you are granting access to
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: Role
      name: test-user-role # Should match the name of the Role
    subjects:
    - namespace: test-user-ns
      kind: ServiceAccount
      name: test-user # Should match the service account name above
    # kubectl create -f ./role.yaml
    role.rbac.authorization.k8s.io/test-user-role created
    rolebinding.rbac.authorization.k8s.io/test-user-rolebinding created
  • Set a quota on the new namespace
    # cat quota.yaml
    apiVersion: v1
    kind: List
    items:
    - apiVersion: v1
      kind: ResourceQuota
      metadata:
        name: quota
      spec:
        hard:
          cpu: "20"     # CPU (same as requests.cpu: sum of CPU requests across the namespace)
          memory: 10Gi  # memory (same as requests.memory)
          pods: "50"    # number of pods
    # kubectl create -f ./quota.yaml -n test-user-ns
    resourcequota/quota created
    Once a quota on cpu or memory is in place, every pod created in the namespace must declare requests for those resources (or a LimitRange must supply defaults); otherwise the apiserver rejects the pod.
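The whole procedure as one script, added here as an example; it is not the page's generate_kubeconfig.sh, which the page does not reproduce. It assumes kubectl on PATH and a current context with cluster-admin rights. It departs from the steps above in a few places a practitioner would want: the server URL and CA bundle are read with kubectl config view -o jsonpath instead of writing the admin's flattened kubeconfig to disk; the token is requested with kubectl create token where kubectl supports it, falling back to a manually created kubernetes.io/service-account-token Secret; the built-in edit ClusterRole is bound instead of the wildcard Role (edit cannot read or change Roles/RoleBindings, so the account cannot widen its own access); the context carries a default namespace; and the result is checked with kubectl auth can-i under the new kubeconfig. The namespace and account names, the quota values, the 8760h token duration and the 30-second wait are placeholders.

```shell
#!/bin/sh
# generate_kubeconfig.sh (added example, not the page's script): namespace, ServiceAccount,
# RoleBinding, ResourceQuota, then a kubeconfig for the SA. Needs kubectl + an admin context.
# Usage: ./generate_kubeconfig.sh <namespace> <serviceaccount> <output-kubeconfig>
set -eu

# Render the kubeconfig text. Args: namespace, SA name, server URL, base64 CA, bearer token.
render_kubeconfig() {
  rk_ns=$1; rk_sa=$2; rk_server=$3; rk_ca=$4; rk_token=$5
  cat <<EOF
apiVersion: v1
kind: Config
clusters:
- name: ${rk_ns}-cluster
  cluster:
    server: ${rk_server}
    certificate-authority-data: ${rk_ca}
users:
- name: ${rk_sa}
  user:
    token: ${rk_token}
contexts:
- name: ${rk_sa}-context
  context:
    cluster: ${rk_ns}-cluster
    namespace: ${rk_ns}
    user: ${rk_sa}
current-context: ${rk_sa}-context
EOF
}

# Server URL and CA straight from the admin context; the admin's client key never touches disk.
cluster_server() { kubectl config view --raw --minify -o jsonpath='{.clusters[0].cluster.server}'; }
cluster_ca()     { kubectl config view --raw --minify -o jsonpath='{.clusters[0].cluster.certificate-authority-data}'; }

# Token for the SA: TokenRequest API on kubectl >= 1.24 (the API server may cap the duration),
# otherwise a kubernetes.io/service-account-token Secret that the token controller fills in.
sa_token() {
  st_ns=$1; st_sa=$2
  kubectl create token "$st_sa" -n "$st_ns" --duration=8760h 2>/dev/null && return 0
  kubectl apply -n "$st_ns" -f - >/dev/null <<EOF
apiVersion: v1
kind: Secret
type: kubernetes.io/service-account-token
metadata:
  name: ${st_sa}-token
  annotations:
    kubernetes.io/service-account.name: ${st_sa}
EOF
  st_i=0
  until st_tok=$(kubectl get secret "${st_sa}-token" -n "$st_ns" -o jsonpath='{.data.token}' 2>/dev/null) && [ -n "$st_tok" ]; do
    [ "$st_i" -lt 30 ] || { echo "timed out waiting for ${st_sa}-token to be populated" >&2; return 1; }
    st_i=$((st_i + 1)); sleep 1
  done
  printf '%s' "$st_tok" | base64 -d
}

# Bind the built-in "edit" ClusterRole rather than a wildcard Role: it cannot read or change
# Roles/RoleBindings, so the SA cannot widen its own access. Quota values are placeholders.
rbac_and_quota() {
  rq_ns=$1; rq_sa=$2
  kubectl apply -n "$rq_ns" -f - <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ${rq_sa}-edit
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: edit
subjects:
- kind: ServiceAccount
  name: ${rq_sa}
  namespace: ${rq_ns}
---
apiVersion: v1
kind: ResourceQuota
metadata:
  name: quota
spec:
  hard:
    requests.cpu: "20"
    requests.memory: 10Gi
    pods: "50"
EOF
}

main() {
  ns=$1; sa=$2; out=$3
  kubectl create namespace "$ns" --dry-run=client -o yaml | kubectl apply -f -
  kubectl create serviceaccount "$sa" -n "$ns" --dry-run=client -o yaml | kubectl apply -f -
  rbac_and_quota "$ns" "$sa"
  token=$(sa_token "$ns" "$sa")
  umask 077  # the kubeconfig is a credential: create it owner-readable only
  render_kubeconfig "$ns" "$sa" "$(cluster_server)" "$(cluster_ca)" "$token" > "$out"
  # Check the scope with the new credentials: "yes" inside the namespace (non-zero exit otherwise),
  # and a warning if the account can act outside it.
  kubectl --kubeconfig "$out" auth can-i create pods -n "$ns"
  if kubectl --kubeconfig "$out" auth can-i create pods -n kube-system >/dev/null 2>&1; then
    echo "WARNING: $sa can create pods outside $ns" >&2
  fi
}
if [ "$#" -eq 3 ]; then main "$@"; fi
```

Run it as ./generate_kubeconfig.sh test-user-ns test-user test-user.kubeconfig and hand the output file to the user; with the namespace set in the context, the user does not need -n on every command, and the can-i checks at the end are the quickest way to confirm the binding landed in the right namespace before the file leaves the machine.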

2. References