• 创建脚本 create_k8s_account.sh

使用以下脚本可以创建一个只对某个命名空间有操作权限的 kubeconfig 文件，具体所需权限可以自行调整脚本中生成的 yaml 内容

#!/bin/bash

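# Print the expected invocation to stderr and abort. Argument order:
# user, namespace, cluster name, API server URL, certificate validity in days,
# organization (becomes the O= component of the client certificate subject).
Usage() {
	printf '%s <user> <namespace> <cluster_name> <master_server> <expire_days> <org>\n' "$0" >&2
	exit 1
}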

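# Abort on any failed command, unset variable or failed pipeline stage: every
# later step writes key material, and a failure must not leave a half-built
# kubeconfig behind that looks usable.
set -euo pipefail

if [[ $# -ne 6 ]]; then
	Usage
fi

user=$1
namespace=$2
cluster_name=$3
master_server=$4
expire_days=$5
organization=$6
shift 6

# user/namespace/cluster_name/organization end up as file names, certificate
# DN components and label values, so reject anything that could alter path or
# DN structure (slashes, whitespace, a leading dash) before anything is written.
name_re='^[A-Za-z0-9][A-Za-z0-9._-]*$'
for value in "$user" "$namespace" "$cluster_name" "$organization"; do
	if [[ ! "$value" =~ $name_re ]]; then
		printf 'invalid name argument: %s\n' "$value" >&2
		exit 1
	fi
done
# -days is passed straight to openssl; an empty or non-numeric value would make
# it fail (or be misread) rather than produce the intended validity.
if [[ ! "$expire_days" =~ ^[1-9][0-9]*$ ]]; then
	printf 'expire_days must be a positive integer, got: %s\n' "$expire_days" >&2
	exit 1
fi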

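# Per-user key material lives next to the cluster CA (../ca.crt, ../ca.key), so
# this has to run on a control-plane node with access to the CA key. Abort if
# the directory cannot be entered: otherwise the openssl calls below would write
# keys into whatever directory the caller happened to be in.
pki_users_dir=/etc/kubernetes/pki/users
mkdir -p -- "$pki_users_dir" || exit 1
cd -- "$pki_users_dir" || exit 1

# Minimal openssl config; only the v3_req_client section is referenced below.
# Quoted delimiter: nothing inside is expanded by the shell.
cat >openssl.cnf <<'EOF'
[ req ]
default_bits = 2048
default_md = sha256
distinguished_name = req_distinguished_name

[req_distinguished_name]

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, digitalSignature, keyEncipherment, keyCertSign

[ v3_req_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth

[ v3_req_client ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
EOF

# Client key and CSR. The API server takes the user name from CN and the
# user's groups from O, so these two fields are the identity being minted.
openssl genrsa -out "$user.key" 2048 || exit 1
# The private key is the credential itself; make sure it is never readable by
# other local users regardless of the caller's umask.
chmod -- 600 "$user.key"
openssl req -new -key "$user.key" -subj "/CN=$user/O=$organization" -out "$user.csr" || exit 1

# Sign with the cluster CA as a client-auth-only certificate. -sha256 is given
# explicitly: default_md in the config only affects `req`, not `x509 -req`,
# and older openssl builds otherwise fall back to a weaker default digest.
openssl x509 -req -in "$user.csr" \
  -CA ../ca.crt -CAkey ../ca.key -CAcreateserial \
  -extensions v3_req_client -extfile openssl.cnf \
  -sha256 -days "${expire_days:?expire_days must be set}" \
  -out "$user.crt" || exit 1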

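# Assemble a standalone kubeconfig named after the user in the current
# directory (/etc/kubernetes/pki/users). --embed-certs inlines the CA, client
# certificate and private key, so this single file is a complete credential.
export KUBE_APISERVER="$master_server"
kubeconfig="$user"

kubectl config set-cluster "$cluster_name" \
  --certificate-authority=../ca.crt \
  --server="$KUBE_APISERVER" \
  --embed-certs=true \
  --kubeconfig="$kubeconfig" || exit 1

kubectl config set-credentials "$user" \
  --client-certificate="$user.crt" \
  --client-key="$user.key" \
  --embed-certs=true \
  --kubeconfig="$kubeconfig" || exit 1

kubectl config set-context "$cluster_name" \
  --cluster="$cluster_name" \
  --namespace="$namespace" \
  --user="$user" \
  --kubeconfig="$kubeconfig" || exit 1

kubectl config use-context "$cluster_name" --kubeconfig="$kubeconfig" || exit 1

# The file now embeds the private key. kubectl normally creates it 0600
# already, but make that explicit before the file is handed to anyone.
chmod -- 600 "$kubeconfig"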

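# Render the RBAC objects for the new user into the grant directory. They are
# applied separately with kubectl; the certificate only authenticates the user,
# this manifest is what authorizes it.
pki_grant_dir=/etc/kubernetes/pki/grant
mkdir -p -- "$pki_grant_dir" || exit 1
cd -- "$pki_grant_dir" || exit 1

# Unquoted delimiter: $user, $namespace and $organization are expanded. Lines
# starting with '#' are YAML comments and are kept in the written manifest.
cat >"k8s_create_kubeconfig_$user.yaml" <<EOF
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: $user
  namespace: $namespace
  labels:
    rbac.$organization/name: $user
rules:
  # "create" on pods/exec and pods/attach lets the user run commands inside any
  # pod of the namespace; remove those two resources if read-only access is
  # the goal. ("describe" is a kubectl subcommand, not an API verb, and is
  # therefore not listed: it never matched anything.)
  - apiGroups:
    - ""
    resources:
    - pods
    - pods/attach
    - pods/exec
    - pods/log
    - pods/status
    - configmaps
    - services
    - replicationcontrollers
    verbs:
    - get
    - list
    - watch
    - create
    - delete
    - patch
  # Nodes are cluster-scoped; a namespaced Role cannot grant access to them,
  # so this rule has no effect (a ClusterRole/ClusterRoleBinding would be
  # needed). Kept to document the original intent.
  - apiGroups:
    - ""
    resources:
    - nodes
    verbs:
    - get
    - list
  - apiGroups:
    - batch
    resources:
    - jobs
    - cronjobs
    verbs:
    - get
    - list
  - apiGroups:
    - autoscaling
    resources:
    - horizontalpodautoscalers
    verbs:
    - get
    - list
  # The "extensions" group is no longer served by current clusters; on those,
  # Ingress lives in networking.k8s.io and needs its own rule if still wanted.
  - apiGroups:
    - extensions
    - apps
    resources:
    - deployments
    - deployments/status
    - replicasets
    - replicasets/status
    - statefulsets
    - statefulsets/status
    - daemonsets
    - daemonsets/status
    - ingresses
    - ingresses/status
    verbs:
    - get
    - list
    - watch
    - create
    - update
    - delete
---
# Same API version as the Role above; the v1beta1 RBAC API has been removed
# from current Kubernetes releases.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: $user
  namespace: $namespace
  labels:
    rbac.$organization/name: $user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: $user
subjects:
  # Matches the CN of the client certificate. User subjects are not
  # namespaced, so no namespace field belongs here.
  - kind: User
    name: $user
    apiGroup: rbac.authorization.k8s.io
  # The ServiceAccount of the same name (created below) gets identical rights.
  - kind: ServiceAccount
    name: $user
    namespace: $namespace
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: $user
  namespace: $namespace
EOF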

如果是用 kubeadm 创建的集群，使用以下命令创建一个用户名为 test-viewer、有效期为一年、apiserver 地址是 https://k8sapi:6443 的 kubeconfig 文件：

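# The script is invoked via ./ so it must be placed in /etc/kubernetes/pki/grant,
# which is also where it writes the RBAC manifest; the kubeconfig itself is
# written to /etc/kubernetes/pki/users/test-viewer. Stop if the cd fails so the
# following commands do not run in the wrong directory.
cd /etc/kubernetes/pki/grant || exit 1
./create_k8s_account.sh test-viewer test-namespace kubernetes https://k8sapi:6443 365 test || exit 1
# The manifest is what grants the user its permissions; apply it before handing
# out the kubeconfig.
kubectl apply -f k8s_create_kubeconfig_test-viewer.yaml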