zhangguanzhang's Blog

Two common ways to generate a kubeconfig

2018/10/27

Approaches

Broadly speaking there are two ways to create a kubeconfig: with a client certificate, or with a ServiceAccount token. For the certificate approach there are plenty of tutorials around; what needs attention is the following:

You can also cut a kubeconfig out of a ServiceAccount's token. I have not seen many people use this approach; I picked up the idea from a script written by someone abroad.

Building a kubeconfig from the token in a ServiceAccount's Secret

Here the developers get read-only access. Kubernetes ships a built-in ClusterRole named view; you can use it as a template and add or remove resources and verbs to create your own ClusterRole. I use the built-in one directly here. Keep in mind what view covers: read access to most namespaced objects, including ConfigMaps and pod logs, but not Secrets, Roles or RoleBindings. Check it with:

kubectl get clusterrole view -o yaml

Building it


#!/usr/bin/env bash
# Create the ServiceAccount and bind it to the built-in view ClusterRole
# (skipped if the binding already exists). The binding is cluster-wide.
kubectl get clusterrolebinding develoop &>/dev/null || \
cat << EOF | kubectl apply -f -
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: develoop
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: view # use the built-in view ClusterRole directly
subjects:
- kind: ServiceAccount
  name: develoop
  namespace: kube-system
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: develoop # the SA must exist
  namespace: kube-system
EOF

KUBE_CONFIG="develoop.kubeconfig"

# Take the API server address and the cluster name from the kubeconfig kubectl is using
KUBE_APISERVER=$(kubectl config view -o jsonpath='{.clusters[0].cluster.server}')
CLUSTER_NAME=$(kubectl config view -o jsonpath='{.clusters[0].name}')

NS=kube-system

# Wait for the token controller to create the SA's token Secret.
# Note: on Kubernetes 1.24 and later no Secret is created automatically, so this
# loop never ends there; use "kubectl -n $NS create token develoop" or create a
# Secret of type kubernetes.io/service-account-token yourself instead.
SECRET=""
while [ -z "$SECRET" ]; do
  SECRET=$(kubectl -n $NS get sa/develoop -o jsonpath='{.secrets[0].name}')
  sleep 1
done
JWT_TOKEN=$(kubectl -n $NS get secret/$SECRET -o jsonpath='{.data.token}' | base64 -d)

# Some setups use the suffix ca.pem
CA=/etc/kubernetes/pki/ca.crt

# Cluster entry, with the CA embedded so the kubeconfig is self-contained
kubectl config set-cluster ${CLUSTER_NAME} \
  --certificate-authority=${CA} \
  --embed-certs=true \
  --server=${KUBE_APISERVER} \
  --kubeconfig=/etc/kubernetes/${KUBE_CONFIG}

# Cluster, user and context entries all reuse the cluster name here
kubectl config set-context ${CLUSTER_NAME} \
  --cluster=${CLUSTER_NAME} \
  --user=${CLUSTER_NAME} \
  --kubeconfig=/etc/kubernetes/${KUBE_CONFIG}

# The user entry carries the bearer token
kubectl config set-credentials ${CLUSTER_NAME} --token=${JWT_TOKEN} --kubeconfig=/etc/kubernetes/${KUBE_CONFIG}

kubectl config use-context ${CLUSTER_NAME} --kubeconfig=/etc/kubernetes/${KUBE_CONFIG}

# The token and CA data are redacted in this view; add --raw to see them
kubectl config view --kubeconfig=/etc/kubernetes/${KUBE_CONFIG}
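Two things the script above leaves you wanting in practice: a look inside the token you just embedded (who does it claim to be, and does it ever expire), and a way to get a token on clusters where no Secret is created for the ServiceAccount. The following is an added example, not code from the original post. It assumes bash with GNU coreutils; the sample token it decodes is constructed inline rather than taken from a cluster, and the sa_token helper needs a real cluster and kubectl, so it is defined but not run.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. Assumes bash and GNU coreutils
# (base64 -d, tr, cut, sed). Only sa_token talks to a cluster.
set -eo pipefail

# base64url -> bytes: swap the URL alphabet back and restore the padding JWTs strip.
b64url_decode() {
  local s="${1//-/+}"
  s="${s//_//}"
  case $(( ${#s} % 4 )) in
    2) s="${s}==" ;;
    3) s="${s}=" ;;
  esac
  printf '%s' "$s" | base64 -d
}

# bytes -> base64url (used only to build the constructed sample token below).
b64url_encode() {
  printf '%s' "$1" | base64 | tr -d '\n=' | tr '+/' '-_'
}

# Print the claim set (second segment) of a JWT. The signature is deliberately not
# checked: the API server verifies it; this only shows who the token claims to be.
jwt_claims() {
  b64url_decode "$(printf '%s' "$1" | cut -d. -f2)"
}

# Pull one top-level claim ("sub", "iss", "exp", ...) out of the claim set without jq.
# Prints nothing if the claim is absent, e.g. "exp" on a legacy Secret-based token.
jwt_claim() {
  jwt_claims "$1" | tr -d '\n' | sed -n "s/.*\"$2\":\"\{0,1\}\([^\",}]*\).*/\1/p"
}

# Write a token kubeconfig with the CA embedded, without calling kubectl at all.
# This is the file the kubectl config set-* sequence above produces.
write_token_kubeconfig() { # OUT SERVER CA_FILE TOKEN [NAME]
  local out="$1" server="$2" ca_file="$3" token="$4" name="${5:-develoop}"
  local ca_b64
  ca_b64=$(base64 < "$ca_file" | tr -d '\n')
  # the file carries a bearer credential: create it owner-readable only
  (
    umask 077
    cat > "$out" <<EOF
apiVersion: v1
kind: Config
clusters:
- name: ${name}
  cluster:
    server: ${server}
    certificate-authority-data: ${ca_b64}
users:
- name: ${name}
  user:
    token: ${token}
contexts:
- name: ${name}
  context:
    cluster: ${name}
    user: ${name}
current-context: ${name}
EOF
  )
}

# Constructed sample token: the claims a legacy ServiceAccount Secret token carries
# (note: no "exp"), with a dummy signature. Real tokens come from the cluster.
make_sample_token() {
  local hdr='{"alg":"RS256","kid":"demo"}'
  local claims='{"iss":"kubernetes/serviceaccount","kubernetes.io/serviceaccount/namespace":"kube-system","kubernetes.io/serviceaccount/service-account.name":"develoop","sub":"system:serviceaccount:kube-system:develoop"}'
  printf '%s.%s.%s' "$(b64url_encode "$hdr")" "$(b64url_encode "$claims")" "ZHVtbXk"
}

# Kubernetes 1.24+ no longer creates a token Secret per ServiceAccount, so the
# polling loop in the script above never finishes there. Request a bound token
# instead; the API server may cap the duration you ask for.
sa_token() { # NAMESPACE SERVICEACCOUNT [DURATION]
  local ns="$1" sa="$2" duration="${3:-8760h}"
  kubectl -n "$ns" create token "$sa" --duration="$duration"
}

# Demo on the constructed token.
tok=$(make_sample_token)
exp=$(jwt_claim "$tok" exp)
echo "subject: $(jwt_claim "$tok" sub)"
echo "expires: ${exp:-never (legacy Secret token; revoke it by deleting the Secret)}"
```

A legacy Secret-based token has no exp claim and stays valid until the Secret is deleted, so handing one to developers means handing out a long-lived credential; a token from kubectl create token expires and has to be reissued. Either way the kubeconfig file is a bearer credential: keep it owner-only and rotate it when someone leaves.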

Testing

$ kubectl -n kube-system get po --kubeconfig=/etc/kubernetes/develoop.kubeconfig
NAME READY STATUS RESTARTS AGE
coredns-7b47bbb54c-gdz7c 1/1 Running 1 90d
coredns-7b47bbb54c-r5ptc 1/1 Running 0 88d
metrics-server-cd9689bdc-fsqtx 1/1 Running 0 88d
$ kubectl -n kube-system scale deploy coredns --replicas=3 --kubeconfig=/etc/kubernetes/develoop.kubeconfig
Error from server (Forbidden): deployments.apps "coredns" is forbidden: User "system:serviceaccount:kube-system:develoop" cannot patch resource "deployments/scale" in API group "apps" in the namespace "kube-system"
$ kubectl -n kube-system logs coredns-7b47bbb54c-gdz7c --kubeconfig=/etc/kubernetes/develoop.kubeconfig
service.consul.:53
.:53
[INFO] plugin/reload: Running configuration MD5 = cf9502cbc94ff538cdc3c08836f7b7d2
______ ____ _ _______
/ ____/___ ________ / __ \/ | / / ___/ ~ CoreDNS-1.6.3
/ / / __ \/ ___/ _ \/ / / / |/ /\__ \ ~ linux/amd64, go1.12.9, 37b9550
/ /___/ /_/ / / / __/ /_/ / /| /___/ /
\____/\____/_/ \___/_____/_/ |_//____/
[ERROR] plugin/errors: 2 w-3306-mysql.service.consul. A: read udp 10.244.2.31:34409->100.66.0.6:8600: i/o timeout
[INFO] Reloading
[ERROR] Restart failed: plugin/cache: cache TTL can not be zero or negative: 0
[ERROR] plugin/reload: Corefile changed but reload failed: starting with listener file descriptors: plugin/cache: cache TTL can not be zero or negative: 0
[INFO] Reloading
[INFO] plugin/reload: Running configuration MD5 = 67edd8faa109e8c495e8c8835472b3dd
[INFO] Reloading complete

As you can see, the account can list pods and read their logs but cannot change anything: scaling the Deployment is rejected with Forbidden. Two things to keep in mind. Because the binding is a ClusterRoleBinding, this read access applies to every namespace, kube-system included. And although view excludes Secrets, it does include ConfigMaps and pod logs, which frequently contain credentials. If the developers only need one namespace, bind them to the view ClusterRole with a RoleBinding in that namespace instead.

Reference Role

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: develoop
  namespace: xxx
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: xxx-ns-developer
  namespace: xxx
rules:
- apiGroups:
  - "*"
  resources:
  # "secrets" with every verb lets this SA read the other ServiceAccount tokens in the namespace
  - "secrets"
  - "configmaps"
  - "serviceaccounts"
  - "endpoints"
  - "events"
  - "pods"
  - "pods/log"
  - "pods/portforward"
  - "pods/status"
  - "pods/exec"
  - "podtemplates"
  - "resourcequotas"
  - "limitranges"
  - "services"
  - "replicationcontrollers"
  - "daemonsets"
  - "deployments"
  - "deployments/scale"
  - "replicasets"
  - "statefulsets"
  - "cronjobs"
  - "jobs"
  - "persistentvolumeclaims"
  - "ingresses"
  - "networkpolicies"
  - "poddisruptionbudgets"
  verbs:
  - "*"
# Caution: "*" matches every verb, including escalate and bind. Normally the API
# server refuses to let you create a Role with permissions you do not hold yourself,
# but escalate on roles switches that check off and bind on roles lets you bind to
# any Role in the namespace. With both, this SA can write itself a Role that grants
# everything in namespace xxx and bind to it, so the resource list above no longer
# bounds what it can do (it stays confined to xxx). Spell the verbs out
# (get, list, watch, create, update, patch, delete) if that is not what you want.
- apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - rolebindings
  - roles
  verbs:
  - "*"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: roleBinding-for-xxx
  namespace: xxx
subjects:
# you can list more than one subject
- kind: ServiceAccount
  name: develoop # "name" is case-sensitive
  namespace: xxx # required for ServiceAccount subjects
roleRef:
  # "roleRef" names the Role or ClusterRole being bound
  kind: Role # must be Role or ClusterRole
  name: xxx-ns-developer # must match the name of the Role or ClusterRole you are binding
  apiGroup: rbac.authorization.k8s.io
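To see what the two rule blocks above actually grant, here is an added example (not from the original post) that re-implements the matching Kubernetes RBAC applies to apiGroups, resources, subresources and verbs, and runs the Role above and a view-style rule set through it. The one-rule-per-line text format, the spelling of the core API group as "core" and the trimmed resource lists are this example's own conventions; the kubectl auth can-i helper queries a real cluster and is not run here.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: a small re-implementation of the
# rule matching Kubernetes RBAC applies, so a Role can be reasoned about offline.
# Rules are one per line: "apiGroups resources verbs", each a comma-separated
# list; the core API group (really the empty string) is written "core" here.
set -eo pipefail

# Does ITEM, or "*", appear in the comma-separated LIST?
_in_list() { # LIST ITEM
  case ",$1," in *",*,"*|*",$2,"*) return 0 ;; esac
  return 1
}

# Resource matching: "*" matches everything, otherwise an exact match; a
# subresource request like pods/log also matches a "*/log" rule. Note that a
# plain "pods" rule does NOT cover pods/log or pods/exec.
_resource_match() { # LIST RESOURCE
  local list="$1" req="$2" sub="${2#*/}"
  _in_list "$list" "$req" && return 0
  if [ "$sub" != "$req" ]; then
    case ",$list," in *",*/$sub,"*) return 0 ;; esac
  fi
  return 1
}

# rbac_allows RULES VERB APIGROUP RESOURCE -> exit 0 if any rule allows the request.
rbac_allows() {
  local verb="$2" group="$3" res="$4" groups resources verbs
  while read -r groups resources verbs; do
    [ -z "$groups" ] && continue
    _in_list "$groups" "$group" || continue
    _in_list "$verbs" "$verb" || continue
    _resource_match "$resources" "$res" && return 0
  done <<< "$1"
  return 1
}

# The developer Role above, transcribed (only the resources relevant here).
DEVELOPER_RULES='* secrets,configmaps,pods,pods/log,pods/exec,deployments,deployments/scale *
rbac.authorization.k8s.io roles,rolebindings *'

# Same Role with the rbac verbs spelled out: no escalate, no bind.
DEVELOPER_RULES_SAFE='* secrets,configmaps,pods,pods/log,pods/exec,deployments,deployments/scale *
rbac.authorization.k8s.io roles,rolebindings get,list,watch,create,update,patch,delete'

# Read-only rules shaped like the built-in view ClusterRole (no secrets, no pods/exec).
VIEW_RULES='core pods,pods/log,configmaps,services get,list,watch
apps deployments,deployments/scale get,list,watch'

# Ask the real API server the same question, impersonating the ServiceAccount:
#   can_i_sa xxx develoop escalate roles
can_i_sa() { # NAMESPACE SERVICEACCOUNT VERB RESOURCE
  kubectl auth can-i "$3" "$4" -n "$1" --as="system:serviceaccount:$1:$2"
}

# Demo: the scale request from the test above, and the two verbs "*" smuggles in.
for req in "patch apps deployments/scale" \
           "escalate rbac.authorization.k8s.io roles" \
           "bind rbac.authorization.k8s.io roles"; do
  set -- $req
  printf '%-42s view:%-3s developer:%-3s safe:%s\n' "$req" \
    "$(rbac_allows "$VIEW_RULES" "$@" && echo yes || echo no)" \
    "$(rbac_allows "$DEVELOPER_RULES" "$@" && echo yes || echo no)" \
    "$(rbac_allows "$DEVELOPER_RULES_SAFE" "$@" && echo yes || echo no)"
done
```

The output makes the point the comment in the Role makes: with get/list/watch the scale request is refused exactly as in the test above, and with "*" the escalate and bind verbs are granted even though nobody wrote them down. On a live cluster, kubectl auth can-i --list -n xxx --as=system:serviceaccount:xxx:develoop prints the full effective set for the account.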

References
