zhangguanzhang's Blog

Two common ways to generate a kubeconfig

Word count: 887 | Reading time: 4 min
2018/10/27

Methods

Broadly speaking there are two ways to create a kubeconfig. The certificate-based one is already covered by plenty of tutorials, so the points worth noting are the following:

You can also extract a kubeconfig from a ServiceAccount's token. I have not seen many people use this approach; I picked up the idea from a script written by a foreign author.

Making a kubeconfig from the token in the Secret associated with a ServiceAccount

Here the developers get read-only access. There is actually a built-in ClusterRole called view; you can create your own ClusterRole by adding or removing resource objects or verbs starting from it. Here I use the built-in ClusterRole as is:

```bash
kubectl get clusterrole view -o yaml
```

Build

```bash
KUBE_CONFIG="develoop.kubeconfig"

# Take the apiserver address from kubectl's own kubeconfig.
# Index 0 is used so it matches CLUSTER_NAME below even when several clusters are defined.
KUBE_APISERVER=$(kubectl config view --output=jsonpath='{.clusters[0].cluster.server}')

CLUSTER_NAME=$(kubectl config view -o jsonpath='{.clusters[0].name}')

kubectl get clusterrolebinding develoop &>/dev/null || \
cat << EOF | kubectl apply -f -
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: develoop
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: view # use the built-in view clusterrole directly
subjects:
- kind: ServiceAccount
  name: develoop
  namespace: kube-system
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: develoop # the sa must be created
  namespace: kube-system
EOF

# Wait until the token controller has created the Secret and attached it to the sa.
# Note: since Kubernetes 1.24 this Secret is no longer created automatically; create a
# kubernetes.io/service-account-token Secret for the sa first, or use `kubectl create token`.
SECRET=""
while [ -z "$SECRET" ]; do
  SECRET=$(kubectl -n kube-system get sa/develoop --output=jsonpath='{.secrets[0].name}')
  sleep 1
done
JWT_TOKEN=$(kubectl -n kube-system get secret/"$SECRET" --output=jsonpath='{.data.token}' | base64 -d)

kubectl config set-cluster "${CLUSTER_NAME}" \
  --certificate-authority=/etc/kubernetes/pki/ca.crt \
  --embed-certs=true \
  --server="${KUBE_APISERVER}" \
  --kubeconfig=/etc/kubernetes/${KUBE_CONFIG}

kubectl config set-context "${CLUSTER_NAME}" \
  --cluster="${CLUSTER_NAME}" \
  --user="${CLUSTER_NAME}" \
  --kubeconfig=/etc/kubernetes/${KUBE_CONFIG}

kubectl config set-credentials "${CLUSTER_NAME}" --token="${JWT_TOKEN}" --kubeconfig=/etc/kubernetes/${KUBE_CONFIG}

kubectl config use-context "${CLUSTER_NAME}" --kubeconfig=/etc/kubernetes/${KUBE_CONFIG}

kubectl config view --kubeconfig=/etc/kubernetes/${KUBE_CONFIG}
```

Test

```console
$ kubectl -n kube-system get po --kubeconfig=/etc/kubernetes/develoop.kubeconfig
NAME                             READY   STATUS    RESTARTS   AGE
coredns-7b47bbb54c-gdz7c         1/1     Running   1          90d
coredns-7b47bbb54c-r5ptc         1/1     Running   0          88d
metrics-server-cd9689bdc-fsqtx   1/1     Running   0          88d
$ kubectl -n kube-system scale deploy coredns --replicas=3 --kubeconfig=/etc/kubernetes/develoop.kubeconfig
Error from server (Forbidden): deployments.apps "coredns" is forbidden: User "system:serviceaccount:kube-system:develoop" cannot patch resource "deployments/scale" in API group "apps" in the namespace "kube-system"
$ kubectl -n kube-system logs coredns-7b47bbb54c-gdz7c --kubeconfig=/etc/kubernetes/develoop.kubeconfig
service.consul.:53
.:53
[INFO] plugin/reload: Running configuration MD5 = cf9502cbc94ff538cdc3c08836f7b7d2
 ______                ____  _   _______
/ ____/___  ________  / __ \/ | / / ___/  ~ CoreDNS-1.6.3
/ /   / __ \/ ___/ _ \/ / / /  |/ /\__ \   ~ linux/amd64, go1.12.9, 37b9550
/ /___/ /_/ / /  /  __/ /_/ / /|  /___/ /
\____/\____/_/   \___/_____/_/ |_//____/
[ERROR] plugin/errors: 2 w-3306-mysql.service.consul. A: read udp 10.244.2.31:34409->100.66.0.6:8600: i/o timeout
[INFO] Reloading
[ERROR] Restart failed: plugin/cache: cache TTL can not be zero or negative: 0
[ERROR] plugin/reload: Corefile changed but reload failed: starting with listener file descriptors: plugin/cache: cache TTL can not be zero or negative: 0
[INFO] Reloading
[INFO] plugin/reload: Running configuration MD5 = 67edd8faa109e8c495e8c8835472b3dd
[INFO] Reloading complete
```

As you can see, this kubeconfig can list pods and read their logs, but it cannot change pod state.
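The two things a practitioner usually wants on top of the script and the manual test above are (1) a way to confirm which ServiceAccount a token actually belongs to before wiring it into a kubeconfig, and (2) a repeatable check that the resulting file grants exactly the read-only access the post demonstrates. The following bash is an added example, not code from the original post: it rebuilds the same kind of token-based kubeconfig offline from explicit inputs (API server URL, CA file, token) so it can be tested with constructed values, decodes the token's JWT payload to read its `sub` claim, checks that the file is owner-readable only, and provides `rbac_expectations`, which runs `kubectl auth can-i` against a live cluster (that last function is the only one that needs kubectl and a cluster). All names and the sample values are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). Assumes bash, GNU coreutils
# (base64, cut, tr, sed, ls) and, for rbac_expectations only, kubectl.
set -euo pipefail

# base64url-encode a string without padding, the alphabet JWT segments use.
b64url() { printf '%s' "$1" | base64 | tr -d '\n=' | tr '/+' '_-'; }

# Print the JSON payload (second dot-separated segment) of a JWT.
# Service-account tokens are base64url without '=' padding, so restore the
# padding and the standard alphabet before base64 -d. No signature check is
# done here: this shows what the token claims, not whether it is valid.
jwt_payload() {
  local payload
  payload=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  while [ $(( ${#payload} % 4 )) -ne 0 ]; do payload="${payload}="; done
  printf '%s' "$payload" | base64 -d
}

# Extract the "sub" claim, which for SA tokens is
# system:serviceaccount:<namespace>:<name> (the User shown in RBAC errors).
jwt_subject() {
  jwt_payload "$1" | sed -n 's/.*"sub":"\([^"]*\)".*/\1/p'
}

# Write a kubeconfig equivalent to the post's set-cluster / set-credentials /
# set-context / use-context sequence, with the CA embedded.
#   $1 output path  $2 cluster name  $3 API server URL  $4 CA file  $5 token
write_token_kubeconfig() {
  local out="$1" cluster="$2" server="$3" ca_file="$4" token="$5" ca_b64
  ca_b64=$(base64 < "$ca_file" | tr -d '\n')
  # Subshell so the restrictive umask does not leak to the caller; the token
  # is a bearer credential, so the file must not be group/world readable.
  (
    umask 077
    cat > "$out" <<EOF
apiVersion: v1
kind: Config
clusters:
- name: ${cluster}
  cluster:
    server: ${server}
    certificate-authority-data: ${ca_b64}
users:
- name: ${cluster}
  user:
    token: ${token}
contexts:
- name: ${cluster}
  context:
    cluster: ${cluster}
    user: ${cluster}
current-context: ${cluster}
EOF
  )
}

# Return 0 only if the file is readable and writable by its owner alone (0600).
kubeconfig_is_private() { [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]; }

# Verify the RBAC outcome the post checks by hand, using `kubectl auth can-i`
# (exit 0 = allowed, 1 = denied) against a kubeconfig. Needs a live cluster.
# Reads lines of "<verb> <resource> <yes|no>" on stdin and returns non-zero
# if any actual answer differs from the expectation.
rbac_expectations() {
  local kubeconfig="$1" ns="$2" verb res want got rc=0
  while read -r verb res want; do
    if kubectl auth can-i "$verb" "$res" -n "$ns" --kubeconfig="$kubeconfig" >/dev/null 2>&1; then
      got=yes
    else
      got=no
    fi
    if [ "$got" != "$want" ]; then
      echo "MISMATCH: $verb $res expected=$want got=$got" >&2
      rc=1
    fi
  done
  return $rc
}
# Expectations matching what the post observed for the view-bound account:
#   printf 'get pods yes\nget pods/log yes\npatch deployments/scale no\n' \
#     | rbac_expectations /etc/kubernetes/develoop.kubeconfig kube-system
```

`jwt_subject` is worth running on any token before distributing a kubeconfig built from it: the `sub` claim is exactly the `User` string that appears in `Forbidden` errors, so it confirms the token is bound to the intended ServiceAccount and namespace. `rbac_expectations` turns the post's manual get/scale/logs test into a check that can be re-run whenever the ClusterRole or binding changes.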
