Creating a read-only Kubernetes account kubeconfig
In some temporary situations you want to give developers or other staff read-only access to a Kubernetes cluster so they can look at certain resources or logs. On a Kubernetes master node you can create a new user with its own kubeconfig (the config ties together the cluster, a context and the user's credentials), bind that user to a read-only cluster role, and the temporary need is met.
Installing the cfssl tools
```bash
mkdir /root/kube-reader
cd /root/kube-reader

wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
chmod +x cfssl_linux-amd64
mv cfssl_linux-amd64 /usr/local/bin/cfssl
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
chmod +x cfssljson_linux-amd64
mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
chmod +x cfssl-certinfo_linux-amd64
mv cfssl-certinfo_linux-amd64 /usr/local/bin/cfssl-certinfo
```
Generating the certificate
```bash
cp /etc/kubernetes/pki/ca.crt /root/kube-reader
cp /etc/kubernetes/pki/ca.key /root/kube-reader
cp /etc/kubernetes/admin.conf /root/kube-reader
```

ca.key is the cluster CA's private key: whoever holds it can mint a certificate for any username or group, including `system:masters`, so a copy of it is a cluster-admin credential. Keep it on the master, never hand it over together with the kubeconfig, and delete /root/kube-reader/ca.key once devuser's certificate has been signed (cfssl can also read /etc/kubernetes/pki/ca.key in place). admin.conf is copied here for reference only; the commands below do not use it.
devuser-csr.json (the CN becomes the Kubernetes username and each O becomes a group; `hosts` stays empty for a client certificate):

```json
{
  "CN": "devuser",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
```
ca-config.json, the signing profile (only `client auth` is needed for a client certificate; `server auth` is harmless but unnecessary):

```json
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "kubernetes": {
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ],
        "expiry": "87600h"
      }
    }
  }
}
```

Note the expiry: 87600h is ten years. Kubernetes does not support certificate revocation, so once issued the certificate stays valid until it expires or the cluster CA is rotated. For a temporary account shorten `expiry` to the length of the engagement (for example `720h` for 30 days).
```bash
cfssl gencert -ca=ca.crt -ca-key=ca.key -config=ca-config.json -profile=kubernetes devuser-csr.json | cfssljson -bare devuser
```

This writes devuser.pem (the certificate), devuser-key.pem (the private key) and devuser.csr into the current directory.
```bash
cfssl-certinfo -cert devuser.pem
```

Check that the subject's common_name is devuser, that organization is k8s (not a privileged group such as system:masters) and that not_after matches the intended lifetime before going further.
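The CN/O mapping and the expiry choice above are easy to get wrong, and the API server gives no feedback until the first request. As an added example (not part of the original walkthrough), this script reads devuser-csr.json and ca-config.json, derives the username and groups the API server will see, and flags the settings that matter for a temporary read-only account. The 30-day maximum, the reserved-prefix check and the file names are this example's own assumptions.

```python
"""Lint a cfssl CSR request and signing profile before minting a Kubernetes
client certificate.

Added example, not part of the original walkthrough. Kubernetes reads the
certificate Subject as: CN -> username, each O -> a group. The checks
below derive that identity and flag settings that matter for a temporary
read-only account. MAX_EXPIRY_HOURS and the file-name arguments are this
example's own assumptions.
"""
import json
import re
import sys

# Kubernetes reserves the "system:" prefix; system:masters maps straight to
# cluster-admin and cannot be restricted by RBAC.
PRIVILEGED_GROUPS = {"system:masters"}
RESERVED_PREFIX = "system:"
# Assumed policy for a temporary account: at most 30 days.
MAX_EXPIRY_HOURS = 30 * 24


def parse_expiry_hours(expiry):
    """cfssl expiry values are Go durations; this handles the 'NNNh' form."""
    m = re.fullmatch(r"\s*(\d+)h\s*", expiry)
    if not m:
        raise ValueError(f"unsupported expiry format: {expiry!r}")
    return int(m.group(1))


def k8s_identity(csr):
    """Return (username, groups) as the API server will see them."""
    username = csr["CN"]
    groups = [n["O"] for n in csr.get("names", []) if "O" in n]
    return username, groups


def lint_csr(csr, ca_config, profile="kubernetes"):
    """Return a list of findings; an empty list means nothing to object to."""
    findings = []
    username, groups = k8s_identity(csr)

    if username.startswith(RESERVED_PREFIX):
        findings.append(f"CN={username!r} uses the reserved system: prefix")
    for g in groups:
        if g in PRIVILEGED_GROUPS:
            findings.append(f"O={g!r} grants cluster-admin regardless of RBAC")
        elif g.startswith(RESERVED_PREFIX):
            findings.append(f"O={g!r} uses the reserved system: prefix")

    if csr.get("hosts"):
        findings.append("hosts should be empty for a client certificate")

    prof = ca_config["signing"]["profiles"][profile]
    usages = set(prof.get("usages", []))
    if "client auth" not in usages:
        findings.append("profile lacks 'client auth'; the API server checks "
                        "the EKU of client certificates")
    if "server auth" in usages:
        findings.append("profile includes 'server auth', unnecessary for a "
                        "client certificate")

    expiry = prof.get("expiry") or ca_config["signing"]["default"]["expiry"]
    hours = parse_expiry_hours(expiry)
    if hours > MAX_EXPIRY_HOURS:
        findings.append(f"expiry {expiry} exceeds {MAX_EXPIRY_HOURS}h; Kubernetes "
                        "cannot revoke client certificates, so a leaked cert "
                        "stays valid until then")
    return findings


# Constructed copies of the two JSON files from the walkthrough.
DEVUSER_CSR = {
    "CN": "devuser",
    "hosts": [],
    "key": {"algo": "rsa", "size": 2048},
    "names": [{"C": "CN", "ST": "BeiJing", "L": "BeiJing", "O": "k8s", "OU": "System"}],
}
CA_CONFIG = {
    "signing": {
        "default": {"expiry": "87600h"},
        "profiles": {
            "kubernetes": {
                "usages": ["signing", "key encipherment", "server auth", "client auth"],
                "expiry": "87600h",
            }
        },
    }
}

if __name__ == "__main__":
    # Usage: python3 lint_csr.py devuser-csr.json ca-config.json
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f1, open(sys.argv[2]) as f2:
            csr, cfg = json.load(f1), json.load(f2)
    else:
        csr, cfg = DEVUSER_CSR, CA_CONFIG
    user, groups = k8s_identity(csr)
    print(f"Kubernetes identity: user={user} groups={groups}")
    for finding in lint_csr(csr, cfg):
        print("WARN:", finding)
```

Run against the two files from this walkthrough it reports the identity `devuser` / `['k8s']` and two warnings: the unnecessary `server auth` usage and the ten-year expiry.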
- Generate the kubeconfig file
  - devuser.kubeconfig: the read-only kubeconfig being generated
  - k8s-api-server: the API server address; take it from the `server:` field in /root/.kube/config
  - The cluster and context names (`kubernetes` below) are labels local to this kubeconfig. The walkthrough keeps them identical to the names kubeadm writes in /etc/kubernetes/kubelet.conf, but any name works as long as set-cluster, set-context and use-context agree
```bash
kubectl config set-cluster kubernetes \
  --certificate-authority=ca.crt \
  --embed-certs=true \
  --server=https://k8s-api-server:6443 \
  --kubeconfig=devuser.kubeconfig
```
Setting the user credentials and context in the kubeconfig
```bash
kubectl config set-credentials devuser \
  --client-certificate=devuser.pem \
  --client-key=devuser-key.pem \
  --embed-certs=true \
  --kubeconfig=devuser.kubeconfig
```

```bash
kubectl config set-context kubernetes \
  --cluster=kubernetes \
  --user=devuser \
  --kubeconfig=devuser.kubeconfig
```

```bash
kubectl config use-context kubernetes --kubeconfig=devuser.kubeconfig
```

```bash
kubectl get po --kubeconfig=./devuser.kubeconfig
# Expect a "forbidden" error here: the certificate authenticates devuser,
# but no RBAC binding grants it anything yet. That is configured next.
```
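What the four `kubectl config` commands produce is an ordinary YAML/JSON file with the PEM blobs base64-embedded, which is why devuser.kubeconfig is itself a credential and should be handed over with 0600 permissions. This added example, not code from the original post, builds the same structure in Python and sanity-checks a kubeconfig before it is given out; the PEM strings are constructed placeholders, not real keys or certificates.

```python
"""Build and sanity-check a kubeconfig equivalent to kubectl config
set-cluster / set-credentials / set-context / use-context with
--embed-certs=true.

Added example, not part of the original post. The PEM strings below are
constructed placeholders. kubectl reads JSON kubeconfigs (JSON is valid
YAML), so the dict can be written out with json.dumps.
"""
import base64
import json


def embed_pem(pem_text):
    """--embed-certs stores the file contents as base64 in a *-data field."""
    return base64.b64encode(pem_text.encode()).decode()


def build_kubeconfig(cluster, server, ca_pem, user, cert_pem, key_pem, context=None):
    """Return a kubeconfig dict with cluster CA and client cert/key embedded."""
    context = context or cluster
    return {
        "apiVersion": "v1",
        "kind": "Config",
        "preferences": {},
        "clusters": [{"name": cluster, "cluster": {
            "server": server,
            "certificate-authority-data": embed_pem(ca_pem)}}],
        "users": [{"name": user, "user": {
            "client-certificate-data": embed_pem(cert_pem),
            "client-key-data": embed_pem(key_pem)}}],
        "contexts": [{"name": context, "context": {"cluster": cluster, "user": user}}],
        "current-context": context,
    }


def check_kubeconfig(cfg):
    """Flag settings that make a handed-out kubeconfig unsafe or non-portable."""
    findings = []
    contexts = {c["name"]: c["context"] for c in cfg.get("contexts", [])}
    ctx = contexts.get(cfg.get("current-context"))
    if ctx is None:
        return ["current-context does not name a defined context"]
    clusters = {c["name"]: c["cluster"] for c in cfg.get("clusters", [])}
    users = {u["name"]: u["user"] for u in cfg.get("users", [])}
    cl = clusters.get(ctx.get("cluster"), {})
    us = users.get(ctx.get("user"), {})

    if cl.get("insecure-skip-tls-verify"):
        findings.append("insecure-skip-tls-verify is set: API server identity is not checked")
    elif "certificate-authority-data" not in cl:
        findings.append("cluster CA is not embedded; the file only works where the CA path exists")
    if not str(cl.get("server", "")).startswith("https://"):
        findings.append("server URL is not https")
    if "client-certificate" in us or "client-key" in us:
        findings.append("client cert/key referenced by path instead of embedded")
    if "token" in us:
        findings.append("bearer token present; confirm this is the intended credential")
    if "client-certificate-data" in us:
        pem = base64.b64decode(us["client-certificate-data"]).decode(errors="replace")
        if "-----BEGIN CERTIFICATE-----" not in pem:
            findings.append("client-certificate-data does not decode to a PEM certificate")
    return findings


# Constructed placeholder PEM bodies (not real certificates or keys).
CA_PEM = "-----BEGIN CERTIFICATE-----\nMIIB...ca\n-----END CERTIFICATE-----\n"
CERT_PEM = "-----BEGIN CERTIFICATE-----\nMIIB...devuser\n-----END CERTIFICATE-----\n"
KEY_PEM = "-----BEGIN RSA PRIVATE KEY-----\nMIIE...devuser\n-----END RSA PRIVATE KEY-----\n"

if __name__ == "__main__":
    cfg = build_kubeconfig("kubernetes", "https://k8s-api-server:6443",
                           CA_PEM, "devuser", CERT_PEM, KEY_PEM)
    print(json.dumps(cfg, indent=2))
    print("findings:", check_kubeconfig(cfg))
```

To check the real file, feed it `kubectl config view --raw -o json --kubeconfig devuser.kubeconfig` parsed with `json.load`; a clean result means the CA and client credentials are embedded, TLS verification is on, and the file will work unchanged on another machine.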
Binding a cluster role to the kubeconfig user

Read-only example for secrets, `cat clusterrole.yaml`:

Before copying this, keep in mind that cluster-wide read access to secrets is not a harmless "read-only" grant. Every Secret holds credentials (service account tokens, registry passwords, TLS keys), so anyone who can list them effectively holds those credentials. The built-in `view` ClusterRole omits secrets for exactly this reason. Use the rule below only when the temporary task genuinely needs secrets, and prefer a namespaced Role/RoleBinding when it does.
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: secret-reader
rules:
- apiGroups: [""]
  resources: ["secrets","namespaces"]
  verbs: ["get", "watch", "list"]
```
```bash
kubectl apply -f clusterrole.yaml
```

```bash
kubectl create clusterrolebinding devuser-secret --clusterrole=secret-reader --user=devuser
```

```bash
kubectl get secret --kubeconfig devuser.kubeconfig
```
- To see what the built-in read-only role grants across all cluster resources: `kubectl get clusterrole view -o yaml`
- To give read-only access to all resources, extend `clusterrole.yaml` with the rules from `view`. The name stays `secret-reader`, so `kubectl apply` replaces the role in place and the existing binding keeps working. The `extensions` group rules below come from the `view` role of older releases; most `extensions/v1beta1` resources were removed in Kubernetes 1.16 (Ingress in 1.22), and since RBAC does not validate API groups these rules are harmless but inert on newer clusters:
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: secret-reader
rules:
- apiGroups: [""]
  resources: ["secrets","namespaces"]
  verbs: ["get", "watch", "list"]
- apiGroups:
  - ""
  resources:
  - configmaps
  - endpoints
  - persistentvolumeclaims
  - persistentvolumeclaims/status
  - pods
  - replicationcontrollers
  - replicationcontrollers/scale
  - serviceaccounts
  - services
  - services/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - bindings
  - events
  - limitranges
  - namespaces/status
  - pods/log
  - pods/status
  - replicationcontrollers/status
  - resourcequotas
  - resourcequotas/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - apps
  resources:
  - controllerrevisions
  - daemonsets
  - daemonsets/status
  - deployments
  - deployments/scale
  - deployments/status
  - replicasets
  - replicasets/scale
  - replicasets/status
  - statefulsets
  - statefulsets/scale
  - statefulsets/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - autoscaling
  resources:
  - horizontalpodautoscalers
  - horizontalpodautoscalers/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - batch
  resources:
  - cronjobs
  - cronjobs/status
  - jobs
  - jobs/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - extensions
  resources:
  - daemonsets
  - daemonsets/status
  - deployments
  - deployments/scale
  - deployments/status
  - ingresses
  - ingresses/status
  - networkpolicies
  - replicasets
  - replicasets/scale
  - replicasets/status
  - replicationcontrollers/scale
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - policy
  resources:
  - poddisruptionbudgets
  - poddisruptionbudgets/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses
  - ingresses/status
  - networkpolicies
  verbs:
  - get
  - list
  - watch
```
- Apply the configuration:

```bash
kubectl apply -f clusterrole.yaml
```

- Listing pods again now succeeds without a permission error:

```bash
kubectl get po --kubeconfig=./devuser.kubeconfig
```
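Before binding a role that is supposed to be read-only, it is worth auditing what it actually grants. This added example, not from the original post, takes the JSON that `kubectl get clusterrole <name> -o json` prints (or the secret-reader role above, embedded as constructed data) and reports wildcard grants, escalation verbs, exec-style subresources and secret reads. The severity labels and the lists of sensitive verbs and resources are this example's own choices, not a Kubernetes-defined list.

```python
"""Audit a ClusterRole (or Role) that is meant to be read-only.

Added example, not from the original post. Reads the JSON printed by
`kubectl get clusterrole <name> -o json` from stdin, or falls back to the
secret-reader role from the walkthrough embedded below. The sets of
sensitive verbs/resources and the severities are this example's choices.
"""
import json
import sys

READ_VERBS = {"get", "list", "watch"}
# Verbs that let a subject obtain more rights than the role itself grants.
ESCALATION_VERBS = {"escalate", "bind", "impersonate"}
# Subresources that give code execution, traffic into pods, or fresh tokens.
EXEC_LIKE = {"pods/exec", "pods/attach", "pods/portforward", "serviceaccounts/token"}
# Reading these is equivalent to holding every credential stored in the cluster.
CREDENTIAL_RESOURCES = {"secrets"}


def audit_rules(rules):
    """Return a list of (severity, message) for every questionable grant."""
    findings = []
    for i, rule in enumerate(rules):
        groups = rule.get("apiGroups", [])
        resources = set(rule.get("resources", []))
        verbs = set(rule.get("verbs", []))
        where = f"rule[{i}]"

        if "*" in groups or "*" in resources or "*" in verbs:
            findings.append(("HIGH", f"{where}: wildcard grant "
                             f"{groups}/{sorted(resources)}/{sorted(verbs)}"))
        for v in sorted(verbs & ESCALATION_VERBS):
            findings.append(("HIGH", f"{where}: verb {v!r} allows privilege escalation"))
        for r in sorted(resources & EXEC_LIKE):
            findings.append(("HIGH", f"{where}: {r} grants exec/attach/token-style access"))
        if resources & CREDENTIAL_RESOURCES and verbs & READ_VERBS:
            findings.append(("HIGH", f"{where}: read access to secrets exposes every "
                             "stored credential; the built-in 'view' role omits them"))
        extra = verbs - READ_VERBS - ESCALATION_VERBS
        if extra and "*" not in verbs:
            findings.append(("MEDIUM", f"{where}: non-read verbs {sorted(extra)} "
                             "in a read-only role"))
    return findings


def audit_clusterrole(obj):
    """Accept a ClusterRole/Role object as parsed from kubectl's JSON output."""
    kind = obj.get("kind")
    if kind not in ("ClusterRole", "Role"):
        raise ValueError(f"expected a ClusterRole or Role, got {kind!r}")
    return audit_rules(obj.get("rules") or [])


# Constructed sample: the first secret-reader role from the walkthrough.
SECRET_READER = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRole",
    "metadata": {"name": "secret-reader"},
    "rules": [
        {"apiGroups": [""], "resources": ["secrets", "namespaces"],
         "verbs": ["get", "watch", "list"]},
    ],
}

if __name__ == "__main__":
    # Usage: kubectl get clusterrole secret-reader -o json | python3 audit_role.py
    obj = SECRET_READER if sys.stdin.isatty() else json.load(sys.stdin)
    findings = audit_clusterrole(obj)
    for severity, msg in findings:
        print(severity, msg)
    if not findings:
        print("no findings")
```

Run on the secret-reader role it reports a single HIGH finding for the secrets rule; the expanded role further down gets the same single finding, because everything it copies from `view` is get/list/watch on non-credential resources.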
Creating a CentOS user and making the kubeconfig its default
```bash
adduser devuser
passwd devuser
```

```bash
# Do not copy root's ~/.kube/ wholesale: its config is the cluster-admin
# credential. Only the read-only kubeconfig belongs in devuser's home.
mkdir -p /home/devuser/.kube
cp devuser.kubeconfig /home/devuser/.kube/config
chown -R devuser:devuser /home/devuser/.kube
chmod 600 /home/devuser/.kube/config
```

Giving a developer a shell on the control-plane node is itself a widening of access. If the only requirement is read-only kubectl, hand devuser.kubeconfig to the developer to use from their own workstation instead of creating an OS account on the master.
- After this, when logged in as devuser, kubectl commands no longer need the --kubeconfig parameter.