Creating a read-only Kubernetes account with its own kubeconfig

In some temporary situations you want to give developers or other staff read-only access to a k8s cluster so they can look at certain resources or logs. You can do this by creating a user on the k8s master machine and giving it a new kubeconfig (the config binds a k8s cluster role and a context); that is enough to meet the temporary need.

Installing the cfssl tools


mkdir /root/kube-reader
cd /root/kube-reader


wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
chmod +x cfssl_linux-amd64
mv cfssl_linux-amd64 /usr/local/bin/cfssl

wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
chmod +x cfssljson_linux-amd64
mv cfssljson_linux-amd64 /usr/local/bin/cfssljson

wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
chmod +x cfssl-certinfo_linux-amd64
mv cfssl-certinfo_linux-amd64 /usr/local/bin/cfssl-certinfo

Generating the certificate configuration

  • Copy the CA

cp /etc/kubernetes/pki/ca.crt /root/kube-reader
cp /etc/kubernetes/pki/ca.key /root/kube-reader
# kubeadm writes admin.conf to /etc/kubernetes/, not into the pki/ directory
cp /etc/kubernetes/admin.conf /root/kube-reader

  • devuser-csr.json

{
  "CN": "devuser",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}

  • ca-config.json

{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "kubernetes": {
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ],
        "expiry": "87600h"
      }
    }
  }
}

  • Issue the certificate

cfssl gencert -ca=ca.crt -ca-key=ca.key -config=ca-config.json -profile=kubernetes devuser-csr.json | cfssljson -bare devuser

  • Verify the certificate

cfssl-certinfo -cert devuser.pem
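Before signing, it is worth checking what identity the CSR and profile above actually encode: the API server takes the certificate's CN as the user name and each O as a group (members of system:masters bypass RBAC), and the profile's expiry of 87600h is ten years. The following Python check is an added example, not part of the original post; it embeds constructed copies of the two JSON files above, and the names load_page_config, expiry_hours and check_client_identity are its own.

```python
import json

# Constructed inline copies of the page's devuser-csr.json and ca-config.json.
CSR_JSON = """{"CN": "devuser", "hosts": [], "key": {"algo": "rsa", "size": 2048},
 "names": [{"C": "CN", "ST": "BeiJing", "L": "BeiJing", "O": "k8s", "OU": "System"}]}"""
CA_CONFIG_JSON = """{"signing": {"default": {"expiry": "87600h"}, "profiles": {"kubernetes":
 {"usages": ["signing", "key encipherment", "server auth", "client auth"], "expiry": "87600h"}}}}"""

# The API server takes the client cert's CN as the user name and each O as a
# group; members of system:masters bypass RBAC entirely.
PRIVILEGED_GROUPS = {"system:masters"}

def load_page_config():
    """Parse the two inline JSON documents into dicts."""
    return json.loads(CSR_JSON), json.loads(CA_CONFIG_JSON)

def expiry_hours(expiry):
    """Convert a cfssl duration such as '87600h' or '720h30m' to hours."""
    units = {"h": 1.0, "m": 1 / 60, "s": 1 / 3600}
    total, num = 0.0, ""
    for ch in expiry:
        if ch.isdigit() or ch == ".":
            num += ch
        elif ch in units and num:
            total, num = total + float(num) * units[ch], ""
        else:
            raise ValueError("bad cfssl duration: %r" % expiry)
    return total

def check_client_identity(csr, ca_config, profile, max_hours):
    """Return a list of findings; an empty list means a plain, unprivileged user cert."""
    findings = []
    groups = {n["O"] for n in csr.get("names", []) if n.get("O")}
    if groups & PRIVILEGED_GROUPS:
        findings.append("privileged group in O: %s" % sorted(groups & PRIVILEGED_GROUPS))
    if csr.get("hosts"):
        findings.append("hosts must be empty for a user (client) certificate")
    key = csr.get("key", {})
    if key.get("algo") == "rsa" and key.get("size", 0) < 2048:
        findings.append("rsa key shorter than 2048 bits")
    prof = ca_config["signing"]["profiles"][profile]
    usages = set(prof.get("usages", []))
    if "client auth" not in usages:
        findings.append("profile lacks 'client auth', so the API server would reject the cert")
    if "server auth" in usages:
        findings.append("profile also allows 'server auth', which a user cert does not need")
    hours = expiry_hours(prof.get("expiry") or ca_config["signing"]["default"]["expiry"])
    if hours > max_hours:
        findings.append("expiry %.0fh exceeds the %.0fh expected of a temporary account" % (hours, max_hours))
    return findings
```

Run against the page's files with max_hours=720, it reports the ten-year expiry and the unnecessary server auth usage, and nothing about the group, since "O": "k8s" is an ordinary, unbound group name.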

  • Generate the kubeconfig file

    devuser.kubeconfig: the read-only kubeconfig file that will be generated
    k8s-api-server: see /root/.kube/config
    keep the context consistent with the kubernetes context (see the context in /etc/kubernetes/kubelet.conf)
    the cluster name only needs to match; see also /etc/kubernetes/kubelet.conf


kubectl config set-cluster kubernetes \
--certificate-authority=ca.crt \
--embed-certs=true \
--server=https://k8s-api-server:6443 \
--kubeconfig=devuser.kubeconfig

Configuring the k8s cluster role binding

  • Credential settings

kubectl config set-credentials devuser \
--client-certificate=devuser.pem \
--client-key=devuser-key.pem \
--embed-certs=true \
--kubeconfig=devuser.kubeconfig

  • Context settings

kubectl config set-context kubernetes \
--cluster=kubernetes \
--user=devuser \
--kubeconfig=devuser.kubeconfig

  • Set the default context

kubectl config use-context kubernetes --kubeconfig=devuser.kubeconfig

  • Test with get pod

kubectl get po --kubeconfig=./devuser.kubeconfig
# a "forbidden" error is expected here; the cluster role binding is configured next

Cluster role binding for the config

  • Example read-only ClusterRole for secrets: cat clusterrole.yaml

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: secret-reader
rules:
- apiGroups: [""]
  resources: ["secrets", "namespaces"]
  verbs: ["get", "watch", "list"]

  • Apply the configuration file

kubectl apply -f clusterrole.yaml

  • Bind the cluster role

kubectl create clusterrolebinding devuser-secret --clusterrole=secret-reader --user=devuser

  • Verify

kubectl get secret --kubeconfig devuser.kubeconfig

    - Get the permissions of the built-in view cluster role: `kubectl get clusterrole view -o yaml`
    - Configure read-only access to all resources in `clusterrole.yaml`

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: secret-reader
rules:
- apiGroups: [""]
  resources: ["secrets", "namespaces"]
  verbs: ["get", "watch", "list"]
- apiGroups:
  - ""
  resources:
  - configmaps
  - endpoints
  - persistentvolumeclaims
  - persistentvolumeclaims/status
  - pods
  - replicationcontrollers
  - replicationcontrollers/scale
  - serviceaccounts
  - services
  - services/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - bindings
  - events
  - limitranges
  - namespaces/status
  - pods/log
  - pods/status
  - replicationcontrollers/status
  - resourcequotas
  - resourcequotas/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - apps
  resources:
  - controllerrevisions
  - daemonsets
  - daemonsets/status
  - deployments
  - deployments/scale
  - deployments/status
  - replicasets
  - replicasets/scale
  - replicasets/status
  - statefulsets
  - statefulsets/scale
  - statefulsets/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - autoscaling
  resources:
  - horizontalpodautoscalers
  - horizontalpodautoscalers/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - batch
  resources:
  - cronjobs
  - cronjobs/status
  - jobs
  - jobs/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - extensions
  resources:
  - daemonsets
  - daemonsets/status
  - deployments
  - deployments/scale
  - deployments/status
  - ingresses
  - ingresses/status
  - networkpolicies
  - replicasets
  - replicasets/scale
  - replicasets/status
  - replicationcontrollers/scale
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - policy
  resources:
  - poddisruptionbudgets
  - poddisruptionbudgets/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses
  - ingresses/status
  - networkpolicies
  verbs:
  - get
  - list
  - watch

  • Apply the configuration: kubectl apply -f clusterrole.yaml
  • Check the pods again; there is no longer a permission error.

kubectl get po --kubeconfig=./devuser.kubeconfig
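The rules above are read-only in the RBAC sense, but get/list on secrets across all namespaces hands the account every Secret in the cluster, often including service-account tokens, which is why the built-in view ClusterRole leaves secrets out. The following Python audit is an added example, not part of the original post: it embeds a constructed JSON copy of the secret-reader role (kubectl accepts JSON as well as YAML) and reports any verb beyond get/list/watch plus any read of secrets or wildcard resources, so the file can be checked before kubectl apply. The names page_role, audit_clusterrole and is_read_only are its own.

```python
import copy

READ_ONLY_VERBS = {"get", "list", "watch"}
# Reads that are "read-only" in RBAC terms but hand over credentials: every
# Secret in the cluster, often including service-account tokens. The built-in
# view ClusterRole deliberately leaves secrets out for this reason.
SENSITIVE_READS = {("", "secrets")}

# Constructed inline copy (JSON form, which kubectl also accepts) of the page's
# secret-reader ClusterRole plus one of the rules borrowed from `view`.
PAGE_ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRole",
    "metadata": {"name": "secret-reader"},
    "rules": [
        {"apiGroups": [""], "resources": ["secrets", "namespaces"],
         "verbs": ["get", "watch", "list"]},
        {"apiGroups": ["apps"], "resources": ["deployments", "replicasets", "statefulsets"],
         "verbs": ["get", "list", "watch"]},
    ],
}

def page_role():
    """A fresh copy of the constructed manifest, so callers can mutate it freely."""
    return copy.deepcopy(PAGE_ROLE)

def audit_clusterrole(role):
    """Return (write_grants, sensitive_reads) for a ClusterRole dict.

    write_grants lists (apiGroup, resource, extra_verbs) for every rule whose verbs
    go beyond get/list/watch (a "*" verb counts as a write). sensitive_reads lists
    (apiGroup, resource) pairs that expose secret material or use wildcards.
    """
    writes, sensitive = [], []
    for rule in role.get("rules", []):
        verbs = set(rule.get("verbs", []))
        extra = sorted(verbs - READ_ONLY_VERBS)
        for group in rule.get("apiGroups", []):
            for resource in rule.get("resources", []):
                if extra:
                    writes.append((group, resource, extra))
                if (group, resource) in SENSITIVE_READS or "*" in (group, resource):
                    sensitive.append((group, resource))
    return writes, sensitive

def is_read_only(role):
    """True when no rule grants anything beyond get/list/watch."""
    return not audit_clusterrole(role)[0]
```

For the page's role the audit returns no write grants and exactly one sensitive read, ("", "secrets"); a rule with "*" verbs or resources shows up in both lists.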

Creating a CentOS user and making the new kubeconfig its default

  • Create the user

adduser devuser
passwd devuser

  • Set up the user's .kube directory and install the newly generated config file

# create the user's own .kube directory instead of copying root's, so the admin
# kubeconfig and its cache never land in devuser's home
mkdir -p /home/devuser/.kube
cp devuser.kubeconfig /home/devuser/.kube/config
chown -R devuser:devuser /home/devuser/.kube/
chmod 600 /home/devuser/.kube/config

  • After that, when logged in as devuser, kubectl commands no longer need the --kubeconfig parameter.