K8s:根据ServiceAccount生成kube-config文件
在K8s中:根据ServiceAccount服务账户生成kube-config文件
#过程:service account + role + rolebinding + secret-token + kube-config文件
1、创建 :service account + role + rolebinding + secret-token + kube-config文件
####################################################################
### 1、创建一个ServiceAccount
### 2、创建一个ClusterRole、并且集群角色和ServiceAccount绑定
### 3、创建一个Role、进行角色和ServiceAccount绑定
### 4、创建一个secret(kubernetes.io/service-account-token 类型)、授权给ServiceAccount、dashboard登录时候可以使用token认证。注意:这样手工创建的token是长期有效、不会过期的凭据,泄露后只能删除该Secret来撤销;临时登录建议改用 kubectl create token 生成带过期时间的token。
### 5、生成kube-config文件。
####################################################################
### /data/ServiceAccount/jigaobo-ns-ServiceAccount-secret_token.yml
####################################################################
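# Namespace that holds the ServiceAccount, the namespaced Role/RoleBinding
# and the token Secret below. (Indentation restored: as pasted, "name:" sat
# at column 0 and the document was not valid YAML.)
apiVersion: v1
kind: Namespace
metadata:
  name: jigaobo-ns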
####################################################################
---
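# The ServiceAccount whose token ends up in the kubeconfig.
# (Indentation restored; the pasted version was not valid YAML.)
apiVersion: v1
kind: ServiceAccount
metadata:
  name: jigaobo
  # Must match the namespace used in the (Cluster)RoleBinding subjects below.
  namespace: jigaobo-ns
  # NOTE(review): if no Pod is meant to run as this account (it is used for a
  # human kubeconfig here), consider `automountServiceAccountToken: false`
  # so its token is not mounted into pods by accident — confirm no workload
  # references this SA first.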
####################################################################
---
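kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: jigaobo-ClusterRole
# NOTE(review): every rule here is cluster-wide (it is bound through a
# ClusterRoleBinding below). "create"/"delete" on pods in *all* namespaces is
# a very strong grant: whoever holds this account's token can start a pod in
# any namespace and mount that namespace's Secrets / ServiceAccount tokens
# into it. Trim the list to what the consumer of this account really needs.
# (Indentation restored; the pasted version was not valid YAML.)
rules:
  - apiGroups: [""]
    resources: ["nodes"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["persistentvolumes"]
    verbs: ["get", "list", "watch", "create", "delete"]
  - apiGroups: [""]
    resources: ["persistentvolumeclaims"]
    verbs: ["get", "list", "watch", "update"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["storageclasses"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "update", "patch"]
  - apiGroups: [""]
    resources: ["pods", "services"]
    verbs: ["get", "list", "watch", "create", "delete"]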
####################################################################
---
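# Binds the cluster-wide role above to the ServiceAccount. Because this is a
# ClusterRoleBinding (not a RoleBinding), the grant applies in every namespace.
# (Indentation restored; the pasted version was not valid YAML.)
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: jigaobo-ClusterRole-Binding
subjects:
  - kind: ServiceAccount
    name: jigaobo
    # Namespace where the ServiceAccount was created.
    namespace: jigaobo-ns
roleRef:
  kind: ClusterRole
  name: jigaobo-ClusterRole
  apiGroup: rbac.authorization.k8s.io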
####################################################################
---
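# Namespaced Role: only endpoints, only inside jigaobo-ns. This is the part
# `kubectl auth can-i ... -n jigaobo-ns` on endpoints exercises; the pod
# permissions come from the ClusterRole, not from here.
# (Indentation restored; the pasted version was not valid YAML.)
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: jigaobo-role
  namespace: jigaobo-ns
rules:
  - apiGroups: [""]
    resources: ["endpoints"]
    verbs: ["get", "list", "watch", "create", "update", "patch"]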
---
####################################################################
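# Binds the namespaced Role to the ServiceAccount inside jigaobo-ns.
# (Indentation restored; the pasted version was not valid YAML.)
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: jigaobo-role
  namespace: jigaobo-ns
subjects:
  - kind: ServiceAccount
    name: jigaobo
    # Namespace where the ServiceAccount was created.
    namespace: jigaobo-ns
roleRef:
  kind: Role
  name: jigaobo-role
  apiGroup: rbac.authorization.k8s.io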
####################################################################
---
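# Long-lived ServiceAccount token Secret. The control plane populates
# .data.token (plus ca.crt / namespace) once the annotated SA exists.
# NOTE(review): this token never expires and can only be revoked by deleting
# the Secret. For dashboard / interactive use a bounded token is safer:
#   kubectl -n jigaobo-ns create token jigaobo --duration=1h
# (Indentation restored; the pasted version was not valid YAML.)
apiVersion: v1
kind: Secret
type: kubernetes.io/service-account-token
metadata:
  name: jigaobo-user-token
  namespace: jigaobo-ns
  annotations:
    # Must be the name of the ServiceAccount in this namespace.
    kubernetes.io/service-account.name: "jigaobo"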
2、验证
验证role的权限:( 注意 pods 的权限来自上面的 ClusterRole、是集群范围的;名称空间级的 Role 只覆盖 endpoints,要验证它应使用 kubectl auth can-i create endpoints -n jigaobo-ns --as=... )
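# Verify the ServiceAccount's permissions by impersonating it (--as).
# Pods are granted by the ClusterRole, so both answers are "yes" in any
# namespace; -n makes the namespace explicit instead of relying on the
# caller's current context.
kubectl auth can-i create pods -n jigaobo-ns --as=system:serviceaccount:jigaobo-ns:jigaobo
kubectl auth can-i delete pods -n jigaobo-ns --as=system:serviceaccount:jigaobo-ns:jigaobo
# The namespaced Role only covers endpoints inside jigaobo-ns:
# expected "yes" here and "no" in any other namespace.
kubectl auth can-i create endpoints -n jigaobo-ns --as=system:serviceaccount:jigaobo-ns:jigaobo
kubectl auth can-i create endpoints -n default --as=system:serviceaccount:jigaobo-ns:jigaobo
# Negative check: nothing above grants secrets, so this must print "no".
kubectl auth can-i get secrets -n jigaobo-ns --as=system:serviceaccount:jigaobo-ns:jigaobo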
验证登录token:(查看到之后、拿着token去登录dashboard。)
# Find the token Secret, then print it; the decoded bearer token appears
# under "token:" in the describe output. Treat that output as a credential.
kubectl get secret --all-namespaces
kubectl -n jigaobo-ns describe secret jigaobo-user-token
3、创建kubeconfig文件
############################ 前置条件 ############################
1、对账号进行证书签发、需要指定这个csr文件。(注意:Kubernetes 对客户端证书的鉴权是把证书的 CN 当作用户名、O 当作用户组。下面这个csr里 CN 是 "China"、O 是 "k8s",所以签出来的证书登录时的身份是用户 "China"、组 "k8s",并不是上面的 ServiceAccount;上面的 Role/ClusterRole 都只绑定给了 ServiceAccount,这个证书身份本身没有任何 RBAC 权限。如果确实要用证书身份,CN 应改成要绑定的用户名,并单独为该用户做 RoleBinding。)
cat jigaobo-csr.json
{
"CN": "China",
"hosts": [],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "BeiJing",
"L": "BeiJing",
"O": "k8s",
"OU": "System"
}
]
}
[root@k8s-31:/data/ServiceAccount]# cat ca-config.json #证书有效期:87600h 即 10 年。签给单个用户的客户端证书通常不需要这么长,而且 kube-apiserver 不支持证书吊销(没有 CRL),证书一旦泄露只能换 CA;建议把 expiry 缩短。
{
"signing": {
"default": {
"expiry": "87600h"
},
"profiles": {
"kubernetes": {
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
],
"expiry": "87600h"
}
}
}
}
############################ 开始签发证书:############################
1:安装cfssl
# Put the cfssl binaries shipped with kubeasz on PATH (one symlink per file).
for tool in /etc/kubeasz/bin/cfssl*; do
  ln -sv "$tool" /usr/bin/
done
2:(此步可以跳过)生成一个新的自签名 CA 文件(ca.pem / ca-key.pem,根据jigaobo-csr.json生成)。下一步实际使用的是集群已有的 CA(/etc/kubernetes/ssl/ca.pem),这里生成的 CA 并不会被用到;如果在 /etc/kubernetes/ssl/ 目录里执行,反而会覆盖集群的 CA 密钥。
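# Step 2 is NOT needed and is left disabled on purpose:
#   cfssl gencert -initca jigaobo-csr.json | cfssljson -bare ca
# It would mint a brand-new self-signed CA (ca.pem / ca-key.pem in the
# current directory) from the *user's* CSR. Step 3 signs with the cluster CA
# in /etc/kubernetes/ssl/ instead, so this CA is never used — and if the
# command is run inside /etc/kubernetes/ssl/ it overwrites the real cluster
# CA key. The cluster CA already exists; skip this step.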
3:用集群 CA 签发用户证书和私钥(cfssljson -bare jigaobo 会输出 jigaobo.pem(证书)、jigaobo-key.pem(私钥)和 jigaobo.csr,下一步引用的就是这两个 .pem 文件,不是 .crt/.key;-bare 表示直接输出裸文件。)
# Step 3: have the cluster CA sign the user CSR with the "kubernetes" profile
# from ca-config.json. cfssljson -bare jigaobo writes jigaobo.pem (cert),
# jigaobo-key.pem (private key) and jigaobo.csr into the current directory.
cfssl gencert \
  -ca=/etc/kubernetes/ssl/ca.pem \
  -ca-key=/etc/kubernetes/ssl/ca-key.pem \
  -config=./ca-config.json \
  -profile=kubernetes \
  jigaobo-csr.json | cfssljson -bare jigaobo
4:生成普通用户kubeconfig文件:(kubectl config get-clusters 查看集群的名称)
# Step 4: cluster entry for the new kubeconfig. `kubectl config get-clusters`
# shows the existing cluster name; --embed-certs inlines the CA cert so the
# file is self-contained.
kubectl config set-cluster kubernetes \
  --certificate-authority=/etc/kubernetes/ssl/ca.pem \
  --embed-certs=true \
  --server=https://10.0.0.31:6443 \
  --kubeconfig=jigaobo.kubeconfig
5:设置客户端认证参数:
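# Step 5: client credentials.
# Copy ONLY the two files signed in step 3. The original `cp *.pem` would also
# copy any ca.pem / ca-key.pem lying in this directory (e.g. left behind by a
# stray `cfssl gencert -initca`) over the cluster CA in /etc/kubernetes/ssl/.
cp -- jigaobo.pem jigaobo-key.pem /etc/kubernetes/ssl/
chmod 600 /etc/kubernetes/ssl/jigaobo-key.pem
# --embed-certs=true copies the cert AND the private key into
# jigaobo.kubeconfig, so the kubeconfig itself is a credential.
kubectl config set-credentials jigaobo \
  --client-certificate=/etc/kubernetes/ssl/jigaobo.pem \
  --client-key=/etc/kubernetes/ssl/jigaobo-key.pem \
  --embed-certs=true \
  --kubeconfig=jigaobo.kubeconfig
chmod 600 jigaobo.kubeconfig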
6:设置上下文参数(多集群使用上下文区分)
#cat jigaobo.kubeconfig | wc -l 执行前后查看一下行号、类似设置一些注释信息
#https://kubernetes.io/zh/docs/concepts/configuration/organize-cluster-access-kubeconfig/
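# Step 6: context entry. Namespace fixed: the original said "jigoabo-ns"
# (transposed letters), a namespace that does not exist, so every command run
# through this kubeconfig would have targeted the wrong namespace and the
# namespaced Role (endpoints in jigaobo-ns) would never apply.
kubectl config set-context kubernetes \
  --cluster=kubernetes \
  --user=jigaobo \
  --namespace=jigaobo-ns \
  --kubeconfig=jigaobo.kubeconfig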
7: 设置默认上下文
# Step 7: make the new context the default for this kubeconfig file.
kubectl config use-context kubernetes \
  --kubeconfig=jigaobo.kubeconfig
8: 查看token:( 然后将token写入jigaobo.kubeconfig文件、后面就可以使用了。token 是长期有效的 bearer 凭据,写入后这个 kubeconfig 文件本身就是密钥:chmod 600,不要随意传播或贴到工单/聊天里。)
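# Step 8: fetch the ServiceAccount token. Namespace fixed from the typo
# "jigoabo-ns" (that namespace does not exist, so grep found nothing).
kubectl get secrets -n jigaobo-ns | grep jigaobo
kubectl describe secrets -n jigaobo-ns jigaobo-user-token
# Rather than pasting the token into the file by hand (step 9), let kubectl
# store it as a *separate* user entry. Mixing a client cert and a token in one
# user entry sends both credentials, and which identity the API server then
# uses depends on its authenticator order — keep them apart and point the
# context at jigaobo-sa when the ServiceAccount's permissions are wanted.
kubectl config set-credentials jigaobo-sa \
  --token="$(kubectl -n jigaobo-ns get secret jigaobo-user-token -o jsonpath='{.data.token}' | base64 -d)" \
  --kubeconfig=jigaobo.kubeconfig
# The token is a long-lived bearer credential: protect the file.
chmod 600 jigaobo.kubeconfig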
9: vim打开jigaobo.kubeconfig,把 token 字段加到 users 下对应用户条目里(直接追加到文件最后一行不属于任何用户条目,kubectl 可能忽略它或解析失败)。注意不要把 token 和上面的 client-certificate 放在同一个用户条目里:两种凭据会同时发送,实际以哪个身份鉴权取决于 apiserver 认证器的顺序;更稳妥的做法是用 kubectl config set-credentials 单独建一个只带 token 的用户,再把上下文的 --user 指向它。
10: dashboard登录测试:
#通过查看svc对应的endpoint 然后访问nodeport端口、上传jigaobo.kubeconfig文件测试
