Kubernetes permission setup: kubeconfig and token

2022-09-13  大鹏一怒乘风起
Create the ServiceAccount
kubectl -n default create serviceaccount rdc-test
Create the ServiceAccount from YAML together with its Role and RoleBinding
apiVersion: v1
kind: Secret
metadata:
  name: rdc-test-certs
  namespace: default
type: Opaque
---
# ------------------- Dashboard Service Account ------------------- #

apiVersion: v1
kind: ServiceAccount
metadata:
  name: rdc-test
  namespace: default

---
# ------------------- Dashboard Role & Role Binding ------------------- #

# A ClusterRole is cluster-scoped, so it carries no metadata.namespace;
# the namespace restriction comes from the RoleBinding below.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: rdc-test1
rules:
  # Read-only on every resource in every API group. Note that "*" also
  # covers Secrets, so within the bound namespace this can read secret data.
  - apiGroups:
      - "*"
    resources:
      - "*"
    verbs:
      - "list"
      - "get"
      - "watch"
---
# A RoleBinding (not a ClusterRoleBinding) that references a ClusterRole
# grants that role's rules only inside the binding's namespace (default here).
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: rdc-test
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: rdc-test1
subjects:
- kind: ServiceAccount
  name: rdc-test
  namespace: default

This is where permissions come in: the role above is read-only. If pod management permissions are also needed, adjust the rules as follows:

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: rdc-test1
rules:
  - apiGroups:
      - "*"
    resources:
      - "*"
    verbs:
      - "list"
      - "get"
      - "watch"
  # Pod management in the core API group (apiGroups: ""). "create" on the
  # pods/exec, pods/attach and pods/portforward subresources is what lets a
  # client run commands in or tunnel to containers, so treat this rule as
  # granting code execution inside the bound namespace.
  - apiGroups:
      - ""
    resources:
      - "pods"
      - "pods/attach"
      - "pods/exec"
      - "pods/portforward"
      - "pods/proxy"
    verbs:
      - "create"
      - "delete"
      - "deletecollection"
      - "patch"

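Before binding either role it helps to know exactly what the rules cover. The Python below is an added example (not from the original post and not Kubernetes code) that re-implements the RBAC rule-matching logic and audits the two rule sets transcribed above; in particular it shows that the "read-only" role's `*` resources include Secrets.

```python
"""Offline audit of what the two ClusterRoles above actually allow: re-implements
the resource-rule matching of Kubernetes' RuleAllows (apiGroups, resources incl.
the "res/sub" and "*/sub" forms, verbs, resourceNames). Rules transcribed from the page."""
from dataclasses import dataclass, field

@dataclass
class Rule:
    api_groups: list
    resources: list
    verbs: list
    resource_names: list = field(default_factory=list)

def _resource_matches(rule, resource, subresource):
    combined = f"{resource}/{subresource}" if subresource else resource
    for r in rule.resources:
        if r == "*" or r == combined:   # "*" covers every subresource as well
            return True
        if subresource and r == f"*/{subresource}":
            return True
    return False

def rule_allows(rule, group, resource, verb, subresource="", name=""):
    """True if this single rule permits the request, as the API server would decide."""
    return (("*" in rule.verbs or verb in rule.verbs)
            and ("*" in rule.api_groups or group in rule.api_groups)
            and _resource_matches(rule, resource, subresource)
            and (not rule.resource_names or name in rule.resource_names))

def allows(rules, group, resource, verb, subresource="", name=""):
    """A request is allowed if any rule of the role allows it (rules never deny)."""
    return any(rule_allows(r, group, resource, verb, subresource, name) for r in rules)

# Transcribed from the page: the "read-only" role, then the extended pod-management role.
READ_ONLY = [Rule(["*"], ["*"], ["list", "get", "watch"])]
POD_ADMIN = READ_ONLY + [Rule([""], ["pods", "pods/attach", "pods/exec", "pods/portforward",
                               "pods/proxy"], ["create", "delete", "deletecollection", "patch"])]

def audit(rules):
    """Questions to answer before binding a role; each maps to True/False."""
    return {"read secrets": allows(rules, "", "secrets", "get"),
            "exec into pods": allows(rules, "", "pods", "create", subresource="exec"),
            "delete pods": allows(rules, "", "pods", "delete"),
            "create deployments": allows(rules, "apps", "deployments", "create")}

if __name__ == "__main__":
    for label, rules in (("read-only", READ_ONLY), ("pod-admin", POD_ADMIN)):
        print(label, audit(rules))
```

The same `audit` function can be pointed at any rule list exported from a cluster to compare a role's intended scope with what it actually grants.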
Run the following to collect the environment variables needed to generate the kubeconfig file.
# On Kubernetes 1.24 and later a ServiceAccount no longer gets an auto-created token
# Secret, so .secrets[0].name comes back empty; first create a Secret of type
# kubernetes.io/service-account-token annotated with
# kubernetes.io/service-account.name: rdc-test, then run these lines.
export USER_TOKEN_NAME=$(kubectl -n default get serviceaccount rdc-test -o=jsonpath='{.secrets[0].name}')
export USER_TOKEN_VALUE=$(kubectl -n default get "secret/${USER_TOKEN_NAME}" -o=go-template='{{.data.token}}' | base64 --decode)
export CURRENT_CONTEXT=$(kubectl config current-context)
# Resolve the cluster behind the current context, then that cluster's CA bundle and API server URL.
export CURRENT_CLUSTER=$(kubectl config view --raw -o=go-template='{{range .contexts}}{{if eq .name "'"${CURRENT_CONTEXT}"'"}}{{index .context "cluster"}}{{end}}{{end}}')
export CLUSTER_CA=$(kubectl config view --raw -o=go-template='{{range .clusters}}{{if eq .name "'"${CURRENT_CLUSTER}"'"}}{{with index .cluster "certificate-authority-data"}}{{.}}{{end}}{{end}}{{end}}')
export CLUSTER_SERVER=$(kubectl config view --raw -o=go-template='{{range .clusters}}{{if eq .name "'"${CURRENT_CLUSTER}"'"}}{{.cluster.server}}{{end}}{{end}}')
Run the following to generate the kubeconfig file.
# Unquoted heredoc, so the variables exported above are substituted into the file.
cat << EOF > rdc-config
apiVersion: v1
kind: Config
current-context: ${CURRENT_CONTEXT}
contexts:
- name: ${CURRENT_CONTEXT}
  context:
    cluster: ${CURRENT_CLUSTER}
    # The user name is local to this file; name it after the ServiceAccount rather
    # than a cluster-admin label it does not have.
    user: rdc-test
    # Must sit under "context" and match the RoleBinding's namespace: the
    # ServiceAccount has no rights in kube-system, only in default.
    namespace: default
clusters:
- name: ${CURRENT_CLUSTER}
  cluster:
    certificate-authority-data: ${CLUSTER_CA}
    server: ${CLUSTER_SERVER}
users:
- name: rdc-test
  user:
    token: ${USER_TOKEN_VALUE}
EOF
Print the token for accessing the dashboard or the API
kubectl -n default describe secret "${USER_TOKEN_NAME}" | grep -E '^token'
# On Kubernetes 1.24+ a short-lived token can instead be minted directly:
# kubectl -n default create token rdc-test