0%

k8s-生成kubeconfig

用于配置集群访问的文件称为“kubeconfig 文件”

https://kubernetes.io/zh-cn/docs/concepts/configuration/organize-cluster-access-kubeconfig/

创建用户

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
apiVersion: v1
kind: ServiceAccount
metadata:
name: readonly
namespace: kube-system
automountServiceAccountToken: true
---
apiVersion: v1
kind: Secret
metadata:
name: readonly-secret
namespace: kube-system
annotations:
kubernetes.io/service-account.name: readonly
type: kubernetes.io/service-account-token

创建角色

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: readonly
rules:
- apiGroups:
- "*"
resources:
- pods
- pods/log
- deployments
- ingresses
- namespaces
- configmaps
- services
- endpoints
- events
verbs:
- get
- list
- watch
- apiGroups:
- networking.k8s.io
resources:
- ingresses
verbs:
- list
- watch
- get
- apiGroups:
- extensions
resources:
- ingresses
verbs:
- list
- watch
- get
- apiGroups: [""]
resources: ["pods/exec"]
verbs: ["create"]

创建角色绑定

1
2
3
4
5
6
7
8
9
10
11
12
13
14
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: readonly
labels:
k8s-app: readonly
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: readonly
subjects:
- kind: ServiceAccount
name: readonly
namespace: kube-system

获取token

1
kubectl get secrets -n kube-system readonly-secret -o "jsonpath={.data.token}" | base64 -D

获取ca

1
kubectl get secrets -n kube-system readonly-secret -o "jsonpath={.data['ca\.crt']}"

拼接kubeconfig

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: *****
server: https://ip:6443
name: kubernetes
contexts:
- context:
cluster: kubernetes
user: readonly
name: readonly@kubernetes
current-context: readonly@kubernetes
kind: Config
preferences: {}
users:
- name: readonly
user:
client-key-data: ******
token: *******

需注意:

  1. client-key-datacertificate-authority-data是一致的