The file used to configure access to a cluster is called a "kubeconfig file".
https://kubernetes.io/zh-cn/docs/concepts/configuration/organize-cluster-access-kubeconfig/
Create the user
```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: readonly
  namespace: kube-system
automountServiceAccountToken: true
---
apiVersion: v1
kind: Secret
metadata:
  name: readonly-secret
  namespace: kube-system
  annotations:
    kubernetes.io/service-account.name: readonly
type: kubernetes.io/service-account-token
```
Create the role
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: readonly
rules:
- apiGroups:
  - "*"
  resources:
  - pods
  - pods/log
  - deployments
  - ingresses
  - namespaces
  - configmaps
  - services
  - endpoints
  - events
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses
  verbs:
  - list
  - watch
  - get
- apiGroups:
  - extensions
  resources:
  - ingresses
  verbs:
  - list
  - watch
  - get
- apiGroups: [""]
  resources: ["pods/exec"]
  verbs: ["create"]
```
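A role called `readonly` is only as read-only as its verbs, and the ClusterRole above grants `create` on `pods/exec` as well as a wildcard `apiGroups`, which is worth catching before the binding is applied. The following script is an added example, not code from the original post: it audits a role's rules for verbs outside get/list/watch, wildcard API groups and session sub-resources, and shows a stripped-down copy that keeps only the read verbs. `READONLY_CLUSTERROLE` is a Python transcription of the page's ClusterRole, embedded inline so the script runs offline without a cluster or PyYAML; `SESSION_SUBRESOURCES` is my own list of the sub-resources to flag.

```python
"""Audit a ClusterRole for permissions that go beyond read-only.

Added example, not from the original post. READONLY_CLUSTERROLE is a
Python transcription of the page's ``readonly`` ClusterRole, embedded
inline so the script runs offline without a cluster or PyYAML.
"""
import copy

READ_ONLY_VERBS = {"get", "list", "watch"}

# Sub-resources whose "create" verb opens a session into a running
# container instead of reading API data; never part of a read-only role.
# (Assumed list for this example.)
SESSION_SUBRESOURCES = {"pods/exec", "pods/attach", "pods/portforward"}

# Constructed transcription of the ClusterRole defined above.
READONLY_CLUSTERROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRole",
    "metadata": {"name": "readonly"},
    "rules": [
        {
            "apiGroups": ["*"],
            "resources": ["pods", "pods/log", "deployments", "ingresses", "namespaces",
                          "configmaps", "services", "endpoints", "events"],
            "verbs": ["get", "list", "watch"],
        },
        {"apiGroups": ["networking.k8s.io"], "resources": ["ingresses"],
         "verbs": ["list", "watch", "get"]},
        {"apiGroups": ["extensions"], "resources": ["ingresses"],
         "verbs": ["list", "watch", "get"]},
        {"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]},
    ],
}


def audit_role(role):
    """Return a list of findings; an empty list means the role is strictly read-only."""
    findings = []
    for idx, rule in enumerate(role.get("rules", [])):
        groups = rule.get("apiGroups", [])
        resources = rule.get("resources", [])
        verbs = set(rule.get("verbs", []))

        extra = sorted(verbs - READ_ONLY_VERBS)
        if extra:
            findings.append(f"rule {idx}: non-read verbs {extra} on {resources}")

        if "*" in groups:
            # "*" matches every API group, including ones added later;
            # list the groups the resources actually live in ("", apps, ...).
            findings.append(f"rule {idx}: wildcard apiGroups for {resources}")

        for res in resources:
            if res in SESSION_SUBRESOURCES and "create" in verbs:
                findings.append(f"rule {idx}: create on {res} opens sessions into containers")
    return findings


def is_read_only(role):
    return not audit_role(role)


def strip_to_read_only(role):
    """Return a copy of the role keeping only get/list/watch verbs.

    Rules left with no verbs are dropped entirely. The wildcard apiGroups
    finding is left for a human to narrow, since the right groups depend
    on which resources the role is meant to expose.
    """
    hardened = copy.deepcopy(role)
    kept = []
    for rule in hardened.get("rules", []):
        rule["verbs"] = [v for v in rule.get("verbs", []) if v in READ_ONLY_VERBS]
        if rule["verbs"]:
            kept.append(rule)
    hardened["rules"] = kept
    return hardened


if __name__ == "__main__":
    for finding in audit_role(READONLY_CLUSTERROLE):
        print("FINDING", finding)
    print("strictly read-only:", is_read_only(READONLY_CLUSTERROLE))
    print("after stripping:", audit_role(strip_to_read_only(READONLY_CLUSTERROLE)))
```

Run against the page's role it reports three findings (the wildcard group in the first rule, and the `create` verb plus the `pods/exec` session sub-resource in the last rule); after `strip_to_read_only` only the wildcard-group finding remains, which has to be narrowed by hand to the groups the listed resources belong to.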
Create the role binding
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: readonly
  labels:
    k8s-app: readonly
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: readonly
subjects:
- kind: ServiceAccount
  name: readonly
  namespace: kube-system
```
Get the token
```bash
kubectl get secrets -n kube-system readonly-secret -o "jsonpath={.data.token}" | base64 -D
```
Get the CA
```bash
kubectl get secrets -n kube-system readonly-secret -o "jsonpath={.data['ca\.crt']}"
```
Assemble the kubeconfig
```yaml
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: *****
    server: https://ip:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: readonly
  name: readonly@kubernetes
current-context: readonly@kubernetes
kind: Config
preferences: {}
users:
- name: readonly
  user:
    client-key-data: ******
    token: *******
```
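Pasting the token and CA into the template by hand is error-prone, and nothing in the steps above confirms that the token actually belongs to the `readonly` service account. The script below is an added example, not code from the original post: it takes the two base64 strings exactly as the `kubectl get secrets ... -o jsonpath` commands print them (`data.token` and `data['ca.crt']`), decodes the token's JWT payload to check its `sub` claim against `system:serviceaccount:<namespace>:<name>`, and emits the kubeconfig as JSON, which kubectl reads because YAML is a superset of JSON. Note that `base64 -D` is the macOS flag; GNU coreutils spells it `base64 -d`. The user entry carries only the token, since bearer-token authentication does not use a client key. The token and CA values are constructed placeholders built inside the script, not real credentials, and `make_constructed_token` is my helper for producing them.

```python
"""Assemble a kubeconfig from the service-account Secret's token and CA.

Added example, not from the original post. Inputs are the base64 strings
that ``kubectl get secret -o jsonpath`` prints for data.token and
data['ca.crt']; the script decodes the token's JWT payload to confirm it
belongs to the expected service account before writing it into a user
entry. The token and CA below are constructed placeholders for offline
use, not real credentials.
"""
import base64
import json


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_claims(token: str) -> dict:
    """Return the payload claims of a JWT without verifying its signature.

    Signature checking is the API server's job; here we only want to see
    which identity the token names before shipping it around in a kubeconfig.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected three dot-separated segments")
    return json.loads(b64url_decode(parts[1]))


def build_kubeconfig(server: str, ca_b64: str, token_b64: str,
                     sa_name: str = "readonly", sa_namespace: str = "kube-system") -> dict:
    """Return a kubeconfig dict for the token, after checking its subject."""
    token = base64.b64decode(token_b64).decode()
    claims = token_claims(token)
    expected = f"system:serviceaccount:{sa_namespace}:{sa_name}"
    if claims.get("sub") != expected:
        raise ValueError(f"token subject {claims.get('sub')!r} is not {expected!r}")
    context = f"{sa_name}@kubernetes"
    return {
        "apiVersion": "v1",
        "kind": "Config",
        "preferences": {},
        # ca.crt from the Secret is already the base64 of the PEM, which is
        # exactly what certificate-authority-data expects.
        "clusters": [{"name": "kubernetes",
                      "cluster": {"certificate-authority-data": ca_b64, "server": server}}],
        # Bearer-token auth does not use a client key, so only the token is set.
        "users": [{"name": sa_name, "user": {"token": token}}],
        "contexts": [{"name": context, "context": {"cluster": "kubernetes", "user": sa_name}}],
        "current-context": context,
    }


def make_constructed_token(name: str, namespace: str) -> str:
    """Build a JWT shaped like a legacy service-account token (constructed; unsigned)."""
    header = {"alg": "RS256", "kid": "constructed-key-id"}
    payload = {
        "iss": "kubernetes/serviceaccount",
        "kubernetes.io/serviceaccount/namespace": namespace,
        "kubernetes.io/serviceaccount/service-account.name": name,
        "kubernetes.io/serviceaccount/secret.name": f"{name}-secret",
        "sub": f"system:serviceaccount:{namespace}:{name}",
    }
    segments = [b64url_encode(json.dumps(part).encode()) for part in (header, payload)]
    segments.append(b64url_encode(b"constructed-signature-not-valid"))
    return ".".join(segments)


# Constructed sample inputs, in the form the kubectl commands above print them.
SAMPLE_TOKEN = make_constructed_token("readonly", "kube-system")
SAMPLE_TOKEN_B64 = base64.b64encode(SAMPLE_TOKEN.encode()).decode()
SAMPLE_CA_B64 = base64.b64encode(
    b"-----BEGIN CERTIFICATE-----\nCONSTRUCTED-PLACEHOLDER-NOT-A-REAL-CA\n-----END CERTIFICATE-----\n"
).decode()


if __name__ == "__main__":
    config = build_kubeconfig("https://ip:6443", SAMPLE_CA_B64, SAMPLE_TOKEN_B64)
    # JSON is valid YAML, so kubectl --kubeconfig reads this output as-is.
    print(json.dumps(config, indent=2))
```

Redirect the output to a file and point `kubectl --kubeconfig` at it; if the Secret you read belongs to a different service account than the one you intended, `build_kubeconfig` refuses with a `ValueError` naming both subjects instead of silently producing a config with the wrong identity.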
Note: client-key-data and certificate-authority-data are identical.