创建k8s只读账户kube config
在部分临时场景中，需要给开发或其他人员 k8s 集群的只读权限，方便其查看部分资源或日志。此时可以在 k8s master 机器上新建用户，并为其绑定新的 kube config（config 中绑定 k8s 集群角色和上下文），即可满足临时需求。
cfssl工具安装
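# Install the cfssl toolchain (cfssl, cfssljson, cfssl-certinfo) into /usr/local/bin.
# Working directory: /root/kube-reader (created if missing; cd failure aborts so the
# downloads never land in the wrong directory).
mkdir -p /root/kube-reader
cd /root/kube-reader || exit 1
for tool in cfssl cfssljson cfssl-certinfo; do
  bin="${tool}_linux-amd64"
  wget "https://pkg.cfssl.org/R1.2/${bin}" || exit 1
  # The download is unauthenticated: compare the file against the checksum published
  # by the cfssl project before installing it, e.g.
  #   printf '%s  %s\n' '<EXPECTED_SHA256>' "$bin" | sha256sum -c -
  chmod +x "$bin"
  mv "$bin" "/usr/local/bin/${tool}"
done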
证书配置生成
将 k8s CA 复制到当前目录，编写 devuser 的证书配置，并生成 k8s config 文件
- copy ca
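# Copy the cluster CA (needed to sign devuser's client certificate) into the working dir.
# ca.key is the cluster's signing key: keep the copy root-only and delete it once the
# devuser certificate has been issued.
cp /etc/kubernetes/pki/ca.crt /root/kube-reader || exit 1
cp /etc/kubernetes/pki/ca.key /root/kube-reader || exit 1
chmod 600 /root/kube-reader/ca.key
# admin.conf is a cluster-admin credential and is not referenced by any later step of
# this guide; skip this copy unless you actually need it here. Kept best-effort because
# on kubeadm clusters the file is usually at /etc/kubernetes/admin.conf — confirm the path.
cp /etc/kubernetes/pki/admin.conf /root/kube-reader && chmod 600 /root/kube-reader/admin.conf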
- devuser-csr.json
{
"CN": "devuser",
"hosts": [],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "BeiJing",
"L": "BeiJing",
"O": "k8s",
"OU": "System"
}
]
}
- ca-config.json
{
"signing": {
"default": {
"expiry": "87600h"
},
"profiles": {
"kubernetes": {
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
],
"expiry": "87600h"
}
}
}
}
- 签发证书
# Issue devuser's client certificate, signed by the cluster CA.
# Produces devuser.pem / devuser-key.pem (used by `kubectl config set-credentials` below).
# NOTE: the "kubernetes" profile in ca-config.json carries "server auth" as well as
# "client auth" and an 87600h (10 year) expiry — wide for a temporary read-only identity;
# a client-only profile with a short expiry would be tighter.
cfssl gencert \
  -ca=ca.crt \
  -ca-key=ca.key \
  -config=ca-config.json \
  -profile=kubernetes \
  devuser-csr.json \
  | cfssljson -bare devuser
- 校验确认
# Inspect the issued certificate (subject, key usages, expiry) before embedding it.
cfssl-certinfo -cert=devuser.pem
- 生成kube config文件
devuser.kubeconfig 为生成的只读 kubeconfig 配置文件。k8s-api-server 参见 /root/.kube/conf；kubernetes 需与 cat /etc/kubernetes/kubelet.conf 中 context 下的 cluster 名保持一致。
# Create devuser.kubeconfig with the cluster entry "kubernetes".
# k8s-api-server is a placeholder for the real API server address;
# --embed-certs inlines ca.crt so the file is self-contained.
kubectl config set-cluster kubernetes --kubeconfig=devuser.kubeconfig \
  --server=https://k8s-api-server:6443 \
  --certificate-authority=ca.crt --embed-certs=true
配置k8s集群角色绑定
- 认证设置
# Register devuser with its client certificate and key, both embedded into the kubeconfig.
# The resulting file is a credential: keep it mode 0600 and hand it over securely.
kubectl config set-credentials devuser --kubeconfig=devuser.kubeconfig \
  --client-certificate=devuser.pem --client-key=devuser-key.pem \
  --embed-certs=true
- 上下文设置
# Context "kubernetes" = cluster "kubernetes" + user "devuser".
kubectl config set-context kubernetes --kubeconfig=devuser.kubeconfig \
  --cluster=kubernetes --user=devuser
- 设置默认上下文
# Make "kubernetes" the default context of devuser.kubeconfig.
kubectl config use-context kubernetes --kubeconfig devuser.kubeconfig
- 测试
get pod
# Smoke test with the new kubeconfig. Authentication succeeds (the certificate is
# trusted by the cluster CA) but authorization fails until the ClusterRole binding
# below exists, so a permission error here is expected at this point.
kubectl get po --kubeconfig ./devuser.kubeconfig
config集群角色绑定
secret 只读示例配置：cat clusterrole.yaml
# ClusterRole "secret-reader": cluster-wide (all namespaces) read access to Secrets
# and Namespaces. Secret data is not encrypted at the API (only base64-encoded), so
# get/list on secrets effectively hands out every credential stored in the cluster —
# scope it down (Role + RoleBinding in one namespace) where the temporary task allows.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: secret-reader
rules:
- apiGroups: [""]
  resources: ["secrets","namespaces"]
  verbs: ["get", "watch", "list"]
- 应用配置文件
# Create (or update) the ClusterRole from the manifest above.
kubectl apply -f ./clusterrole.yaml
- 集群角色绑定
# Bind devuser to secret-reader cluster-wide. A ClusterRoleBinding applies in every
# namespace; for access limited to one namespace use a RoleBinding instead
# (kubectl create rolebinding ... --clusterrole=secret-reader --user=devuser -n <namespace>).
kubectl create clusterrolebinding devuser-secret \
  --clusterrole=secret-reader \
  --user=devuser
- 校验查看
# devuser can now list Secrets (the default table output shows names only;
# -o yaml would reveal their contents).
kubectl get secret --kubeconfig=devuser.kubeconfig
- 获取所有集群资源角色权限
# Dump the built-in "view" ClusterRole as a reference for a read-only rule set.
# When Secrets are not needed, binding devuser to "view" directly
# (kubectl create clusterrolebinding devuser-view --clusterrole=view --user=devuser)
# is the simpler option — the built-in role is expected to exclude Secrets; confirm in the output.
kubectl get clusterrole view --output yaml
- 给所有资源配置只读
clusterrole.yaml
# ClusterRole "secret-reader" (same name as the earlier manifest, so `kubectl apply`
# replaces that definition in place): cluster-wide read-only access to the workload
# resources listed below — the list appears to be taken from the built-in "view"
# role — plus Secrets.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: secret-reader
rules:
# Secrets in all namespaces: the broadest grant in this role. Drop this rule if the
# reader only needs workloads and logs.
- apiGroups: [""]
  resources: ["secrets","namespaces"]
  verbs: ["get", "watch", "list"]
- apiGroups:
  - ""
  resources:
  - configmaps
  - endpoints
  - persistentvolumeclaims
  - persistentvolumeclaims/status
  - pods
  - replicationcontrollers
  - replicationcontrollers/scale
  - serviceaccounts
  - services
  - services/status
  verbs:
  - get
  - list
  - watch
# pods/log is what allows reading container logs (the stated use case); note that
# application logs may themselves contain sensitive data.
- apiGroups:
  - ""
  resources:
  - bindings
  - events
  - limitranges
  - namespaces/status
  - pods/log
  - pods/status
  - replicationcontrollers/status
  - resourcequotas
  - resourcequotas/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - apps
  resources:
  - controllerrevisions
  - daemonsets
  - daemonsets/status
  - deployments
  - deployments/scale
  - deployments/status
  - replicasets
  - replicasets/scale
  - replicasets/status
  - statefulsets
  - statefulsets/scale
  - statefulsets/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - autoscaling
  resources:
  - horizontalpodautoscalers
  - horizontalpodautoscalers/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - batch
  resources:
  - cronjobs
  - cronjobs/status
  - jobs
  - jobs/status
  verbs:
  - get
  - list
  - watch
# The "extensions" group is only served by older clusters; on newer ones this rule is
# inert (harmless, but confirm against your cluster version).
- apiGroups:
  - extensions
  resources:
  - daemonsets
  - daemonsets/status
  - deployments
  - deployments/scale
  - deployments/status
  - ingresses
  - ingresses/status
  - networkpolicies
  - replicasets
  - replicasets/scale
  - replicasets/status
  - replicationcontrollers/scale
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - policy
  resources:
  - poddisruptionbudgets
  - poddisruptionbudgets/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses
  - ingresses/status
  - networkpolicies
  verbs:
  - get
  - list
  - watch
- 应用配置
# Re-apply: the manifest keeps the name secret-reader, so this replaces the earlier
# Secrets-only rule set in place and the existing ClusterRoleBinding keeps working.
kubectl apply -f ./clusterrole.yaml
- 再次查看 pod，不再提示权限错误。
# devuser can now list pods without a permission error.
kubectl get po --kubeconfig ./devuser.kubeconfig
centos 新建用户，并将新生成的配置文件设为其默认 kubectl config
- 新建用户
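# Create the local OS account that will hold the read-only kubeconfig.
# Skip creation if the account already exists so the step can be re-run.
id devuser >/dev/null 2>&1 || adduser devuser || exit 1
# passwd prompts interactively for the new password.
passwd devuser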
- 复制 kube 目录，并提供新生成的配置文件
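# Give devuser its own ~/.kube/config holding the read-only kubeconfig.
# Only the generated file is installed: copying root's ~/.kube wholesale would hand
# devuser the cluster-admin config (and cache) as well, and if the final overwrite
# failed the account would be left with admin access.
install -d -m 0700 -o devuser -g devuser /home/devuser/.kube || exit 1
install -m 0600 -o devuser -g devuser devuser.kubeconfig /home/devuser/.kube/config || exit 1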
- 之后使用 devuser 登录执行 kubectl 命令时，就无需再增加 --kubeconfig 参数了