Creating a read-only k8s account kube config

In some temporary situations you want to give developers or other staff read-only access to a k8s cluster so they can look at certain resources or logs. In that case you can create a new user on the k8s master machine and bind it to a new kube config (the config binds a k8s cluster role and context); that is enough to cover the temporary need.

cfssl tool installation

mkdir /root/kube-reader
cd /root/kube-reader


wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
chmod +x cfssl_linux-amd64
mv cfssl_linux-amd64 /usr/local/bin/cfssl
 
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
chmod +x cfssljson_linux-amd64
mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
 
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
chmod +x cfssl-certinfo_linux-amd64
mv cfssl-certinfo_linux-amd64 /usr/local/bin/cfssl-certinfo

Certificate configuration and generation

Copy the k8s CA into the current directory, write the devuser configuration, and generate the k8s config file.

  • Copy the CA
cp /etc/kubernetes/pki/ca.crt /root/kube-reader
cp /etc/kubernetes/pki/ca.key /root/kube-reader
cp /etc/kubernetes/pki/admin.conf /root/kube-reader
  • devuser-csr.json (the CN becomes the Kubernetes user name, the O becomes the user's group)
{
  "CN": "devuser",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
  • ca-config.json
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "kubernetes": {
        "usages": [
            "signing",
            "key encipherment",
            "server auth",
            "client auth"
        ],
        "expiry": "87600h"
      }
    }
  }
}
  • Issue the certificate
cfssl gencert -ca=ca.crt -ca-key=ca.key -config=ca-config.json -profile=kubernetes devuser-csr.json | cfssljson -bare devuser
  • Verify the issued certificate
cfssl-certinfo -cert devuser.pem
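Before running cfssl gencert it is worth checking the two JSON inputs above for settings that do not fit a temporary, read-only client credential. The following script is an added example written for this post (it is not part of the original post or of cfssl): it parses devuser-csr.json and ca-config.json and reports a CSR whose O would map to the built-in system:masters group, a profile that carries "server auth" although only "client auth" is needed for a kubectl user certificate, and an expiry longer than an assumed 30-day policy (the 87600h in the post is ten years). The file contents are embedded as constructed strings so the script runs offline; PRIVILEGED_GROUPS and MAX_CLIENT_CERT_HOURS are assumptions, not cfssl settings.

```python
"""Sanity checks on cfssl inputs before issuing a kubectl client certificate.

Added example, not from the original post. The two JSON documents below are
constructed copies of devuser-csr.json and ca-config.json as shown in the
post; in practice read them with open(...).read().
"""
import json

CSR_JSON = """{
  "CN": "devuser",
  "hosts": [],
  "key": {"algo": "rsa", "size": 2048},
  "names": [{"C": "CN", "ST": "BeiJing", "L": "BeiJing", "O": "k8s", "OU": "System"}]
}"""

CA_CONFIG_JSON = """{
  "signing": {
    "default": {"expiry": "87600h"},
    "profiles": {
      "kubernetes": {
        "usages": ["signing", "key encipherment", "server auth", "client auth"],
        "expiry": "87600h"
      }
    }
  }
}"""

# Assumption: groups the API server treats as super-users. A CSR whose "O"
# lands here is cluster-admin regardless of any ClusterRoleBinding.
PRIVILEGED_GROUPS = {"system:masters"}
# Assumed local policy for a temporary account: 30 days.
MAX_CLIENT_CERT_HOURS = 24 * 30


def parse_expiry_hours(expiry: str) -> float:
    """cfssl expiry strings look like '87600h', '720h' or '30m'."""
    unit = expiry[-1]
    value = float(expiry[:-1])
    return {"h": value, "m": value / 60, "s": value / 3600}[unit]


def lint_csr(csr: dict) -> list:
    """Findings about the subject and key of a client-certificate CSR."""
    findings = []
    for name in csr.get("names", []):
        org = name.get("O")
        if org in PRIVILEGED_GROUPS:
            findings.append(f"O={org} maps to a privileged Kubernetes group")
    if csr.get("hosts"):
        findings.append("client cert CSR should not carry SAN hosts")
    if csr.get("key", {}).get("size", 0) < 2048:
        findings.append("RSA key shorter than 2048 bits")
    return findings


def lint_profile(ca_config: dict, profile: str,
                 max_hours: float = MAX_CLIENT_CERT_HOURS) -> list:
    """Findings about the signing profile used with -profile=<profile>."""
    findings = []
    prof = ca_config["signing"]["profiles"][profile]
    usages = set(prof.get("usages", []))
    if "client auth" not in usages:
        findings.append("profile lacks 'client auth'; kubectl cannot use the cert")
    if "server auth" in usages:
        findings.append("profile grants 'server auth'; not needed for a user cert")
    expiry = prof.get("expiry", ca_config["signing"]["default"]["expiry"])
    hours = parse_expiry_hours(expiry)
    if hours > max_hours:
        findings.append(f"expiry {hours:.0f}h exceeds policy of {max_hours:.0f}h "
                        "for a temporary account")
    return findings


def lint_all(csr_text: str = CSR_JSON, ca_text: str = CA_CONFIG_JSON,
             profile: str = "kubernetes") -> list:
    """Run both linters over JSON text and return all findings."""
    return lint_csr(json.loads(csr_text)) + lint_profile(json.loads(ca_text), profile)


if __name__ == "__main__":
    for finding in lint_all():
        print("WARN:", finding)
```

Run against the post's own files it prints two warnings (the unnecessary "server auth" usage and the ten-year expiry); the CSR itself passes, since O=k8s is an ordinary group that only gains what a ClusterRoleBinding later grants it.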
  • Generate the kube config file

devuser.kubeconfig is the read-only kubeconfig file being generated. For the value of k8s-api-server see /root/.kube/config and keep it consistent. The cluster name kubernetes must match the cluster name under context in cat /etc/kubernetes/kubelet.conf.

kubectl config set-cluster kubernetes \
--certificate-authority=ca.crt \
--embed-certs=true \
--server=https://k8s-api-server:6443 \
--kubeconfig=devuser.kubeconfig

Configure the k8s cluster role binding

  • Credential settings
kubectl config set-credentials devuser \
--client-certificate=devuser.pem \
--client-key=devuser-key.pem \
--embed-certs=true \
--kubeconfig=devuser.kubeconfig
  • Context settings
kubectl config set-context kubernetes \
--cluster=kubernetes \
--user=devuser \
--kubeconfig=devuser.kubeconfig
  • Set the default context
kubectl config use-context kubernetes --kubeconfig=devuser.kubeconfig
  • Test with get pod
kubectl get po  --kubeconfig=./devuser.kubeconfig
# It reports no permission; ignore this for now, the cluster role binding is configured next
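The three kubectl config commands above produce a single v1 Config document whose certificate material is stored inline as base64 because of --embed-certs=true. The script below is an added example for this post (not from the original post, not kubectl's own code): build_kubeconfig assembles the same structure from the CA, client certificate and client key, and portability_problems checks that a kubeconfig references no certificate by file path and has its current-context set, which is exactly what must hold before the file is later copied into another user's home directory. The PEM blobs, server URL and names are constructed placeholders.

```python
"""Assemble the devuser kubeconfig and check that it is self-contained.

Added example, not part of the original post. Mirrors what
`kubectl config set-cluster/set-credentials/set-context --embed-certs=true`
write: certificate-authority-data, client-certificate-data and
client-key-data hold the base64 of the PEM files instead of file paths.
"""
import base64
import json

# Constructed stand-ins for ca.crt, devuser.pem and devuser-key.pem.
CA_PEM = b"-----BEGIN CERTIFICATE-----\nEXAMPLE-CA\n-----END CERTIFICATE-----\n"
CLIENT_CERT_PEM = b"-----BEGIN CERTIFICATE-----\nEXAMPLE-DEVUSER\n-----END CERTIFICATE-----\n"
CLIENT_KEY_PEM = b"-----BEGIN RSA PRIVATE KEY-----\nEXAMPLE-KEY\n-----END RSA PRIVATE KEY-----\n"


def b64(pem: bytes) -> str:
    """kubectl stores embedded certs as standard base64 of the raw PEM bytes."""
    return base64.b64encode(pem).decode("ascii")


def build_kubeconfig(server: str, cluster: str, user: str, context: str,
                     ca_pem: bytes, cert_pem: bytes, key_pem: bytes) -> dict:
    """Equivalent of set-cluster + set-credentials + set-context + use-context."""
    return {
        "apiVersion": "v1",
        "kind": "Config",
        "clusters": [{"name": cluster,
                      "cluster": {"server": server,
                                  "certificate-authority-data": b64(ca_pem)}}],
        "users": [{"name": user,
                   "user": {"client-certificate-data": b64(cert_pem),
                            "client-key-data": b64(key_pem)}}],
        "contexts": [{"name": context,
                      "context": {"cluster": cluster, "user": user}}],
        "current-context": context,
    }


def portability_problems(cfg: dict) -> list:
    """Reasons the file would break once copied to /home/<user>/.kube/config."""
    problems = []
    for c in cfg.get("clusters", []):
        if "certificate-authority" in c["cluster"]:
            problems.append(f"cluster {c['name']} references CA by file path")
    for u in cfg.get("users", []):
        for key in ("client-certificate", "client-key"):
            if key in u["user"]:
                problems.append(f"user {u['name']} references {key} by file path")
    context_names = {c["name"] for c in cfg.get("contexts", [])}
    if cfg.get("current-context") not in context_names:
        problems.append("current-context is not set to a defined context")
    return problems


def main():
    cfg = build_kubeconfig("https://k8s-api-server:6443", "kubernetes",
                           "devuser", "kubernetes",
                           CA_PEM, CLIENT_CERT_PEM, CLIENT_KEY_PEM)
    assert portability_problems(cfg) == []
    # JSON is valid YAML, so kubectl reads this document as a kubeconfig as-is.
    print(json.dumps(cfg, indent=2))


if __name__ == "__main__":
    main()
```

To audit a file produced by kubectl rather than by this script, load it with a YAML parser and pass the resulting dict to portability_problems; a config written without --embed-certs=true fails with three path findings.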

Cluster role binding for the config

  • secret read-only example configuration (cat clusterrole.yaml)
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
    name: secret-reader
rules:
- apiGroups: [""]
  resources: ["secrets","namespaces"]
  verbs: ["get", "watch", "list"]
  • Apply the configuration file
kubectl apply -f clusterrole.yaml
  • Create the cluster role binding
kubectl create clusterrolebinding devuser-secret --clusterrole=secret-reader --user=devuser
  • Verify
kubectl get secret --kubeconfig devuser.kubeconfig
  • To get the read-only permission set covering all cluster resources: kubectl get clusterrole view -o yaml
  • clusterrole.yaml with read-only access to all resources
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
    name: secret-reader
rules:
- apiGroups: [""]
  resources: ["secrets","namespaces"]
  verbs: ["get", "watch", "list"]
- apiGroups:
  - ""
  resources:
  - configmaps
  - endpoints
  - persistentvolumeclaims
  - persistentvolumeclaims/status
  - pods
  - replicationcontrollers
  - replicationcontrollers/scale
  - serviceaccounts
  - services
  - services/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - bindings
  - events
  - limitranges
  - namespaces/status
  - pods/log
  - pods/status
  - replicationcontrollers/status
  - resourcequotas
  - resourcequotas/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - apps
  resources:
  - controllerrevisions
  - daemonsets
  - daemonsets/status
  - deployments
  - deployments/scale
  - deployments/status
  - replicasets
  - replicasets/scale
  - replicasets/status
  - statefulsets
  - statefulsets/scale
  - statefulsets/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - autoscaling
  resources:
  - horizontalpodautoscalers
  - horizontalpodautoscalers/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - batch
  resources:
  - cronjobs
  - cronjobs/status
  - jobs
  - jobs/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - extensions
  resources:
  - daemonsets
  - daemonsets/status
  - deployments
  - deployments/scale
  - deployments/status
  - ingresses
  - ingresses/status
  - networkpolicies
  - replicasets
  - replicasets/scale
  - replicasets/status
  - replicationcontrollers/scale
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - policy
  resources:
  - poddisruptionbudgets
  - poddisruptionbudgets/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses
  - ingresses/status
  - networkpolicies
  verbs:
  - get
  - list
  - watch
  • Apply the configuration: kubectl apply -f clusterrole.yaml
  • Check pods again; there is no permission error now.
kubectl get po  --kubeconfig=./devuser.kubeconfig
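Both ClusterRole manifests in this section are meant to be read-only, and the larger one is copied from the built-in view role, so the useful check before kubectl apply is mechanical: every verb must be one of get, list or watch, and no wildcard may slip in. The script below is an added example for this post (not from the original post and not a Kubernetes tool): lint_clusterrole walks the rules of a parsed ClusterRole, reports non-read verbs and wildcards as errors, and reports read access to secrets as a warning, because listing secrets cluster-wide returns every service-account token, TLS key and password stored in the cluster, which is far more than "read-only" usually means. The manifest is embedded as a constructed JSON copy of the secret-reader role (kubectl accepts JSON manifests too); CREDENTIAL_RESOURCES is an assumption of this script.

```python
"""Lint a ClusterRole before `kubectl apply` to confirm it is read-only.

Added example, not part of the original post. The manifest below is a
constructed JSON rendering of the secret-reader ClusterRole from the post;
in practice load the file or the output of
`kubectl get clusterrole <name> -o json` with json.load.
"""
import json

READ_ONLY_VERBS = {"get", "list", "watch"}
# Assumption of this script: resources whose read access is equivalent to
# obtaining credentials.
CREDENTIAL_RESOURCES = {"secrets", "serviceaccounts/token"}

CLUSTERROLE_JSON = """{
  "apiVersion": "rbac.authorization.k8s.io/v1",
  "kind": "ClusterRole",
  "metadata": {"name": "secret-reader"},
  "rules": [
    {"apiGroups": [""], "resources": ["secrets", "namespaces"],
     "verbs": ["get", "watch", "list"]},
    {"apiGroups": [""], "resources": ["pods", "pods/log"],
     "verbs": ["get", "list", "watch"]}
  ]
}"""


def lint_clusterrole(role: dict) -> dict:
    """Return {'errors': [...], 'warnings': [...]} for a parsed ClusterRole."""
    errors, warnings = [], []
    for i, rule in enumerate(role.get("rules", [])):
        groups = rule.get("apiGroups", [])
        resources = rule.get("resources", [])
        verbs = set(rule.get("verbs", []))
        if "*" in verbs:
            errors.append(f"rule {i}: wildcard verb grants write access")
        elif not verbs <= READ_ONLY_VERBS:
            extra = sorted(verbs - READ_ONLY_VERBS)
            errors.append(f"rule {i}: non read-only verbs {extra}")
        if "*" in resources or "*" in groups:
            errors.append(f"rule {i}: wildcard apiGroup/resource is not a scoped read role")
        if rule.get("nonResourceURLs"):
            warnings.append(f"rule {i}: non-resource URLs granted")
        for resource in resources:
            if resource in CREDENTIAL_RESOURCES and "" in groups:
                warnings.append(f"rule {i}: read access to {resource} exposes credentials")
    return {"errors": errors, "warnings": warnings}


def lint_text(manifest_json: str) -> dict:
    """Convenience wrapper: lint a ClusterRole given as JSON text."""
    return lint_clusterrole(json.loads(manifest_json))


def is_read_only(role: dict) -> bool:
    """True when no rule grants anything beyond get/list/watch."""
    return not lint_clusterrole(role)["errors"]


if __name__ == "__main__":
    role = json.loads(CLUSTERROLE_JSON)
    report = lint_clusterrole(role)
    print("read-only:", is_read_only(role))
    for err in report["errors"]:
        print("ERROR:", err)
    for warn in report["warnings"]:
        print("WARN:", warn)
```

Against the post's secret-reader role the linter reports no errors and one warning for the secrets rule; the pods/log entry passes, which is what makes log viewing work for the developer without any write verb.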

Create a new user on CentOS and make the generated kube config its default

  • Create the user
adduser devuser
passwd devuser
  • Copy the .kube directory and put the newly generated config file in place
cp -r ~/.kube/ /home/devuser
chown  -R devuser:devuser /home/devuser/.kube/
cp devuser.kubeconfig /home/devuser/.kube/config
  • After that, logging in as devuser and running kubectl commands no longer requires the --kubeconfig parameter.