使用以下脚本可以创建一个只对某个命名空间可以执行命令的 kubeconfig 文件，具体所需权限可以自行调整 yaml 文件内容
#!/bin/bash
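#######################################
# Print the command-line synopsis and abort.
# Globals:   none
# Arguments: none (the script name comes from $0)
# Outputs:   one usage line on stderr (not stdout, so it never ends up in
#            a file a caller may be capturing)
# Returns:   does not return; exits with status 1
#######################################
Usage() {
  printf 'Usage: %s <user> <namespace> <cluster_name> <master_server> <expire_days> <org>\n' \
    "${0##*/}" >&2
  exit 1
}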
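# Every step below (cd, openssl, kubectl) produces or depends on a credential;
# abort on the first failure so a half-built kubeconfig or a key written into
# the wrong directory (cd failed) cannot go unnoticed.
set -euo pipefail

if [[ $# -ne 6 ]]; then
  Usage
fi

user=$1
namespace=$2
cluster_name=$3
master_server=$4
expire_days=$5
organization=$6

# Input validation. $user, $namespace and $organization are interpolated into
# file names, the X.509 subject, Kubernetes object names and a label key, so
# restrict them to the DNS-style charset Kubernetes accepts for those names
# (lowercase alphanumerics, '-', and for subdomains '.'). This also rules out
# '/' and whitespace before they reach -subj or a path.
readonly re_dns_subdomain='^[a-z0-9]([a-z0-9.-]*[a-z0-9])?$'
readonly re_dns_label='^[a-z0-9]([a-z0-9-]*[a-z0-9])?$'
if [[ ! $user =~ $re_dns_subdomain ]]; then
  printf 'invalid user name (lowercase DNS subdomain expected): %s\n' "$user" >&2
  exit 1
fi
if [[ ! $namespace =~ $re_dns_label ]]; then
  printf 'invalid namespace (lowercase DNS label expected): %s\n' "$namespace" >&2
  exit 1
fi
if [[ ! $organization =~ $re_dns_subdomain ]]; then
  printf 'invalid org (lowercase DNS subdomain expected): %s\n' "$organization" >&2
  exit 1
fi
# `openssl x509 -days` needs a positive integer.
if [[ ! $expire_days =~ ^[1-9][0-9]*$ ]]; then
  printf 'invalid expire_days (positive integer expected): %s\n' "$expire_days" >&2
  exit 1
fi

# kubeadm layout: the cluster CA key pair lives directly in $pki_dir.
readonly pki_dir=/etc/kubernetes/pki
readonly users_dir=$pki_dir/users
readonly grant_dir=$pki_dir/grant

# The private key, the CSR and the kubeconfig (which embeds the key because of
# --embed-certs=true) are credentials: create them unreadable to other local
# users regardless of the caller's umask.
umask 077

mkdir -p "$users_dir"
cd "$users_dir"

# Minimal OpenSSL config; only the v3_req_client section is used below
# (clientAuth EKU, not a CA). Quoted delimiter: no expansion inside.
cat >openssl.cnf <<'EOF'
[ req ]
default_bits = 2048
default_md = sha256
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, digitalSignature, keyEncipherment, keyCertSign
[ v3_req_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
[ v3_req_client ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
EOF

openssl genrsa -out "$user.key" 2048
# The certificate's CN becomes the Kubernetes user name and O its group name;
# that is what the RoleBinding below matches on.
openssl req -new -key "$user.key" -subj "/CN=$user/O=$organization" -out "$user.csr"
# Sign with the cluster CA. -CAcreateserial creates/updates $pki_dir/ca.srl.
# Note there is no revocation for client certificates in Kubernetes: once
# issued, this identity is valid until -days runs out, so keep expire_days
# as short as the use case allows.
openssl x509 -req -in "$user.csr" \
  -CA "$pki_dir/ca.crt" -CAkey "$pki_dir/ca.key" -CAcreateserial \
  -extensions v3_req_client -extfile openssl.cnf \
  -out "$user.crt" -days "$expire_days"

# Kept exported for compatibility with the original script; only read below.
export KUBE_APISERVER="$master_server"

# Build a self-contained kubeconfig named after the user in $users_dir.
kubectl config set-cluster "$cluster_name" \
  --certificate-authority="$pki_dir/ca.crt" \
  --server="${KUBE_APISERVER}" \
  --embed-certs=true \
  --kubeconfig="$user"
kubectl config set-credentials "$user" \
  --client-certificate="$user.crt" \
  --client-key="$user.key" \
  --embed-certs=true \
  --kubeconfig="$user"
kubectl config set-context "$cluster_name" \
  --cluster="$cluster_name" \
  --namespace="$namespace" \
  --user="$user" \
  --kubeconfig="$user"
kubectl config use-context "$cluster_name" --kubeconfig="$user"

mkdir -p "$grant_dir"
cd "$grant_dir"

# RBAC manifest granting the user (and a same-named ServiceAccount) a
# namespaced Role. Review these rules before applying: `create` on pods/exec
# and pods/attach is equivalent to running commands inside any pod of the
# namespace, and create/delete on configmaps and services is a write
# permission, so this is more than a read-only "viewer". Changes from the
# original rules: `describe` is dropped (it is a kubectl subcommand, not an
# API verb, so it granted nothing), the RoleBinding uses rbac v1 like the Role
# (v1beta1 was removed in Kubernetes 1.22), and the User subject no longer
# carries a namespace field, which RBAC ignores for kind User.
# Unquoted delimiter on purpose: $user/$namespace/$organization are expanded.
cat >"k8s_create_kubeconfig_$user.yaml" <<EOF
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: $user
  namespace: $namespace
  labels:
    rbac.$organization/name: $user
rules:
- apiGroups:
  - ""
  resources:
  - pods
  - pods/attach
  - pods/exec
  - pods/log
  - pods/status
  - configmaps
  - services
  - replicationcontrollers
  verbs:
  - get
  - list
  - watch
  - create
  - delete
  - patch
# nodes are cluster-scoped; a namespaced Role cannot grant access to them.
# This rule is kept from the original but has no effect. Use a ClusterRole +
# ClusterRoleBinding if node read access is really required.
- apiGroups:
  - ""
  resources:
  - nodes
  verbs:
  - get
  - list
- apiGroups:
  - batch
  resources:
  - jobs
  - cronjobs
  verbs:
  - get
  - list
- apiGroups:
  - autoscaling
  resources:
  - horizontalpodautoscalers
  verbs:
  - get
  - list
- apiGroups:
  - extensions
  - apps
  resources:
  - deployments
  - deployments/status
  - replicasets
  - replicasets/status
  - statefulsets
  - statefulsets/status
  - daemonsets
  - daemonsets/status
  - ingresses
  - ingresses/status
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - delete
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: $user
  namespace: $namespace
  labels:
    rbac.$organization/name: $user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: $user
subjects:
- kind: User
  name: $user
  apiGroup: rbac.authorization.k8s.io
- kind: ServiceAccount
  name: $user
  namespace: $namespace
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: $user
  namespace: $namespace
EOF

printf 'kubeconfig written to %s/%s (embeds the private key; hand over through a secure channel)\n' \
  "$users_dir" "$user" >&2
printf 'RBAC manifest written to %s/k8s_create_kubeconfig_%s.yaml; the user is authorized for nothing until it is applied\n' \
  "$grant_dir" "$user" >&2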
如果集群是用 kubeadm 创建的，可以使用以下命令创建一个用户名为 test-viewer、有效期为一年、apiserver 地址为 https://k8sapi:6443 的 kubeconfig 文件
# Example run on a kubeadm-managed cluster. Must be executed as root on a
# control-plane node: the script writes under /etc/kubernetes/pki and signs
# with /etc/kubernetes/pki/ca.key.
cd /etc/kubernetes/pki/grant
# Arguments: <user> <namespace> <cluster_name> <master_server> <expire_days> <org>.
# NOTE(review): the page does not show the script being saved as
# create_k8s_account.sh in this directory — confirm the path before running.
./create_k8s_account.sh test-viewer test-namespace kubernetes https://k8sapi:6443 365 test
# Creates the Role, RoleBinding and ServiceAccount in test-namespace. The
# kubeconfig itself was written to /etc/kubernetes/pki/users/test-viewer; its
# certificate authenticates as soon as it is issued, but the user is authorized
# for nothing until this apply succeeds. Despite the "viewer" name, the
# generated Role also grants create on pods/exec, i.e. command execution
# inside pods of the namespace — trim the rules in the yaml if that is not
# intended.
kubectl apply -f k8s_create_kubeconfig_test-viewer.yaml