使用kubeconfig实现集群管理
本文涉及 kubeconfig 文件，以及 Role、ClusterRole、RoleBinding、ClusterRoleBinding 四类 RBAC 对象；示例用户 xiaohua 的凭据来自 ServiceAccount token。
1.1设置一个集群项:
# 1.1 Cluster entry: API server endpoint plus the CA used to verify it.
# --embed-certs=true copies ca.pem into the kubeconfig instead of referencing
# the path, so the file can be handed to a machine that has no /etc/kubernetes/pki.
kubectl config set-cluster kubernetes \
  --server=https://10.16.81.99:8443 \
  --certificate-authority=/etc/kubernetes/pki/ca.pem \
  --embed-certs=true \
  --kubeconfig=/etc/kubernetes/xiaohua.kubeconfig
1.2设置一个上下文环境项:
# 1.2 Context entry: ties the cluster entry from 1.1 to the user entry created in 1.3.
kubectl config set-context xiaohua@kubernetes \
  --user=xiaohua \
  --cluster=kubernetes \
  --kubeconfig=/etc/kubernetes/xiaohua.kubeconfig
1.3设置一个用户项:
用户项的凭据使用 ServiceAccount（kube-user/xiaohua）的 token，而不是客户端证书。
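# 1.3 User entry backed by a ServiceAccount token.
# The token must be read BEFORE it is used (the original page ran set-credentials
# with $XIAOHUA_TOKEN still empty, producing a user entry with no credential).
# This secret-based token carries no expiry, so treat it like a password; on
# Kubernetes >= 1.24 such token secrets are no longer created automatically and
# `kubectl create token xiaohua -n kube-user` issues a short-lived token instead.
XIAOHUA_TOKEN=$(kubectl get secret xiaohua-token-n2pll -n kube-user -o jsonpath='{.data.token}' | base64 -d)
: "${XIAOHUA_TOKEN:?could not read token from secret kube-user/xiaohua-token-n2pll}"

# NOTE: --token puts the bearer token on the command line, where shell history and
# `ps` can see it; clear the history afterwards and keep the kubeconfig mode 0600.
kubectl config set-credentials xiaohua \
  --token="$XIAOHUA_TOKEN" \
  --kubeconfig=/etc/kubernetes/xiaohua.kubeconfig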
1.4设置为当前上下文:
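# 1.4 Make xiaohua@kubernetes the current context of this kubeconfig.
# The original line selected system:kube-controller-manager@kubernetes in
# controller-manager.kubeconfig (copied from a control-plane setup, unrelated to
# the xiaohua file built above), and its "\ " continuation on the same line
# escaped the space, so " --kubeconfig=..." was passed as a stray positional
# argument rather than a flag.
kubectl config use-context xiaohua@kubernetes \
  --kubeconfig=/etc/kubernetes/xiaohua.kubeconfig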
1.5查看:
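# 1.5 Inspect the result. Use the same absolute path as steps 1.1-1.4; the
# original relative xiaohua.kubeconfig only resolves when run from /etc/kubernetes.
# The printed config can contain the bearer token (see the dashboard kubeconfig
# further down), and --raw adds the embedded CA data — do not paste this output
# into tickets, chats or docs.
kubectl config view --kubeconfig=/etc/kubernetes/xiaohua.kubeconfig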
2验证:
2.1 先创建 ClusterRole namespace-readonly，并用 ClusterRoleBinding nsro 绑定。注意下面绑定的主体是组 system:serviceaccounts:kube-user，即 kube-user 命名空间下的所有 ServiceAccount（包括 default，以及该命名空间中任何 Pod 挂载的 SA）都会获得整个集群的 namespaces/pods 只读权限；若只想授权 xiaohua，主体应改为 kind: ServiceAccount, name: xiaohua, namespace: kube-user。
[root@sck8smaster01 kubernetes]# kubectl describe clusterrole namespace-readonly
Name: namespace-readonly
Labels: <none>
Annotations:
PolicyRule:
Resources Non-Resource URLs Resource Names Verbs
--------- ----------------- -------------- -----
namespaces [] [] [get watch list]
pods [] [] [get watch list]
[root@sck8smaster01 kubernetes]# kubectl describe clusterrolebinding nsro
Name: nsro
Labels: <none>
Annotations: <none>
Role:
Kind: ClusterRole
Name: namespace-readonly
Subjects:
Kind Name Namespace
---- ---- ---------
Group system:serviceaccounts:kube-user
2.2 命令行验证：在能访问 API Server（10.16.81.99:8443 TCP 可达即可；ping 通不等于端口可达）的机器上执行 `kubectl --kubeconfig=xiaohua.kubeconfig get pod`，应能列出 Pod；再执行 `kubectl --kubeconfig=xiaohua.kubeconfig auth can-i delete pod`，应返回 no，说明只读绑定生效。
2.3 使用 kubeconfig 或直接使用 token 登录 Dashboard，验证权限绑定（作者记录：set-cluster 使用的 cluster 名不是原来的 kubernetes、而是下面的 heihei 之后，Dashboard 登录成功；下面即该 kubeconfig 的内容）。
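# Kubeconfig used for the Dashboard test in 2.3 (as printed by `kubectl config view`,
# which replaces certificate data with DATA+OMITTED). The cluster entry is named
# heihei rather than kubernetes, which is what the note in 2.3 refers to.
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://10.16.81.99:8443
  name: heihei
contexts:
- context:
    cluster: heihei
    user: xiaohei
  name: xiaohei@heihei
current-context: xiaohei@heihei
kind: Config
preferences: {}
users:
- name: xiaohei
  user:
    # Bearer token of ServiceAccount kube-user/xiaohei, taken from secret
    # xiaohei-token-f767f. The original page pasted the real JWT here; its payload
    # carries iss / namespace / secret.name / service-account.name / uid / sub and
    # no exp claim, i.e. it never expires, and anyone holding it gets every
    # permission bound to system:serviceaccounts:kube-user. Treat the posted token
    # as compromised: delete the secret so a fresh one is generated, and keep this
    # file mode 0600. Never publish a kubeconfig with a live token.
    token: <REDACTED>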