Setting up a kubeconfig with namespace-scoped permissions
Create the Role and RoleBinding
The annotation and label under metadata below are copied from the built-in bootstrap roles; the API server only reconciles its own default roles, so on a custom Role they have no effect and can be dropped. Note that apiGroups/resources/verbs "*" is full control of the namespace, including reading every Secret in it and creating Pods, so narrow the rules if the account needs less.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
  name: YOUR_NAME
  namespace: YOUR_NAME
rules:
- apiGroups:
  - "*"
  resources:
  - "*"
  verbs:
  - "*"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: YOUR_NAME
  namespace: YOUR_NAME
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: YOUR_NAME
subjects:
- kind: ServiceAccount
  name: YOUR_NAME
  namespace: YOUR_NAME
---
1. Create the ServiceAccount
kubectl create sa NAME -n NAMESPACE
2. Find the SA's token Secret. From Kubernetes 1.24 on, a Secret is no longer created automatically when the ServiceAccount is created, so it has to be created by hand (step 3).
kubectl get secret -n NAMESPACE
3. Create the Secret (skip if one already exists)
secret yaml
apiVersion: v1
kind: Secret
metadata:
  namespace: NAMESPACE
  name: NAME
  annotations:
    kubernetes.io/service-account.name: NAME
type: kubernetes.io/service-account-token
4. Export the cluster CA certificate from the Secret
mkdir -p /tmp/certs
kubectl get secret NAME -n NAMESPACE -o jsonpath='{.data.ca\.crt}' | base64 -d > /tmp/certs/ca.crt
The jsonpath form is stable across kubectl versions; a grep/awk/sed pipeline over -o yaml output breaks whenever the output layout changes. The token controller fills in ca.crt and token a moment after the Secret is created, so re-run the command if the file comes out empty.
5. Create the cluster entry with the API server address
Internal network
kubectl config set-cluster NAME --server=https://APISERVER:PORT --certificate-authority=/tmp/certs/ca.crt --embed-certs=true --kubeconfig=/tmp/config
External network
kubectl config set-cluster NAME --server=https://APISERVER:PORT --kubeconfig=/tmp/config --insecure-skip-tls-verify=true
--insecure-skip-tls-verify turns off verification of the API server certificate, so anyone who can sit between the client and APISERVER:PORT receives the bearer token and with it everything the Role allows. Only use it when the public address is missing from the server certificate's SANs and that cannot be fixed; otherwise use the embedded-CA form for the external address as well. Use the same --kubeconfig path in every step so the cluster, user and context end up in one file.
6. Read the token from the Secret
token=`kubectl describe secret NAME -n NAMESPACE | awk '/token:/{print $2}'`
This is a long-lived token that stays valid until the Secret is deleted. On 1.24+ a short-lived, bound token is the better choice for anything that does not need to live forever:
token=$(kubectl create token NAME -n NAMESPACE --duration=8h)
7. Create the credentials entry from that token
kubectl config set-credentials NAME --token=$token --kubeconfig=/tmp/config
8. Create the context that ties the user to the cluster (--namespace sets the default namespace so kubectl does not need -n on every call)
kubectl config set-context NAME --cluster=NAME --user=NAME --namespace=NAMESPACE --kubeconfig=/tmp/config
9. Switch to the context
kubectl config use-context NAME --kubeconfig=/tmp/config
Check what the new file can actually do before handing it out; the list should be confined to NAMESPACE:
kubectl auth can-i --list -n NAMESPACE --kubeconfig=/tmp/config
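The whole procedure as one script, added here as an example and not part of the original note: the cluster-side part (ServiceAccount, token Secret, CA and token extraction) runs through kubectl, and the kubeconfig itself is written by hand in the same shape that steps 5 to 9 produce with kubectl config, CA embedded and TLS verification left on. A check function refuses any file that carries insecure-skip-tls-verify. The environment variables NAME, NAMESPACE and APISERVER, the RUN_AGAINST_CLUSTER opt-in and the function names are assumptions of this example; the cluster-side part requires a current context with cluster-admin.

```bash
#!/usr/bin/env bash
# Added example, not from the original note. Builds a namespace-scoped kubeconfig for
# ServiceAccount NAME in NAMESPACE. Assumptions (hypothetical): NAME, NAMESPACE and
# APISERVER are set, the active context is cluster-admin, and RUN_AGAINST_CLUSTER=1
# opts in to touching a cluster; the two helper functions below run offline.
set -euo pipefail

# write_kubeconfig NAME NAMESPACE SERVER CA_FILE TOKEN OUT
# Same file that set-cluster --embed-certs / set-credentials / set-context /
# use-context produce, plus a default namespace so kubectl lands where the Role allows.
write_kubeconfig() {
  local name="$1" ns="$2" server="$3" ca_file="$4" token="$5" out="$6"
  local ca_b64
  ca_b64=$(base64 < "$ca_file" | tr -d '\n')   # single line, as --embed-certs stores it
  cat > "$out" <<EOF
apiVersion: v1
kind: Config
clusters:
- name: ${name}
  cluster:
    server: ${server}
    certificate-authority-data: ${ca_b64}
users:
- name: ${name}
  user:
    token: ${token}
contexts:
- name: ${name}
  context:
    cluster: ${name}
    user: ${name}
    namespace: ${ns}
current-context: ${name}
EOF
  chmod 600 "$out"   # the file carries a bearer token
}

# check_kubeconfig FILE: refuse a kubeconfig that skips TLS verification (a bearer
# token sent to an impostor API server is a full compromise of the account), or that
# has no embedded CA or no token.
check_kubeconfig() {
  local f="$1"
  if grep -q 'insecure-skip-tls-verify: true' "$f"; then
    echo "refusing $f: insecure-skip-tls-verify is set" >&2
    return 1
  fi
  grep -q 'certificate-authority-data: ' "$f" || { echo "refusing $f: no embedded CA" >&2; return 1; }
  grep -Eq '^ +token: .+' "$f" || { echo "refusing $f: no token" >&2; return 1; }
  return 0
}

# bootstrap_sa_kubeconfig NAME NAMESPACE SERVER OUT: steps 1-4 and 6 of the note via
# kubectl, then the two functions above. Needs a cluster; not run by default.
bootstrap_sa_kubeconfig() {
  local name="$1" ns="$2" server="$3" out="$4"
  kubectl create sa "$name" -n "$ns" --dry-run=client -o yaml | kubectl apply -f -
  # Long-lived token Secret (1.24+ no longer creates one automatically).
  kubectl apply -f - <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: ${name}
  namespace: ${ns}
  annotations:
    kubernetes.io/service-account.name: ${name}
type: kubernetes.io/service-account-token
EOF
  # The token controller fills .data asynchronously; poll rather than read it at once.
  local token="" _
  for _ in $(seq 1 30); do
    token=$(kubectl get secret "$name" -n "$ns" -o jsonpath='{.data.token}' | base64 -d)
    [ -n "$token" ] && break
    sleep 1
  done
  [ -n "$token" ] || { echo "token for $ns/$name never populated" >&2; return 1; }
  local ca; ca=$(mktemp)
  kubectl get secret "$name" -n "$ns" -o jsonpath='{.data.ca\.crt}' | base64 -d > "$ca"
  write_kubeconfig "$name" "$ns" "$server" "$ca" "$token" "$out"
  rm -f "$ca"
  check_kubeconfig "$out"
  kubectl auth can-i --list -n "$ns" --kubeconfig="$out"   # what the new file can really do
}

if [ "${RUN_AGAINST_CLUSTER:-0}" = "1" ]; then
  bootstrap_sa_kubeconfig "${NAME:?}" "${NAMESPACE:?}" "${APISERVER:?}" /tmp/config
fi
```

Run it as RUN_AGAINST_CLUSTER=1 NAME=dev NAMESPACE=dev APISERVER=https://10.0.0.1:6443 bash script.sh; the final can-i --list output is the thing to read before the file leaves your machine, since the Role is wildcard and the token is long-lived.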