[k8s] Creating a ServiceAccount-type kubeconfig
1. Create a ClusterRole that grants management rights over ConfigMaps cluster-wide, then create a RoleBinding in my-namespace1 and in my-namespace2 that binds this ClusterRole to the ServiceAccount in the default namespace (the RoleBinding limits the ClusterRole's permissions to that namespace)

```sh
kubectl apply -f my-configmap.yaml
...
```

```yaml
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: my-configmap-updater
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: configmap-updater
rules:
- apiGroups: [""]
  resources: ["configmaps"]
  verbs: ["create", "update", "patch", "get", "list"]
---
# RoleBinding (not ClusterRoleBinding): the ClusterRole only applies inside my-namespace1
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: configmap-updater
  namespace: my-namespace1
subjects:
- kind: ServiceAccount
  name: my-configmap-updater
  namespace: default
  apiGroup: ""
roleRef:
  kind: ClusterRole
  name: configmap-updater
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: configmap-updater
  namespace: my-namespace2
subjects:
- kind: ServiceAccount
  name: my-configmap-updater
  namespace: default
  apiGroup: ""
roleRef:
  kind: ClusterRole
  name: configmap-updater
  apiGroup: rbac.authorization.k8s.io
```
2. Generate ca.crt

```sh
user=my-configmap-updater
# .secrets is only populated on clusters that still auto-create the SA token Secret
# (before Kubernetes 1.24); on newer clusters create the token Secret first
secret=$(kubectl get sa $user -o json | jq -r .secrets[].name)
kubectl get secret $secret -o json | jq -r '.data["ca.crt"]' | base64 -d > ca.crt
```
3. Prepare user_token and the API address

```sh
user_token=$(kubectl get secret $secret -o json | jq -r '.data["token"]' | base64 -d)
context=$(kubectl config current-context)
# column 3 is CLUSTER because the current context row starts with "*"
cluster=$(kubectl config get-contexts $context | awk 'NR>1{print $3}')
endpoint=$(kubectl config view -o jsonpath="{.clusters[?(@.name == \"$cluster\")].cluster.server}")
```
4. Back up .kube/config and generate a clean config

```sh
mv ~/.kube/config ~/.kube/config.bak
kubectl config set-cluster $cluster \
  --embed-certs=true \
  --server=$endpoint \
  --certificate-authority=./ca.crt
kubectl config set-credentials $user --token=$user_token
kubectl config set-context $context \
  --cluster=$cluster \
  --user=$user
kubectl config use-context $context
```
5. Copy the new .kube/config elsewhere, then restore .kube/config.bak
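Steps 2 to 5 can also be done without moving ~/.kube/config aside: the added Python example below (not from the original post) takes the JSON that `kubectl get secret <token-secret> -o json` prints, performs the same decoding as the jq pipeline, and writes a standalone kubeconfig (JSON is valid YAML, so kubectl reads it) with 0600 permissions. The secret contents, cluster name, endpoint and context name are constructed placeholders.

```python
import base64
import json
import os

# Constructed sample of `kubectl get secret <sa-token-secret> -o json`, reduced to
# the fields the jq pipeline reads. Both values are placeholders, not real material.
SAMPLE_SECRET_JSON = json.dumps({
    "kind": "Secret",
    "type": "kubernetes.io/service-account-token",
    "data": {
        "ca.crt": base64.b64encode(
            b"-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n").decode(),
        "token": base64.b64encode(b"PLACEHOLDER-SA-TOKEN").decode(),
    },
})


def extract_secret_fields(secret_json: str) -> tuple[bytes, str]:
    """Same as `jq -r '.data["ca.crt"]' | base64 -d` and the token variant."""
    data = json.loads(secret_json)["data"]
    return base64.b64decode(data["ca.crt"]), base64.b64decode(data["token"]).decode()


def build_kubeconfig(cluster: str, endpoint: str, ca_pem: bytes,
                     user: str, token: str, context: str) -> dict:
    """Standalone kubeconfig with the fields set-cluster/set-credentials/set-context write."""
    return {
        "apiVersion": "v1",
        "kind": "Config",
        "clusters": [{"name": cluster, "cluster": {
            "server": endpoint,
            # what --embed-certs=true does: the CA PEM is stored inline, base64 encoded
            "certificate-authority-data": base64.b64encode(ca_pem).decode(),
        }}],
        "users": [{"name": user, "user": {"token": token}}],
        "contexts": [{"name": context,
                      "context": {"cluster": cluster, "user": user}}],
        "current-context": context,
    }


def write_kubeconfig(path: str, cfg: dict) -> None:
    """Create the file with mode 0600 from the start: it holds a bearer token."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        json.dump(cfg, f, indent=2)


if __name__ == "__main__":
    ca_pem, token = extract_secret_fields(SAMPLE_SECRET_JSON)
    cfg = build_kubeconfig("my-cluster", "https://10.0.0.1:6443", ca_pem,
                           "my-configmap-updater", token, "my-context")
    write_kubeconfig("sa-kubeconfig.json", cfg)
    # then: kubectl --kubeconfig=sa-kubeconfig.json get configmaps -n my-namespace1
```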
Reference: https://stackoverflow.com/questions/42170380/how-to-add-users-to-kubernetes-kubectl