Creating a Kubernetes kubeconfig that can only manage resources in a specific namespace
Goal
- Create a new namespace, tommy
- Create a kubeconfig that can only manage resources in the tommy namespace
Steps
Create a private key
```bash
openssl genrsa -out tommy.key 2048
```
Create a certificate signing request (CSR) for the key
```bash
openssl req -new -key tommy.key -out tommy.csr -subj "/CN=tommy/O=student"
# username (CN): tommy
# group (O):     student
```
Submit the CSR to Kubernetes
```bash
kubectl apply -f - <<EOF
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: tommy
spec:
  groups:
  - system:authenticated
  request: $(openssl base64 -e -A < tommy.csr)
  signerName: kubernetes.io/kube-apiserver-client
  usages:
  - client auth
EOF
```
Approve the CSR in Kubernetes, which produces the signed certificate
```bash
kubectl certificate approve tommy
```
Export the certificate
```bash
kubectl get certificatesigningrequests/tommy -o jsonpath='{.status.certificate}' | openssl base64 -d -A >tommy.crt
```
Delete the CSR
```bash
rm tommy.csr
kubectl delete certificatesigningrequests/tommy
```
Generate the new kubeconfig
```bash
kubectl config view --raw -o json | python3 -c '
import base64
import json
import sys

user_name = "tommy"
# Embed the private key and signed certificate as base64 (the *-data fields of a kubeconfig)
with open(user_name + ".key") as f:
    ckd = base64.b64encode(f.read().encode()).decode()
with open(user_name + ".crt") as f:
    ccd = base64.b64encode(f.read().encode()).decode()

config = json.loads(sys.stdin.read())
# Locate the cluster that the current context points at
for context in config["contexts"]:
    if context["name"] == config["current-context"]:
        context = context["context"]
        break
else:
    assert False
for cluster in config["clusters"]:
    if cluster["name"] == context["cluster"]:
        cluster = cluster["cluster"]
        break
else:
    assert False

# Write a minimal kubeconfig whose default namespace is the user namespace
sys.stdout.write(
    """\
apiVersion: v1
kind: Config
current-context: default
contexts:
- name: default
  context:
    cluster: default
    user: {user_name}
    namespace: {user_name}
clusters:
- name: default
  cluster:
    server: {s}
    certificate-authority-data: {cad}
users:
- name: {user_name}
  user:
    client-key-data: {ckd}
    client-certificate-data: {ccd}
""".format(
        user_name=user_name,
        s=cluster["server"],
        cad=cluster["certificate-authority-data"],
        ckd=ckd,
        ccd=ccd,
    )
)
' > tommy.kubeconfig
```
Create the tommy namespace
```bash
kubectl create namespace tommy
```
Create an admin Role in the namespace
```bash
kubectl apply -f - <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: tommy
  name: admin
rules:
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - '*'
EOF
```
a) Create a RoleBinding that binds the admin Role (of the tommy namespace) to the user tommy
```bash
kubectl apply -f - <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: tommy
  name: tommy
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: tommy
EOF
```
b) Create a RoleBinding that binds the admin Role (of the tommy namespace) to the group student
```bash
kubectl apply -f - <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: tommy
  name: tommy
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: student
EOF
```
Choose either a or b: a grants only the user tommy, while b grants every client whose certificate carries the group O=student.
Test
```bash
KUBECONFIG=./tommy.kubeconfig kubectl get pods
# output
# No resources found in tommy namespace.
```
If no error is reported, it worked.
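The kubectl test above only shows that access inside tommy is allowed; the other half of the goal is that access outside tommy is denied. As an added, offline check that is not part of the original post, the following is a deliberately simplified model of Kubernetes RBAC (namespaced Roles and RoleBindings with User/Group subjects only; no ClusterRoles, resourceNames or nonResourceURLs) run over constructed copies of the page's manifests; the function name can_i is an assumption.

```python
# Added example: simplified offline model of Kubernetes RBAC (namespaced Roles and
# RoleBindings with User/Group subjects only; ClusterRoles, resourceNames and
# nonResourceURLs are not modelled). The manifests are constructed copies of the page's.
ROLE = {"kind": "Role", "metadata": {"namespace": "tommy", "name": "admin"},
        "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]}
BINDING_USER = {"kind": "RoleBinding", "metadata": {"namespace": "tommy", "name": "tommy"},
                "roleRef": {"kind": "Role", "name": "admin"},
                "subjects": [{"kind": "User", "name": "tommy"}]}
BINDING_GROUP = {"kind": "RoleBinding", "metadata": {"namespace": "tommy", "name": "tommy"},
                 "roleRef": {"kind": "Role", "name": "admin"},
                 "subjects": [{"kind": "Group", "name": "student"}]}
# Identity the API server derives from tommy.crt: CN -> user, O -> group,
# plus the system:authenticated group it adds for every valid client certificate.
TOMMY_USER, TOMMY_GROUPS = "tommy", ["student", "system:authenticated"]

def _matches(pattern, value):
    return pattern == "*" or pattern == value

def _subject_matches(subject, user, groups):
    if subject["kind"] == "User":
        return subject["name"] == user
    if subject["kind"] == "Group":
        return subject["name"] in groups
    return False  # ServiceAccount subjects are not modelled here

def can_i(user, groups, verb, api_group, resource, namespace, roles, bindings):
    """True if some RoleBinding in `namespace` grants (verb, api_group, resource)."""
    for binding in bindings:
        if binding["metadata"]["namespace"] != namespace:
            continue  # a RoleBinding never reaches outside its own namespace
        if not any(_subject_matches(s, user, groups) for s in binding["subjects"]):
            continue
        ref = binding["roleRef"]
        role = next((r for r in roles if ref["kind"] == "Role"
                     and r["metadata"]["namespace"] == namespace
                     and r["metadata"]["name"] == ref["name"]), None)
        if role is None:
            continue  # a dangling roleRef grants nothing
        for rule in role["rules"]:
            if (any(_matches(g, api_group) for g in rule["apiGroups"])
                    and any(_matches(r, resource) for r in rule["resources"])
                    and any(_matches(v, verb) for v in rule["verbs"])):
                return True
    return False
```

Both binding variants allow tommy to list pods in tommy and deny the same request in default or kube-system, and a different certificate (CN=alice, no O=student) gets nothing from either binding.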