k8s context switching: switching between users and clusters
Command guide
```
[root@master-1 kubectl-rbac]# kubectl config
Modify kubeconfig files using subcommands like "kubectl config set current-context my-context"

The loading order follows these rules:

 1. If the --kubeconfig flag is set, then only that file is loaded. The flag may only be set once and no merging takes place.
 2. If $KUBECONFIG environment variable is set, then it is used as a list of paths (normal path delimiting rules for your system). These paths are merged. When a value is modified, it is modified in the file that defines the stanza. When a value is created, it is created in the first file that exists. If no files in the chain exist, then it creates the last file in the list.
 3. Otherwise, ${HOME}/.kube/config is used and no merging takes place.

Available Commands:
  current-context   Display the current-context
  delete-cluster    Delete the specified cluster from the kubeconfig
  delete-context    Delete the specified context from the kubeconfig
  delete-user       Delete the specified user from the kubeconfig
  get-clusters      Display clusters defined in the kubeconfig
  get-contexts      Describe one or many contexts
  get-users         Display users defined in the kubeconfig
  rename-context    Renames a context from the kubeconfig file.
  set               Set an individual value in a kubeconfig file
  set-cluster       Set a cluster entry in kubeconfig
  set-context       Set a context entry in kubeconfig
  set-credentials   Set a user entry in kubeconfig
  unset             Unset an individual value in a kubeconfig file
  use-context       Set the current-context in a kubeconfig file
  view              Display merged kubeconfig settings or a specified kubeconfig file
```
View the current kubeconfig (certificate data is redacted in the output; the raw file still contains the private keys, so treat it as a secret)
```
[root@master-1 ~]# kubectl config view
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://192.168.43.129:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: cluster-admin
  name: default
current-context: default
kind: Config
preferences: {}
users:
- name: cluster-admin
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
```
View the current context:
kubectl config current-context
List all contexts:
kubectl config get-contexts
Switch context:
kubectl config use-context <context-name>
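The loading-order rules quoted above matter once $KUBECONFIG lists more than one file: for clusters, users and contexts the first file that defines a name wins, and current-context is taken from the first file that sets one, so the order of the paths decides which API server and credentials you end up talking to. The script below is an added example, not part of the original page and not kubectl code: it merges kubeconfigs by those rules and then audits the result for the problems that bite later on this page (contexts with no namespace, credentials stored as file paths rather than embedded, a cluster with TLS verification switched off). The two documents are constructed for the example in the shape of `kubectl config view --raw -o json`; the team file, its 10.0.0.1 server and the placeholder base64 strings are assumptions.

```python
"""Merge kubeconfig files the way kubectl does for $KUBECONFIG=a:b and audit
the result. Added example, not kubectl code."""
import copy
import json

# Constructed stand-in for ~/.kube/config: the page's cluster and contexts.
# Base64 values are placeholders, not real key material.
HOME_CONFIG = {
    "apiVersion": "v1", "kind": "Config",
    "current-context": "default",
    "clusters": [{"name": "kubernetes",
                  "cluster": {"server": "https://192.168.43.129:6443",
                              "certificate-authority-data": "Q0EuLi4="}}],
    "users": [
        {"name": "cluster-admin",
         "user": {"client-certificate-data": "Q0VSVA==", "client-key-data": "S0VZ"}},
        {"name": "zhangsan",   # set-credentials without --embed-certs stores paths
         "user": {"client-certificate": "/opt/tls/k8s/zhangsan.pem",
                  "client-key": "/opt/tls/k8s/zhangsan-key.pem"}},
    ],
    "contexts": [
        {"name": "default", "context": {"cluster": "kubernetes", "user": "cluster-admin"}},
        {"name": "zhangsan", "context": {"cluster": "kubernetes", "user": "zhangsan"}},
        {"name": "app", "context": {"cluster": "kubernetes", "user": "app", "namespace": "app"}},
    ],
}

# Constructed second file (assumption): a team-provided kubeconfig that reuses
# the cluster name "kubernetes" with a different, unverified endpoint.
TEAM_CONFIG = {
    "apiVersion": "v1", "kind": "Config",
    "current-context": "app",
    "clusters": [
        {"name": "kubernetes",
         "cluster": {"server": "https://10.0.0.1:6443", "insecure-skip-tls-verify": True}},
        {"name": "test-kubernetes",
         "cluster": {"server": "https://192.168.0.190:6888",
                     "certificate-authority-data": "Q0EuLi4="}},
    ],
    "users": [{"name": "app",
               "user": {"client-certificate-data": "Q0VSVA==", "client-key-data": "S0VZ"}}],
    "contexts": [{"name": "test-dashboard-context",
                  "context": {"cluster": "test-kubernetes", "user": "app"}}],
}


def merge_kubeconfigs(configs):
    """kubectl's merge rule: for clusters, users and contexts the FIRST file
    that defines a name wins (later entries with the same name are dropped
    entirely); current-context comes from the first file that sets one."""
    merged = {"apiVersion": "v1", "kind": "Config",
              "clusters": [], "users": [], "contexts": []}
    for section in ("clusters", "users", "contexts"):
        seen = set()
        for cfg in configs:
            for entry in cfg.get(section, []):
                if entry["name"] not in seen:
                    seen.add(entry["name"])
                    merged[section].append(copy.deepcopy(entry))
    for cfg in configs:
        if cfg.get("current-context"):
            merged["current-context"] = cfg["current-context"]
            break
    return merged


def audit_kubeconfig(cfg):
    """Sorted list of findings to fix before handing the file to anyone."""
    findings = []
    clusters = {c["name"]: c["cluster"] for c in cfg["clusters"]}
    users = {u["name"]: u["user"] for u in cfg["users"]}
    for name, cl in clusters.items():
        if cl.get("insecure-skip-tls-verify"):
            findings.append(f"cluster {name}: insecure-skip-tls-verify is set")
        if not cl.get("server", "").startswith("https://"):
            findings.append(f"cluster {name}: server is not https")
    for name, u in users.items():
        if "client-certificate" in u or "client-key" in u:
            findings.append(f"user {name}: credentials are file paths, not embedded")
    for ctx in cfg["contexts"]:
        c = ctx["context"]
        if c["cluster"] not in clusters:
            findings.append(f"context {ctx['name']}: unknown cluster {c['cluster']}")
        if c["user"] not in users:
            findings.append(f"context {ctx['name']}: unknown user {c['user']}")
        if not c.get("namespace"):
            findings.append(f"context {ctx['name']}: no namespace (commands default to 'default')")
    return sorted(findings)


if __name__ == "__main__":
    for order in (["HOME", "TEAM"], ["TEAM", "HOME"]):
        merged = merge_kubeconfigs([globals()[f"{n}_CONFIG"] for n in order])
        print("KUBECONFIG order", order, "-> current-context", merged["current-context"])
        print(json.dumps(audit_kubeconfig(merged), indent=2))
```

Run it both ways round: with the home file first the "kubernetes" cluster keeps its CA and the team file's unverified endpoint is silently discarded; with the team file first the same context name now points at 10.0.0.1 with TLS verification off and current-context flips to app. Auditing the home file on its own also reports that context app references a user that does not exist in that file, which is what the `kubectl config view` output later on this page shows.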
Example:
Switching users
1. Set up the user's credentials. --client-certificate is the client certificate and --client-key is its private key. --embed-certs=true copies the PEM contents into the kubeconfig; without it only the file paths are stored, so the kubeconfig stops working as soon as it is copied to another machine. An embedded kubeconfig carries the private key, so handle it as a secret.
```
kubectl config set-credentials zhangsan \
  --client-certificate=/opt/tls/k8s/zhangsan.pem \
  --client-key=/opt/tls/k8s/zhangsan-key.pem \
  --embed-certs=true
```
2. Add a context (binds the user to a cluster)
```
# context name zhangsan: cluster kubernetes, user zhangsan
kubectl config set-context zhangsan \
  --cluster=kubernetes \
  --user=zhangsan
```
Restricting a context to a namespace
1. Set up the cluster (the server URL needs its https:// scheme, as the `kubectl config view` output shows)
```
kubectl config set-cluster kubernetes \
  --certificate-authority=/opt/kubernetes/ssl/ca.pem \
  --embed-certs=true \
  --server=https://192.168.43.129:6443
```
2. Set up the user
2.1 Create the user's CSR. Kubernetes takes the user name from CN and group membership from O, so this certificate authenticates as user app in group app-team; an RBAC subject can target either one.
```
cat app-csr.json
{
  "CN": "app",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "ShangHai",
      "ST": "ShangHai",
      "O": "app-team",
      "OU": "dev"
    }
  ]
}
```
2.2 Generate the certificate. The "lacks a hosts field" warning is expected: this is a client certificate, not a server certificate, so it needs no SANs.
```
cfssl gencert -ca=/opt/tls/k8s/ca.pem -ca-key=/opt/tls/k8s/ca-key.pem -config=/opt/tls/k8s/ca-config.json -profile=kubernetes app-csr.json | cfssljson -bare app
2024/12/31 11:36:59 [INFO] generate received request
2024/12/31 11:36:59 [INFO] received CSR
2024/12/31 11:36:59 [INFO] generating key: rsa-2048
2024/12/31 11:37:00 [INFO] encoded CSR
2024/12/31 11:37:00 [INFO] signed certificate with serial number 192558839923337440471345677367883156269965012359
2024/12/31 11:37:00 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
```
The private key is written with mode 0600; keep it that way.
```
]# ll
total 16
-rw-r--r-- 1 root root  997 Dec 31 11:37 app.csr
-rw-r--r-- 1 root root  220 Dec 31 11:35 app-csr.json
-rw------- 1 root root 1675 Dec 31 11:37 app-key.pem
-rw-r--r-- 1 root root 1399 Dec 31 11:37 app.pem
```
2.3 Set up the user's credentials
```
]# kubectl config set-credentials app \
> --client-certificate=/opt/k8s/rbac/app/app.pem \
> --client-key=/opt/k8s/rbac/app/app-key.pem \
> --embed-certs=true
User "app" set.
```
3. Set up the context. --namespace only sets the default namespace for kubectl commands in this context; it is a convenience, not a permission boundary. The boundary comes from the RoleBinding in step 6.
```
]# kubectl config set-context app \
  --cluster=kubernetes \
  --user=app \
  --namespace=app
Context "app" created.
```
4. View the context details
```
]# kubectl config view
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://192.168.43.129:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    namespace: app
    user: app
  name: app
- context:
    cluster: kubernetes
    user: cluster-admin
  name: default            # this context has no namespace
- context:
    cluster: kubernetes
    namespace: dev
    user: dev
  name: dev
- context:
    cluster: kubernetes
    user: zhangsan          # not restricted to a namespace
  name: zhangsan
current-context: app
kind: Config
preferences: {}
users:
- name: cluster-admin
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
- name: zhangsan
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
```
5. List the contexts
```
kubectl config get-contexts
CURRENT   NAME       CLUSTER      AUTHINFO        NAMESPACE
          app        kubernetes   app             app
*         default    kubernetes   cluster-admin
          zhangsan   kubernetes   zhangsan
```
6. Grant the user permissions
# If admin is broader than you want, create a custom Role and RoleBinding instead. Note that in the manifest below the Role ns-app-role is defined but never bound: the RoleBinding's roleRef points at the built-in ClusterRole admin, so user app gets admin inside namespace app and the custom Role has no effect. To apply the narrower Role, point roleRef at kind: Role, name: ns-app-role (a RoleBinding may reference either a ClusterRole or a Role in its own namespace). roleRef is immutable, so changing it means deleting and recreating the binding.
```
cat /opt/k8s/rbac/app/rbac/rolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ns-app-role
  namespace: app
rules:
- apiGroups: [""]
  resources: ["*"]
  verbs: ["get", "list", "create", "update", "patch", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ns-app-rolebinding
  namespace: app
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: admin   # binding a ClusterRole through a RoleBinding scopes it down to this one namespace
subjects:
- kind: User
  name: app
  apiGroup: rbac.authorization.k8s.io
```
7. Switch to the app context (`use` is accepted as a short form of `use-context`)
```
kubectl config use app
Switched to context "app".
```
```
]# kubectl config get-contexts
CURRENT   NAME       CLUSTER      AUTHINFO        NAMESPACE
*         app        kubernetes   app             app
          default    kubernetes   cluster-admin
          zhangsan   kubernetes   zhangsan
```
8. Verify the app user's permissions inside and outside its namespace
Because the binding grants the admin ClusterRole, the user has full admin rights within the app namespace, and nothing anywhere else.
```
kubectl apply -f /opt/app/nginx/hostpath/nginx-configmap-deployment.yaml
deployment.apps/nginx-configmap created
service/nginx-configmap created

# -n app can be omitted because the context sets namespace: app
kubectl delete pod nginx-configmap-5cc7c79987-cfcq7
pod "nginx-configmap-5cc7c79987-cfcq7" deleted

# a cluster-scoped request (-A / --all-namespaces) is denied: a RoleBinding never grants cluster-wide list
kubectl get pod -w -A
Error from server (Forbidden): pods is forbidden: User "app" cannot list resource "pods" in API group "" at the cluster scope

# any other namespace is denied as well
[root@master-1 rbac]# kubectl get pod -n default
Error from server (Forbidden): pods is forbidden: User "app" cannot list resource "pods" in API group "" in the namespace "default"
```
List every permission of the current context. Read this list before calling the context "restricted": admin in a namespace still includes reading secrets, pods/exec and pods/portforward, impersonating the namespace's service accounts, and creating roles and rolebindings inside the namespace, which is full control of every workload and credential that lives there.
```
kubectl auth can-i --list -n app
Resources                                        Non-Resource URLs   Resource Names   Verbs
rolebindings.rbac.authorization.k8s.io           []                  []               [create delete deletecollection get list patch update watch]
roles.rbac.authorization.k8s.io                  []                  []               [create delete deletecollection get list patch update watch]
configmaps                                       []                  []               [create delete deletecollection patch update get list watch]
endpoints                                        []                  []               [create delete deletecollection patch update get list watch]
persistentvolumeclaims                           []                  []               [create delete deletecollection patch update get list watch]
pods                                             []                  []               [create delete deletecollection patch update get list watch]
replicationcontrollers/scale                     []                  []               [create delete deletecollection patch update get list watch]
replicationcontrollers                           []                  []               [create delete deletecollection patch update get list watch]
services                                         []                  []               [create delete deletecollection patch update get list watch]
daemonsets.apps                                  []                  []               [create delete deletecollection patch update get list watch]
deployments.apps/scale                           []                  []               [create delete deletecollection patch update get list watch]
deployments.apps                                 []                  []               [create delete deletecollection patch update get list watch]
replicasets.apps/scale                           []                  []               [create delete deletecollection patch update get list watch]
replicasets.apps                                 []                  []               [create delete deletecollection patch update get list watch]
statefulsets.apps/scale                          []                  []               [create delete deletecollection patch update get list watch]
statefulsets.apps                                []                  []               [create delete deletecollection patch update get list watch]
horizontalpodautoscalers.autoscaling             []                  []               [create delete deletecollection patch update get list watch]
cronjobs.batch                                   []                  []               [create delete deletecollection patch update get list watch]
jobs.batch                                       []                  []               [create delete deletecollection patch update get list watch]
daemonsets.extensions                            []                  []               [create delete deletecollection patch update get list watch]
deployments.extensions/scale                     []                  []               [create delete deletecollection patch update get list watch]
deployments.extensions                           []                  []               [create delete deletecollection patch update get list watch]
ingresses.extensions                             []                  []               [create delete deletecollection patch update get list watch]
networkpolicies.extensions                       []                  []               [create delete deletecollection patch update get list watch]
replicasets.extensions/scale                     []                  []               [create delete deletecollection patch update get list watch]
replicasets.extensions                           []                  []               [create delete deletecollection patch update get list watch]
replicationcontrollers.extensions/scale          []                  []               [create delete deletecollection patch update get list watch]
ingresses.networking.k8s.io                      []                  []               [create delete deletecollection patch update get list watch]
networkpolicies.networking.k8s.io                []                  []               [create delete deletecollection patch update get list watch]
poddisruptionbudgets.policy                      []                  []               [create delete deletecollection patch update get list watch]
deployments.apps/rollback                        []                  []               [create delete deletecollection patch update]
deployments.extensions/rollback                  []                  []               [create delete deletecollection patch update]
localsubjectaccessreviews.authorization.k8s.io   []                  []               [create]
selfsubjectaccessreviews.authorization.k8s.io    []                  []               [create]
selfsubjectrulesreviews.authorization.k8s.io     []                  []               [create]
pods/attach                                      []                  []               [get list watch create delete deletecollection patch update]
pods/exec                                        []                  []               [get list watch create delete deletecollection patch update]
pods/portforward                                 []                  []               [get list watch create delete deletecollection patch update]
pods/proxy                                       []                  []               [get list watch create delete deletecollection patch update]
secrets                                          []                  []               [get list watch create delete deletecollection patch update]
services/proxy                                   []                  []               [get list watch create delete deletecollection patch update]
bindings                                         []                  []               [get list watch]
events                                           []                  []               [get list watch]
limitranges                                      []                  []               [get list watch]
namespaces/status                                []                  []               [get list watch]
namespaces                                       []                  []               [get list watch]
persistentvolumeclaims/status                    []                  []               [get list watch]
pods/log                                         []                  []               [get list watch]
pods/status                                      []                  []               [get list watch]
replicationcontrollers/status                    []                  []               [get list watch]
resourcequotas/status                            []                  []               [get list watch]
resourcequotas                                   []                  []               [get list watch]
services/status                                  []                  []               [get list watch]
controllerrevisions.apps                         []                  []               [get list watch]
daemonsets.apps/status                           []                  []               [get list watch]
deployments.apps/status                          []                  []               [get list watch]
replicasets.apps/status                          []                  []               [get list watch]
statefulsets.apps/status                         []                  []               [get list watch]
horizontalpodautoscalers.autoscaling/status      []                  []               [get list watch]
cronjobs.batch/status                            []                  []               [get list watch]
jobs.batch/status                                []                  []               [get list watch]
daemonsets.extensions/status                     []                  []               [get list watch]
deployments.extensions/status                    []                  []               [get list watch]
ingresses.extensions/status                      []                  []               [get list watch]
replicasets.extensions/status                    []                  []               [get list watch]
nodes.metrics.k8s.io                             []                  []               [get list watch]
pods.metrics.k8s.io                              []                  []               [get list watch]
ingresses.networking.k8s.io/status               []                  []               [get list watch]
poddisruptionbudgets.policy/status               []                  []               [get list watch]
                                                 [/api/*]            []               [get]
                                                 [/api]              []               [get]
                                                 [/apis/*]           []               [get]
                                                 [/apis]             []               [get]
                                                 [/healthz]          []               [get]
                                                 [/healthz]          []               [get]
                                                 [/livez]            []               [get]
                                                 [/livez]            []               [get]
                                                 [/openapi/*]        []               [get]
                                                 [/openapi]          []               [get]
                                                 [/readyz]           []               [get]
                                                 [/readyz]           []               [get]
                                                 [/version/]         []               [get]
                                                 [/version/]         []               [get]
                                                 [/version]          []               [get]
                                                 [/version]          []               [get]
serviceaccounts                                  []                  []               [impersonate create delete deletecollection patch update get list watch]
```
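Why the same user succeeds in app but gets Forbidden in default and at cluster scope comes down to where the binding lives, not how broad the ClusterRole is: a RoleBinding is evaluated only for requests in its own namespace, and a cluster-scoped request (`-A`) has no namespace for it to match. The script below is an added example, not Kubernetes source and not from the original page: a cut-down model of the RBAC decision for the binding in step 6 and the checks in step 8, plus a `can-i --list` style summary per resource. The certificate subjects are constructed from the CSR above; the O=system:masters value for cluster-admin is an assumption (the page never shows that certificate), and ADMIN_RULES is only a subset of the built-in admin ClusterRole, enough to reproduce the rows discussed here.

```python
"""Minimal model of the RBAC decision behind the allow/Forbidden results on
this page. Added example: implements only the subset of RBAC needed to show
why a RoleBinding to ClusterRole admin stops at the namespace boundary."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed certificate subjects. The x509 authenticator maps CN -> user
# name and every O -> group. cluster-admin's O is an assumption.
APP_CERT_SUBJECT = {"CN": "app", "O": ["app-team"]}
CLUSTER_ADMIN_CERT_SUBJECT = {"CN": "cluster-admin", "O": ["system:masters"]}


def identity_from_cert(subject):
    """Return (user, groups) as the API server sees a client certificate."""
    return subject["CN"], list(subject.get("O", [])) + ["system:authenticated"]


@dataclass
class Rule:
    api_groups: List[str]
    resources: List[str]
    verbs: List[str]


ALL_VERBS = ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
READ = ["get", "list", "watch"]

# Subset of the built-in "admin" ClusterRole, mirroring rows of can-i --list.
ADMIN_RULES = [
    Rule([""], ["pods", "pods/exec", "secrets", "services", "configmaps"], ALL_VERBS),
    Rule(["apps"], ["deployments", "replicasets", "statefulsets", "daemonsets"], ALL_VERBS),
    Rule(["rbac.authorization.k8s.io"], ["roles", "rolebindings"], ALL_VERBS),
    Rule([""], ["namespaces", "events"], READ),
]
CLUSTER_ADMIN_RULES = [Rule(["*"], ["*"], ["*"])]


@dataclass
class Binding:
    subjects: List[Tuple[str, str]]   # ("User", name) or ("Group", name)
    rules: List[Rule]
    namespace: Optional[str]          # None = ClusterRoleBinding, else the RoleBinding's namespace


BINDINGS = [
    Binding([("Group", "system:masters")], CLUSTER_ADMIN_RULES, None),
    # ns-app-rolebinding: ClusterRole admin granted through a RoleBinding in "app"
    Binding([("User", "app")], ADMIN_RULES, "app"),
]


def _match(patterns, value):
    return "*" in patterns or value in patterns


def _bound_to(binding, user, groups):
    return any((kind == "User" and name == user) or (kind == "Group" and name in groups)
               for kind, name in binding.subjects)


def allowed(user, groups, verb, resource, namespace, api_group=""):
    """namespace="" is a cluster-scoped request such as `kubectl get pod -A`."""
    for b in BINDINGS:
        if not _bound_to(b, user, groups):
            continue
        # A RoleBinding only applies inside its own namespace, so it can never
        # satisfy a cluster-scoped request, however broad the ClusterRole is.
        if b.namespace is not None and b.namespace != namespace:
            continue
        if any(_match(r.api_groups, api_group) and _match(r.resources, resource)
               and _match(r.verbs, verb) for r in b.rules):
            return True
    return False


def forbidden_message(user, verb, resource, namespace, api_group=""):
    """Same wording the API server returned in step 8."""
    scope = f'in the namespace "{namespace}"' if namespace else "at the cluster scope"
    return (f'{resource} is forbidden: User "{user}" cannot {verb} resource '
            f'"{resource}" in API group "{api_group}" {scope}')


def permitted_verbs(user, groups, resource, namespace, api_group=""):
    """One row of `kubectl auth can-i --list -n <namespace>` for a resource."""
    return sorted(v for v in ALL_VERBS if allowed(user, groups, v, resource, namespace, api_group))


if __name__ == "__main__":
    user, groups = identity_from_cert(APP_CERT_SUBJECT)
    for ns in ("app", "default", ""):
        ok = allowed(user, groups, "list", "pods", ns)
        print(ns or "<cluster scope>", "->", "allowed" if ok else forbidden_message(user, "list", "pods", ns))
    print("secrets in app:", permitted_verbs(user, groups, "secrets", "app"))
    print("nodes in app:", permitted_verbs(user, groups, "nodes", "app"))
```

The output reproduces the page's two Forbidden lines and shows the cost of the admin ClusterRole even when namespaced: every verb on secrets and pods/exec in app. Pointing the binding at the page's own ns-app-role instead would drop delete and deletecollection and leave the apps and rbac groups out entirely.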
Switching between clusters
1. Add the other cluster, a credential for it and a context binding the two, then switch with use-context as above. Two things to check: the --certificate-authority file must be the CA that signed the other cluster's API server certificate, not this cluster's, or every request fails TLS verification; and set-credentials overwrites any existing user entry of the same name in the kubeconfig, so give the credential a cluster-specific name rather than a generic admin.
```
KUBE_APISERVER="https://192.168.0.190:6888"   # API server of the other cluster

# CA of the other cluster
kubectl config set-cluster test-kubernetes \
  --certificate-authority=/opt/kubernetes/ssl/ca.pem \
  --embed-certs=true \
  --server=${KUBE_APISERVER}

# --client-key must be the private key, not the certificate again;
# admin-key.pem follows the <name>-key.pem naming used elsewhere on this page
kubectl config set-credentials admin \
  --client-certificate=/opt/kubernetes/ssl/admin.pem \
  --client-key=/opt/kubernetes/ssl/admin-key.pem \
  --embed-certs=true

kubectl config set-context test-dashboard-context \
  --cluster=test-kubernetes \
  --user=admin
```
The more I learn, the more I realize how little I know.