Creating k8s contexts
Having set up the k8s cluster earlier, we now want to create a separate context for each developer, so that nobody accidentally deletes someone else's containers while sharing the cluster.
1. Create the directories and enter the working directory:
mkdir -p /etc/k8s-conf.d/common
mkdir -p /etc/k8s-conf.d/template
cd /etc/k8s-conf.d
2. Create the namespaces:
kubectl create ns k8s-dev
kubectl create ns k8s-testing
k8s-dev and k8s-testing are shared namespaces that every developer may operate on; in addition, each developer gets a private namespace named after the pinyin of their Chinese name, which is easy to remember.
Write the team members' names into a lists.txt file, one per line, and create the namespaces in bulk with a script, for example:
cat lists.txt | gawk '{print "kubectl create ns " $0}' | sh
3. Create the shared context configuration file with the common.sh script:
#!/bin/bash
# create the shared (common) users
# user name
USER=$1
CLUSTER=k8s-cluster
NAMESPACE=$2
prefix=/etc/k8s-conf.d
CA_PATH=/etc/kubernetes/pki

# create a private key and have the cluster CA sign a certificate for it
function createKey {
    mkdir -p $prefix/$1
    cd $prefix/$1
    echo "now create user $1"
    (umask 077; openssl genrsa -out $1.key 2048)
    openssl req -new -key $1.key -out $1.csr -subj "/CN=$1"
    openssl x509 -req -in $1.csr -CA ${CA_PATH}/ca.crt -CAkey ${CA_PATH}/ca.key -CAcreateserial -out $1.crt -days 5000
    openssl x509 -in $1.crt -text -noout
}
createKey $USER

# write the kubeconfig entries
function setCredentials {
    # cluster entry
    kubectl config set-cluster $CLUSTER --server=https://10.254.18.2:6443 --certificate-authority=${CA_PATH}/ca.crt --embed-certs=true --kubeconfig=/etc/k8s-conf.d/common/config
    # user entry (the .crt/.key paths are relative to $prefix/$1, which createKey changed into)
    kubectl config set-credentials $1 --client-certificate=$1.crt --client-key=$1.key --embed-certs=true --kubeconfig=/etc/k8s-conf.d/common/config
    kubectl config set-context ctx-$1 --namespace=$NAMESPACE --cluster=$CLUSTER --user=$1 --kubeconfig=/etc/k8s-conf.d/common/config
}
setCredentials $USER
Run the script as follows:
bash common.sh k8s-dev k8s-dev
bash common.sh k8s-testing k8s-testing
This creates the users k8s-dev and k8s-testing and the contexts ctx-k8s-dev and ctx-k8s-testing in the config file under the common directory; every personal user configuration created later is built on top of this config file.
4. Create each user's private context with user.sh:
#!/bin/bash
### create accounts for the lab team members
# user name
USER=$1
CLUSTER=k8s-cluster
NAMESPACE=$1
prefix=/etc/k8s-conf.d
CA_PATH=/etc/kubernetes/pki

# initialisation: start from the shared config and create the user's directory
function init {
    cp /etc/k8s-conf.d/common/config /etc/k8s-conf.d/common/$USER.conf
    mkdir -p $prefix/$USER
    cd $prefix/$USER
}
init

# create a private key and have the cluster CA sign a certificate for it
function createKey {
    cd $prefix/$1
    echo "now create user $1"
    (umask 077; openssl genrsa -out $1.key 2048)
    openssl req -new -key $1.key -out $1.csr -subj "/CN=$1"
    openssl x509 -req -in $1.csr -CA ${CA_PATH}/ca.crt -CAkey ${CA_PATH}/ca.key -CAcreateserial -out $1.crt -days 5000
    openssl x509 -in $1.crt -text -noout
}
createKey $USER

# write the kubeconfig entries into the user's own .conf
function setCredentials {
    # cluster entry
    kubectl config set-cluster $CLUSTER --server=https://10.254.18.2:6443 --certificate-authority=${CA_PATH}/ca.crt --embed-certs=true --kubeconfig=/etc/k8s-conf.d/common/$1.conf
    # user entry
    kubectl config set-credentials $1 --client-certificate=$1.crt --client-key=$1.key --embed-certs=true --kubeconfig=/etc/k8s-conf.d/common/$1.conf
    kubectl config set-context ctx-$1 --namespace=$NAMESPACE --cluster=$CLUSTER --user=$1 --kubeconfig=/etc/k8s-conf.d/common/$1.conf
}
setCredentials $USER
Create the users in bulk:
cat lists.txt | gawk '{print "bash user.sh " $0}' | sh
5. Configure each user's permissions from the templates in the template directory.
template-role.yaml:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: template
  name: template-role
rules:
# "exec" is not a verb the API server ever requests; kubectl exec is
# authorised as "create" on the "pods/exec" subresource listed below.
- apiGroups: ["", "extensions", "apps", "batch", "autoscaling"]
  resources: ["deployments", "services", "jobs", "crontabs", "daemonsets", "replicasets", "statefulsets", "horizontalpodautoscalers", "replicationcontrollers", "cronjobs"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete", "exec"]
- apiGroups: [""]
  resources: ["pods", "pods/log", "pods/exec", "endpoints", "secrets", "persistentvolumeclaims", "configmaps"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete", "exec"]
---
# rbac.authorization.k8s.io/v1beta1 was removed in Kubernetes 1.22; v1 is used here
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: template
  name: k8s-template-rolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: template-role
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: template
template-ClusterRole.yaml:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: template-ClusterRole
rules:
# read-only access to every resource in these API groups, in all namespaces
- apiGroups: ["", "extensions", "apps", "batch", "autoscaling", "storage.k8s.io"]
  resources: ["*"]
  verbs: ["get", "list", "watch"]
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["patch"]
---
# rbac.authorization.k8s.io/v1beta1 was removed in Kubernetes 1.22; v1 is used here
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: k8s-template-ClusterRoleBinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: template-ClusterRole
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: template
Adjust the Role and ClusterRole permissions as needed, then create them with the role-init.sh script:
#!/bin/bash
## create the Role and ClusterRole for a user and bind them
USER=$1
prefix=/etc/k8s-conf.d

function modify {
    cp $prefix/template/template-role.yaml $prefix/$USER
    cp $prefix/template/template-ClusterRole.yaml $prefix/$USER
    cd $prefix/$USER
    rm -rf $USER-role*.yaml
    mv template-role.yaml $USER-role.yaml
    mv template-ClusterRole.yaml $USER-ClusterRole.yaml
    # each template line contains "template" at most once, so no g flag is needed
    sed -i "s/template/$USER/" $USER-role.yaml
    sed -i "s/template/$USER/" $USER-ClusterRole.yaml
    # delete first so re-running the script refreshes an existing binding
    kubectl delete -f $USER-ClusterRole.yaml
    kubectl create -f $USER-ClusterRole.yaml
    kubectl delete -f $USER-role.yaml
    kubectl create -f $USER-role.yaml
}
modify
Run the following to create the Roles and ClusterRoles in bulk:
cat lists.txt | gawk '{print "bash role-init.sh " $0}' | sh
k8s-dev and k8s-testing need to be handled separately: edit role.yaml and ClusterRole.yaml by hand (paying attention to the namespace and name fields in the YAML) and then run kubectl create -f role.yaml and kubectl create -f ClusterRole.yaml.
Finally, hand the *.conf files in the common directory to the team members; for example, place the .conf files from the common directory in an nginx download directory so developers can fetch them over the web.
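Before handing out the .conf files it is worth checking what the two templates actually grant. The following is an added example, not part of the original post: a small offline simulation of Kubernetes RBAC rule matching (wildcards and subresources, but no resourceNames or nonResourceURLs) over the rules copied from template-role.yaml and template-ClusterRole.yaml, assuming one developer per namespace named after them, as user.sh and role-init.sh set up. The usernames zhangsan and lisi are constructed samples.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Rule:
    api_groups: Tuple[str, ...]
    resources: Tuple[str, ...]
    verbs: Tuple[str, ...]

    def allows(self, verb: str, group: str, resource: str) -> bool:
        # "*" in any list is a wildcard; a subresource such as "pods/exec"
        # has to be listed explicitly (or covered by "*").
        def match(allowed, wanted):
            return "*" in allowed or wanted in allowed
        return (match(self.verbs, verb) and match(self.api_groups, group)
                and match(self.resources, resource))


# Verbs copied from template-role.yaml. "exec" is never requested by the
# API server; kubectl exec is authorised as "create" on "pods/exec".
RW = ("get", "list", "watch", "create", "update", "patch", "delete", "exec")
# Namespaced Role, bound in the developer's own namespace by role-init.sh.
NS_ROLE = (
    Rule(("", "extensions", "apps", "batch", "autoscaling"),
         ("deployments", "services", "jobs", "crontabs", "daemonsets",
          "replicasets", "statefulsets", "horizontalpodautoscalers",
          "replicationcontrollers", "cronjobs"), RW),
    Rule(("",), ("pods", "pods/log", "pods/exec", "endpoints", "secrets",
                 "persistentvolumeclaims", "configmaps"), RW),
)
# ClusterRole from template-ClusterRole.yaml, bound cluster-wide.
CLUSTER_ROLE = (
    Rule(("", "extensions", "apps", "batch", "autoscaling", "storage.k8s.io"),
         ("*",), ("get", "list", "watch")),
    Rule(("",), ("nodes",), ("patch",)),
)


def can_i(user: str, verb: str, resource: str, group: str = "",
          namespace: Optional[str] = None) -> bool:
    """Offline equivalent of `kubectl auth can-i` for a user.sh developer."""
    if namespace == user and any(r.allows(verb, group, resource) for r in NS_ROLE):
        return True  # granted by the RoleBinding in their own namespace
    return any(r.allows(verb, group, resource) for r in CLUSTER_ROLE)


if __name__ == "__main__":
    print(can_i("zhangsan", "delete", "pods", namespace="zhangsan"))  # True
    print(can_i("zhangsan", "delete", "pods", namespace="lisi"))      # False
    print(can_i("zhangsan", "get", "secrets", namespace="lisi"))      # True
```

The third result shows that the ClusterRole's resources: ["*"] in the core API group also covers Secrets, so every developer can read every namespace's Secrets, and the nodes/patch rule lets any developer modify node objects cluster-wide; narrow both if that is not intended.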