In many cases developers need to inspect the details of a service deployment but do not need write access. For that we can generate a read-only kubeconfig file.
1. Download and install the cfssl tool
https://github.com/cloudflare/cfssl. cfssl is written in Go, so you need a local Go environment; then build it following the documentation on GitHub.
2. Create the certificate files
cat readonly-ca-config.json
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "kubernetes": {
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ],
        "expiry": "87600h"
      }
    }
  }
}
Create the certificate signing request (CSR) file
cat readonly-csr.json
{
  "CN": "readonly",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "bj",
      "L": "bj",
      "O": "readonly-group",
      "OU": "System"
    }
  ]
}
CN: the Common Name; the api-server uses the CN field as the User name (k8s itself does not maintain User records)
O: Organization; the api-server takes this field from the certificate as the Group name
Generate the certificate and private key (signed by the cluster's root CA)
ca.crt: the certificate under /etc/kubernetes/pki on the master node (the cluster's root CA)
ca.key: the private key under /etc/kubernetes/pki on the master node (the root CA's private key)
cfssl gencert -ca=./ca.crt -ca-key=./ca.key -config=./readonly-ca-config.json -profile=kubernetes readonly-csr.json | cfssljson -bare readonly
This generates the following files:
readonly-key.pem # private key
readonly.csr # signing request
readonly.pem # certificate
Generate the kubeconfig file
The cluster information in readonly.conf needs to be copied from another file (e.g. admin.conf; the admin certificate is generated when the k8s cluster is set up). Note that copying admin.conf wholesale also copies the admin user's embedded client certificate and key into readonly.conf, so that entry must be removed before the file is handed to anyone.
# copy the admin file contents to readonly
cat admin.conf > readonly.conf
# remove the admin user and its context copied from admin.conf (kubeadm names them kubernetes-admin and kubernetes-admin@kubernetes; adjust if yours differ)
kubectl config unset users.kubernetes-admin --kubeconfig=readonly.conf
kubectl config delete-context kubernetes-admin@kubernetes --kubeconfig=readonly.conf
# set the user information
kubectl config set-credentials readonly --client-certificate=readonly.pem --client-key=readonly-key.pem --embed-certs=true --kubeconfig=readonly.conf
# set the context information
kubectl config set-context kubernetes --cluster=kubernetes --user=readonly --kubeconfig=readonly.conf
# set the current context
kubectl config use-context kubernetes --kubeconfig=readonly.conf
Create the readonly-group group in the k8s cluster and bind it to the view role
The view clusterrole is k8s's built-in cluster-wide read-only role; you can also create your own role or clusterrole. (The manifest uses rbac.authorization.k8s.io/v1; the v1beta1 version was removed in Kubernetes 1.22.)
cat readonly.yaml
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: readonly
subjects:
- kind: Group
  name: readonly-group
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: view
  apiGroup: rbac.authorization.k8s.io
After the apply runs, view and readonly-group are bound:
kubectl apply -f readonly.yaml
If kubectl --kubeconfig=readonly.conf get pods returns without an error, the readonly file was generated successfully. A successful read only shows that the credentials work; to confirm the file is really read-only, also check that a write (for example creating a pod) is refused.
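As an added example (not part of the original post), here is an offline consistency check in Python over the three artefacts the procedure produces: it verifies that the certificate's O matches the binding's Group subject, that the roleRef is the view ClusterRole, that O is not system:masters (a group the API server maps to cluster-admin through a built-in binding, regardless of your own RBAC), and that readonly.conf carries no credentials other than the readonly user's. The dicts are constructed to mirror the post's readonly-csr.json, readonly.yaml and readonly.conf; the kubernetes-admin user name is kubeadm's default and is an assumption.

```python
# Added example, not from the original post: offline checks that the CSR, the
# ClusterRoleBinding and the kubeconfig agree on one read-only identity.
READ_ONLY_ROLES = {"view"}              # ClusterRoles a read-only identity may bind
PRIVILEGED_GROUPS = {"system:masters"}  # bound to cluster-admin by a built-in binding

def identity_from_csr(csr):
    """Derive (user, groups) the way the API server does: CN -> user, O -> groups."""
    groups = sorted({n["O"] for n in csr.get("names", []) if "O" in n})
    return csr["CN"], groups

def audit(csr, binding, kubeconfig):
    """Return a list of findings; an empty list means the three files agree."""
    user, groups = identity_from_csr(csr)
    findings = [f"O={g} bypasses RBAC: the holder is cluster-admin"
                for g in groups if g in PRIVILEGED_GROUPS]
    # The binding only takes effect if its Group subject equals the cert's O.
    bound = {s["name"] for s in binding["subjects"] if s["kind"] == "Group"}
    if not bound & set(groups):
        findings.append(f"binding groups {sorted(bound)} never match cert groups {groups}")
    ref = binding["roleRef"]
    if ref["kind"] != "ClusterRole" or ref["name"] not in READ_ONLY_ROLES:
        findings.append(f"roleRef {ref['kind']}/{ref['name']} is not a read-only role")
    # Only the read-only user may remain in the file, and current-context must use it.
    users = {u["name"]: u["user"] for u in kubeconfig.get("users", [])}
    findings += [f"kubeconfig still carries credentials for {n!r}" for n in users if n != user]
    contexts = {c["name"]: c["context"] for c in kubeconfig.get("contexts", [])}
    if contexts.get(kubeconfig.get("current-context"), {}).get("user") != user:
        findings.append(f"current-context does not select user {user!r}")
    if "client-certificate-data" not in users.get(user, {}):
        findings.append(f"user {user!r} has no embedded client certificate")
    return findings

# Constructed inputs mirroring the post's readonly-csr.json and readonly.yaml.
CSR = {"CN": "readonly", "names": [{"O": "readonly-group", "OU": "System"}]}
BINDING = {"subjects": [{"kind": "Group", "name": "readonly-group"}],
           "roleRef": {"kind": "ClusterRole", "name": "view"}}
# readonly.conf right after `cat admin.conf > readonly.conf` plus set-credentials:
# the admin user copied from admin.conf (kubeadm's default name, assumed) is still there.
LEAKY_CONF = {
    "current-context": "kubernetes",
    "contexts": [{"name": "kubernetes", "context": {"cluster": "kubernetes", "user": "readonly"}}],
    "users": [{"name": "kubernetes-admin", "user": {"client-certificate-data": "<base64>"}},
              {"name": "readonly", "user": {"client-certificate-data": "<base64>"}}],
}
CLEAN_CONF = {**LEAKY_CONF, "users": [LEAKY_CONF["users"][1]]}

if __name__ == "__main__":
    print("leaky:", audit(CSR, BINDING, LEAKY_CONF))   # one finding about kubernetes-admin
    print("clean:", audit(CSR, BINDING, CLEAN_CONF))   # []
```

Run it against your real files by loading them with json/yaml into the same dict shapes; any non-empty result is something to fix before the kubeconfig is distributed.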