创建一个具有只读权限的 kubeconfig

2023/10/13 k8s 共 1890 字,约 6 分钟

1. 创建 ServiceAccount

它将作为 kubeconfig 中的 user。需要注意：ServiceAccount 本身始终是命名空间级资源，放在 kube-system 里并不会让它变成"集群范围"；下面之所以能拿到整个集群的只读权限，是因为它通过 ClusterRoleBinding 绑定到了 ClusterRole。如果想把权限限定到某个 namespace，应在该 namespace 中用 Role/RoleBinding（或用 RoleBinding 引用这个 ClusterRole）来绑定，ServiceAccount 可以创建在任意命名空间。

---
# ServiceAccount that becomes the "user" of the generated kubeconfig.
# ServiceAccounts are always namespaced; the cluster-wide reach comes from
# the ClusterRoleBinding below, not from living in kube-system.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: readonly-serviceaccount
  namespace: kube-system

---
# Token Secret for the ServiceAccount, declared explicitly because recent
# Kubernetes releases (1.24+) no longer auto-create token Secrets.
# NOTE(review): a service-account-token Secret does not expire. Treat the
# resulting kubeconfig as a long-lived credential: rotate it by deleting and
# re-creating this Secret, and prefer `kubectl create token --duration=...`
# when short-lived access is enough.
apiVersion: v1
kind: Secret
metadata:
  name: readonly-secret
  namespace: kube-system
  annotations:
    kubernetes.io/service-account.name: readonly-serviceaccount # required
type: kubernetes.io/service-account-token # required

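---
# Cluster-wide read-only role: verbs are limited to get/list/watch, so the
# holder cannot create, modify or delete any of the listed resources.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: readonly-role
rules:
  - apiGroups: [""]
    resources:
      - nodes
      # nodes/proxy is NOT purely read-only: "get" on it reaches the kubelet
      # API through the apiserver proxy (container logs of every namespace,
      # /metrics, and potentially the websocket variants of exec/attach, which
      # are GET requests). Keep it only if this identity must scrape kubelets
      # (e.g. a Prometheus-style scraper); otherwise delete this line.
      - nodes/proxy
      - services
      - endpoints
      - pods
    verbs: ["get", "list", "watch"]
  - apiGroups:
      # Ingress lives in networking.k8s.io; extensions/v1beta1 Ingress was
      # removed in Kubernetes 1.22. "extensions" is kept only so the rule
      # still works on older clusters.
      - networking.k8s.io
      - extensions
    resources:
      - ingresses
    verbs: ["get", "list", "watch"]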

---
# Grants the ClusterRole to the ServiceAccount in every namespace. To scope
# the grant to a single namespace, use a RoleBinding in that namespace
# instead (it may still reference this ClusterRole).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: readonly-role-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: readonly-role
subjects:
  - kind: ServiceAccount
    name: readonly-serviceaccount
    namespace: kube-system

2. 获取 secret

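# Collect the token and cluster details the kubeconfig needs.
# - The go-template must select .data.token: an empty template (as this line
#   is sometimes rendered) produces an empty token and a kubeconfig that
#   silently authenticates as nobody.
# - --flatten inlines a file-based certificate-authority, so CLUSTER_CA_CERT
#   is populated even when the admin kubeconfig references a CA file instead
#   of embedding certificate-authority-data.
# - These variables hold a bearer token: do not run this under `set -x`, and
#   be aware that exported variables are inherited by every child process.
SA_SECRET_TOKEN=$(kubectl -n kube-system get secret/readonly-secret -o go-template='{{.data.token}}' | base64 --decode)
# The token controller fills the Secret asynchronously; fail loudly if it is still empty.
: "${SA_SECRET_TOKEN:?token is empty - is secret/readonly-secret populated yet?}"
export SA_SECRET_TOKEN

CLUSTER_NAME=$(kubectl config current-context)
export CLUSTER_NAME

CURRENT_CLUSTER=$(kubectl config view --raw --flatten -o jsonpath='{range.contexts[?(@.name=="'"${CLUSTER_NAME}"'")]}{.context.cluster}{end}')
export CURRENT_CLUSTER

CLUSTER_CA_CERT=$(kubectl config view --raw --flatten -o jsonpath='{.clusters[?(@.name=="'"${CURRENT_CLUSTER}"'")].cluster.certificate-authority-data}')
: "${CLUSTER_CA_CERT:?no certificate-authority-data found for cluster ${CURRENT_CLUSTER}}"
export CLUSTER_CA_CERT

CLUSTER_ENDPOINT=$(kubectl config view --raw --flatten -o jsonpath='{.clusters[?(@.name=="'"${CURRENT_CLUSTER}"'")].cluster.server}')
export CLUSTER_ENDPOINT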

3. 创建 kubeconfig

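# Write the kubeconfig. It embeds a bearer token, so create it with mode 0600.
# Remove any stale copy first: '>' truncates an existing file but keeps its
# (possibly world-readable) mode, which umask alone would not fix.
: "${SA_SECRET_TOKEN:?SA_SECRET_TOKEN must be set (see step 2)}"
rm -f -- readonly-kubeconfig
(
  umask 077
  cat << EOF > readonly-kubeconfig
apiVersion: v1
kind: Config
current-context: ${CLUSTER_NAME}
contexts:
- name: ${CLUSTER_NAME}
  context:
    cluster: ${CLUSTER_NAME}
    user: readonly-serviceaccount
clusters:
- name: ${CLUSTER_NAME}
  cluster:
    certificate-authority-data: ${CLUSTER_CA_CERT}
    server: ${CLUSTER_ENDPOINT}
users:
- name: readonly-serviceaccount
  user:
    token: ${SA_SECRET_TOKEN}
EOF
)

# Confirm the new identity really is read-only before handing the file out:
# the list should show only get/list/watch, never create/update/patch/delete.
kubectl --kubeconfig readonly-kubeconfig auth can-i --list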
