一、基于ServiceAccount生成kubeconfig
基于ServiceAccount生成Kubeconfig，需要先为该ServiceAccount获取一个Token。这里使用保存在类型为 kubernetes.io/service-account-token 的Secret中的Token（较新版本的Kubernetes不再自动为ServiceAccount创建这类Secret，因此下面手动创建）。该Token是长期有效的凭证，生成的kubeconfig文件需要妥善保管。
环境准备工作:
# 创建 ServiceAccount（下文中的 k、kaf 分别为 kubectl、kubectl apply -f 的别名）
[root@k8s-master01 ~]# k create sa zq
# 创建secret
[root@k8s-master01 ~]# vim zq-token-secret.yaml
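apiVersion: v1
kind: Secret
metadata:
  name: zq-token-secret
  annotations:
    # Ties this Secret to the ServiceAccount "zq"; the control plane then
    # fills in .data.token and .data.ca.crt for it.
    kubernetes.io/service-account.name: zq
type: kubernetes.io/service-account-token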
[root@k8s-master01 ~]# kaf zq-token-secret.yaml
1、获取APIServer地址
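# Resolve the API server URL from the current kubectl context.
# The awk pattern relies on the "Kubernetes control plane" label in the
# cluster-info output; other kubectl versions may label the line differently,
# in which case the result is empty and rejected below.
serverAddr=$(kubectl cluster-info | awk '/Kubernetes control plane/{print $NF}')
# Abort early instead of silently producing a kubeconfig with an empty "server:".
: "${serverAddr:?failed to read API server address from 'kubectl cluster-info'}"
# Print the value; quoted so it is not subject to word splitting or globbing.
printf '%s\n' "$serverAddr"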
2、获取当前ServiceAccount的CA证书和Token
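# ServiceAccount and the token Secret created for it during environment setup.
serviceaccountName="zq"
secretName="zq-token-secret"

# certificate-authority-data in a kubeconfig is base64, so ca.crt is kept encoded.
ca=$(kubectl get "secret/${secretName}" -o jsonpath='{.data.ca\.crt}')
# The token, by contrast, goes into the kubeconfig decoded.
token=$(kubectl get "secret/${secretName}" -o jsonpath='{.data.token}' | base64 --decode)

# A service-account-token Secret is populated by the control plane after it is
# created, so reading it immediately can return empty fields; fail loudly here
# rather than writing a kubeconfig that is silently unusable.
: "${ca:?ca.crt not present in secret ${secretName} yet - retry}"
: "${token:?token not present in secret ${secretName} yet - retry}"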
3、生成kubeconfig
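#######################################
# Write a kubeconfig for the ServiceAccount into
# "${serviceaccountName}-kubeconfig.yaml" in the current directory.
# Globals (read): serviceaccountName, serverAddr, ca, token
# Outputs:        the kubeconfig file, mode 0600 because it embeds a bearer token
# Returns:        0 on success, 1 when a required variable is empty
#######################################
write_kubeconfig() {
  local out="${serviceaccountName}-kubeconfig.yaml"
  local v
  # Refuse to write a config with empty server/CA/token fields.
  for v in serviceaccountName serverAddr ca token; do
    if [[ -z "${!v:-}" ]]; then
      printf 'write_kubeconfig: %s is empty; refusing to write %s\n' "$v" "$out" >&2
      return 1
    fi
  done
  # umask in a subshell so the restrictive mode applies only to this file.
  (
    umask 077
    cat <<EOF > "$out"
apiVersion: v1
kind: Config
clusters:
- name: default-cluster
  cluster:
    server: ${serverAddr}
    certificate-authority-data: ${ca}
users:
- name: ${serviceaccountName}
  user:
    token: ${token}
contexts:
- name: ${serviceaccountName}-context
  context:
    cluster: default-cluster
    user: ${serviceaccountName}
    namespace: default
current-context: ${serviceaccountName}-context
EOF
  )
  # A pre-existing file keeps its old mode through truncation, so tighten it too.
  chmod 600 -- "$out"
}
write_kubeconfig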
验证：查看生成的 kubeconfig 文件（其中的 token 是可直接访问集群的长期凭证，文件需妥善保管）
[root@k8s-master01 ~]# cat zq-kubeconfig.yaml
apiVersion: v1
kind: Config
clusters:
- name: default-cluster
cluster:
server: https://10.0.0.20:6443
certificate-authority-data: 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
users:
- name: zq
user:
token: eyJhbGciOiJSUzI1NiIsImtpZCI6IjdxMWhLWkVpd0t3ZVpNNmdNNmhJdkdOaldfVzA0MTJySm84ZkpMbFhvLVkifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6InpxLXRva2VuLXNlY3JldCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJ6cSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjAwMjRlN2JiLWZlMjktNGQ5NS1hNWM0LTcyMzAwZjI3MTQ4MSIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpkZWZhdWx0OnpxIn0.PxiDjkNTRticLwqsMwFtLFT2lSmGzgzAe2MWpq_HGEnN3kCKMjIzvFQnGvoXcMEOQiDOtJz5zsAgjOUWZ_vTAWTYv5cbPzWvz1-bMhECXEmmGX0LpGqRGefGuYPhYzDViyEQvm4XIQayTXkQ6H7uuyLzIXsNDxT2CjLokATExerrLRDVfF_vEEIlHw-QgYXg91nim11VmJnMf_oczIgt9aJEHQvp4kNLUO3X35520aEF5OY-jmMNowfzSSdeb2vpu9uJKPvSMeFeshoI_5_1XsAGUtuAa05E7QS47grr4SglX0UXJ5RyBV79IPbFUAKOT9ocfi87XlPiuviCsgsMjg
contexts:
- name: zq-context
context:
cluster: default-cluster
user: zq
namespace: default
current-context: zq-context
除了上面的手动步骤外，也可以通过脚本实现相同的目的。注意脚本需要自行获取 ca 和 token，不能依赖上面交互式会话中定义的变量。
vim deploy-kubeconfig.sh
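#!/usr/bin/env bash
# deploy-kubeconfig.sh
# Build a standalone kubeconfig for a ServiceAccount from its token Secret and
# write it to "${serviceaccountName}-kubeconfig.yaml" in the current directory.
#
# Requires: kubectl configured for the target cluster, and a Secret of type
# kubernetes.io/service-account-token for the ServiceAccount, already populated.
set -euo pipefail

readonly serviceaccountName="zq"
readonly secretName="zq-token-secret"

# API server URL of the current context; an empty match aborts the script.
serverAddr=$(kubectl cluster-info | awk '/Kubernetes control plane/{print $NF}')
: "${serverAddr:?failed to read API server address from 'kubectl cluster-info'}"

# Both values come from the Secret: ca.crt stays base64 (the format kubeconfig
# expects for certificate-authority-data), the token is decoded. Without these
# two lookups the heredoc below would emit empty fields.
ca=$(kubectl get "secret/${secretName}" -o jsonpath='{.data.ca\.crt}')
token=$(kubectl get "secret/${secretName}" -o jsonpath='{.data.token}' | base64 --decode)
# The Secret is populated by the control plane after creation; fail rather than
# write an unusable kubeconfig if it is not filled in yet.
: "${ca:?ca.crt not present in secret ${secretName} yet - retry}"
: "${token:?token not present in secret ${secretName} yet - retry}"

out="${serviceaccountName}-kubeconfig.yaml"
# The file embeds a bearer token: create it owner-readable only.
umask 077
cat <<EOF > "$out"
apiVersion: v1
kind: Config
clusters:
- name: default-cluster
  cluster:
    server: ${serverAddr}
    certificate-authority-data: ${ca}
users:
- name: ${serviceaccountName}
  user:
    token: ${token}
contexts:
- name: ${serviceaccountName}-context
  context:
    cluster: default-cluster
    user: ${serviceaccountName}
    namespace: default
current-context: ${serviceaccountName}-context
EOF
# A pre-existing file keeps its old mode through truncation, so tighten it too.
chmod 600 -- "$out"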
4、生成后即可使用新的 kubeconfig 操作集群。此时该 ServiceAccount 尚未被授予任何权限，因此请求被拒绝（Forbidden）：
[root@k8s-master01 ~]# kubectl get po --kubeconfig zq-kubeconfig.yaml
Error from server (Forbidden): pods is forbidden: User "system:serviceaccount:default:zq" cannot list resource "pods" in API group "" in the namespace "default"
5、添加临时授权并重新尝试。这里通过 RoleBinding 把只读的 view ClusterRole 绑定到 default 命名空间中的 ServiceAccount zq，权限仅限于该命名空间：
[root@k8s-master01 ~]# kubectl create rolebinding zq-view \
--clusterrole=view \
--serviceaccount=default:zq \
--namespace=default
# 重新尝试，可以看到授权已生效
[root@k8s-master01 ~]# kubectl get po --kubeconfig zq-kubeconfig.yaml
No resources found in default namespace.