自动创建kubeconfig并授权脚本

1,736次阅读
2 条评论

共计 15267 个字符,预计需要花费 39 分钟才能阅读完成。

自动创建kubeconfig并授权脚本

公司内部存在十多个k8s集群,版本低至1.12,高至1.20。目前还没有统一登录认证,以后也许会有。。。目前每个集群都是存在kubeadashboard,各项目组人员都只能通过这个操作集群资源(国企考虑东西过多,不考虑其他类似kubesphere/kuboard和其他国外面板等)。所以每次有项目增删改查或人员变动,对kubeconfig和权限操控都很繁琐,所以记录下改造脚本释放自己

使用CertificateSigningRequest资源创建

脚本一

[root@k8s-master kubeconfig]# cat create-user-kubeconfig.sh
#/bin/bash
namespace=$1
username=$2
dir=`mktemp -d ${username}.XXXXXXXX`
cd $dir

openssl genrsa -out ${username}.key 2048
openssl req -new -key ${username}.key -out ${username}.csr -subj "/CN=${username}"
cat >${username}-csr.yaml<<-EOF
apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
metadata:
  name: ${username}
spec:
  request: `cat ${username}.csr | base64 | tr -d "\n"`
  signerName: kubernetes.io/kube-apiserver-client
  usages:
  - client auth
EOF

kubectl delete csr ${username} 2> /dev/null
kubectl apply -f ${username}-csr.yaml
kubectl certificate approve ${username}
kubectl get csr ${username} -o jsonpath='{.status.certificate}'| base64 -d > ${username}.crt
cat >${username}-rbac.yaml<<-EOF
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ${username}
  namespace: ${namespace}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: role-${username}
  namespace: ${namespace}
rules:
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - '*'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ${username}-role-binding
  namespace: ${namespace}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: role-${username}
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: ${username}
- kind: ServiceAccount
  namespace: ${userspace}
  name: ${username}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: node-read-clusterrole
rules:
- apiGroups:
  - ""
  resources:
  - nodes
  - namespaces
  verbs:
  - get
  - watch
  - list
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: node-read-clusterrolebinding-${username}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: node-read-clusterrole
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: ${username}
- kind: ServiceAccount
  name: ${username}
  namespace: ${namespace}
EOF

kubectl apply -f ${username}-rbac.yaml
kubectl config view --raw | head -6 > config.${username}
kubectl config set-context ${username}@kubernetes --cluster=kubernetes --user=${username} --kubeconfig=config.${username}
kubectl config set-credentials ${username} --client-certificate=${username}.crt --client-key=${username}.key --embed-certs=true --kubeconfig=config.${username}
kubectl config use-context ${username}@kubernetes --kubeconfig=config.${username}
user_secret_name=`kubectl get secret -n ${namespace} | grep ${username}-token | awk '{print $1}'`
user_token=$(kubectl -n ${namespace} get secrets ${user_secret_name} -o jsonpath={.data.token} |base64 -d)
kubectl config set-credentials ${username} --token=${user_token} --kubeconfig=config.${username}

脚本二

[root@k8s-master kubeconfig]# cat create-user-kubeconfig.sh
#/bin/bash
namespace=$1
username=$2
dir=`mktemp -d ${username}.XXXXXXXX`
cd $dir

openssl genrsa -out ${username}.key 2048
openssl req -new -key ${username}.key -out ${username}.csr -subj "/CN=${username}"
# 此处高版本k8s集群可以识别expirationSeconds字段来控制证书过期
cat >${username}-csr.yaml<<-EOF
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: ${username}
spec:
  request: `cat ${username}.csr | base64 | tr -d "\n"`

  expirationSeconds: 86400  # one day
  signerName: kubernetes.io/kube-apiserver-client
  usages:
  - client auth
EOF

kubectl delete csr ${username} 2> /dev/null
kubectl apply -f ${username}-csr.yaml
kubectl certificate approve ${username}
kubectl get csr ${username} -o jsonpath='{.status.certificate}'| base64 -d > ${username}.crt
cat >${username}-rbac.yaml<<-EOF
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ${username}
  namespace: ${namespace}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: role-${username}
  namespace: ${namespace}
rules:
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - '*'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ${username}-role-binding
  namespace: ${namespace}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: role-${username}
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: ${username}
- kind: ServiceAccount
  namespace: ${userspace}
  name: ${username}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: node-read-clusterrole
rules:
- apiGroups:
  - ""
  resources:
  - nodes
  - namespaces
  verbs:
  - get
  - watch
  - list
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: node-read-clusterrolebinding-${username}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: node-read-clusterrole
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: ${username}
- kind: ServiceAccount
  name: ${username}
  namespace: ${namespace}
EOF

kubectl apply -f ${username}-rbac.yaml
kubectl config view --raw | head -6 > config.${username}
kubectl config set-context ${username}@kubernetes --cluster=kubernetes --user=${username} --kubeconfig=config.${username}
kubectl config set-credentials ${username} --client-certificate=${username}.crt --client-key=${username}.key --embed-certs=true --kubeconfig=config.${username}
kubectl config use-context ${username}@kubernetes --kubeconfig=config.${username}
user_secret_name=`kubectl get secret -n ${namespace} | grep ${username}-token | awk '{print $1}'`
user_token=$(kubectl -n ${namespace} get secrets ${user_secret_name} -o jsonpath={.data.token} |base64 -d)
kubectl config set-credentials ${username} --token=${user_token} --kubeconfig=config.${username}

使用openssl方式创建

[root@k8s-master kubeconfig]# cat create-user-kubeconfig-v2.sh
#/bin/bash
namespace=$1
username=$2

ca_file="/etc/kubernetes/pki/ca.crt"
ca_key="/etc/kubernetes/pki/ca.key"
expire_day=3650

dir=`mktemp -d ${username}.XXXXXXXX`
cd $dir

openssl genrsa -out ${username}.key 2048
openssl req -new -key ${username}.key -out ${username}.csr -subj "/CN=${username}"
openssl x509 -req -in ${username}.csr -CA $ca_file -CAkey $ca_key -CAcreateserial -out ${username}.crt -days ${expire_day}

cat >${username}-rbac.yaml<<-EOF
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ${username}
  namespace: ${namespace}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: role-${username}
  namespace: ${namespace}
rules:
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - '*'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ${username}-role-binding
  namespace: ${namespace}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: role-${username}
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: ${username}
- kind: ServiceAccount
  namespace: ${userspace}
  name: ${username}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: node-read-clusterrole
rules:
- apiGroups:
  - ""
  resources:
  - nodes
  - namespaces
  verbs:
  - get
  - watch
  - list
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: node-read-clusterrolebinding-${username}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: node-read-clusterrole
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: ${username}
- kind: ServiceAccount
  name: ${username}
  namespace: ${namespace}
EOF

kubectl apply -f ${username}-rbac.yaml
kubectl config view --raw | head -6 > config.${username}
kubectl config set-context ${username}@kubernetes --cluster=kubernetes --user=${username} --kubeconfig=config.${username}
kubectl config set-credentials ${username} --client-certificate=${username}.crt --client-key=${username}.key --embed-certs=true --kubeconfig=config.${username}
kubectl config use-context ${username}@kubernetes --kubeconfig=config.${username}
user_secret_name=`kubectl get secret -n ${namespace} | grep ${username}-token | awk '{print $1}'`
user_token=$(kubectl -n ${namespace} get secrets ${user_secret_name} -o jsonpath={.data.token} |base64 -d)
kubectl config set-credentials ${username} --token=${user_token} --kubeconfig=config.${username}

测试验证权限

测试创建kubeconfig

[root@k8s-master kubeconfig]# bash create-user-kubeconfig.sh default xadocker4
Generating RSA private key, 2048 bit long modulus
....+++
....+++
e is 65537 (0x10001)
certificatesigningrequest.certificates.k8s.io/xadocker4 created
certificatesigningrequest.certificates.k8s.io/xadocker4 approved
serviceaccount/xadocker4 created
role.rbac.authorization.k8s.io/role-xadocker4 created
rolebinding.rbac.authorization.k8s.io/xadocker4-role-binding created
clusterrole.rbac.authorization.k8s.io/node-read-clusterrole unchanged
clusterrolebinding.rbac.authorization.k8s.io/node-read-clusterrolebinding-xadocker4 created
Context "xadocker4@kubernetes" created.
User "xadocker4" set.
Switched to context "xadocker4@kubernetes".
User "xadocker4" set.

# 查看生成的kubeconfig文件
[root@k8s-master xadocker4.cPJiUwYK]# cat config.xadocker4
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUN5RENDQWJDZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwcmRXSmwKY201bGRHVnpNQjRYRFRJeU1EZ3hOREE0TlRFME9Wb1hEVE15TURneE1UQTROVEUwT1Zvd0ZURVRNQkVHQTFVRQpBeE1LYTNWaVpYSnVaWFJsY3pDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBTjArCnRMOWhZWjFRSVZoYnlPQ0xsN0hOd21OT3FxeW9BUHAxdjRUaDJrZnhZVHptUnppc3VSdm1BOS9DL2JJdEE4cDEKR3JWcEhXWitvL1VUYU9zUjlOcmc5S2NBREdQcVAzbkFFeDNRSVRpaTZ1TWYvUFVvU09kUHRJbjRUOUVTVGM2MApsYWV1dE9RN1hBV1JmQ2N3cHA4cUFHWWM5QXkveGc4SDlxaVA5eHJtekRWeFl6UUdOUk5jQkNTR2huQkJ1WnhoCjVqLzFHUHZ5a2x4VWhLTGZEdTBTNVRCT0ZjcjNxU0FzNnl4alFmeCtLU0lVNmVqNkdEL1JYSm12UVNPMlI4b1oKVk1pcnRqK2NVR3EvUVErWXVMS1lXSWc5M255YWl3QXpCbzVkd2UyZ2NtemRBT2ZWRGJFVWw4anJQM2dTQ1EvVwpNTzdROVpZejRIUytkbXY1YXA4Q0F3RUFBYU1qTUNFd0RnWURWUjBQQVFIL0JBUURBZ0trTUE4R0ExVWRFd0VCCi93UUZNQU1CQWY4d0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFBNngwUlNvaUdoTFU5TTVWNUV5Ymw4eDdCbksKb3ZqcHcwRndpM0dyZHkyczRYdzBMZEtXZDdlcmZKR2JyMk1WZm1FQ1lERTVLblJuVkF3WE9yQ1pueWNSTmhrSwpmNGc5SDZuMHQxam95T2piT1NKZkdHVWVnb01OaW1HREFYT3RrcDFyS1FNOU5CRkdBcW9YeUFDTXdWN0N5Q1BjClp0alh2MWlLcVJkSEEyam83ZU11VTRLMkMvRFlKTFNSVkcwSStjamRuYzN2a0hoMjBvaDVPdTR3NUhHRWhrci8KTjdCdVhwN2pRM1BKUjhUQmluWmxMS0JJZEdsOVNYay9ad29Fd1V3YzNMdFlrRGNjeVhuZmdkMmJORjVOYkVFbwo4Qm5WdnR6K1JSd0hFUUdFTTRDT0t1OWFHUHlUNFdmYU83bSsxaDhBYXBENVRYOVY0TTI3SHFpVnVWUT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
    server: https://apiserver.demo:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: xadocker4
  name: xadocker4@kubernetes
current-context: xadocker4@kubernetes
kind: Config
preferences: {}
users:
- name: xadocker4
  user:
    client-certificate-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUMyRENDQWNDZ0F3SUJBZ0lRTUpZVU1SS3dQcTVaYjhuWXpxdUNuREFOQmdrcWhraUc5dzBCQVFzRkFEQVYKTVJNd0VRWURWUVFERXdwcmRXSmxjbTVsZEdWek1CNFhEVEl5TURneU1qRXpOVFl5TVZvWERUSXpNRGd5TWpFegpOVFl5TVZvd0ZERVNNQkFHQTFVRUF4TUplR0ZrYjJOclpYSTBNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DCkFROEFNSUlCQ2dLQ0FRRUF4K0hZNVN1VVduV0ZvY0NjYWdVeUhOejRpVjVEOTRyMFE5MExDZUJHMUxYRWVRTWgKUjdiNVIxSGUwN2NXcFNVSW8vM21GUjZFbmRxMC9abFpxWi80SGtBeE0wR24zT3NLU1RCcFcveEZXOFFWeDY2QgpRZkY5SER1blF0cHlPTlpRam10RkFxSmJzZDV6QlVMd2lIVnhOWmFIMVRPenE0b2cvNVZiNVZvSXYzOXA1T1h3CmJGNGd3U0NUVWFDVHJ2S0pzbVVhalcwcWdOblAxKysrU2VaQk5Za3VCQkU4QkFReGFzVGxzWXhxUWVzYmZhY0sKVTBFbDRFMWdhcFN0UkJYYy85ejNxRjkvWTQwZnFFbm9OekVFbWEwczBrQ2xhdk82SGd1T0lBdWpIS0p5VG1WQQpWWWw0L2R2NjBwTDh4Ylpmdm5UazB5bllXcXRqVW5VS0dONVhhd0lEQVFBQm95VXdJekFUQmdOVkhTVUVEREFLCkJnZ3JCZ0VGQlFjREFqQU1CZ05WSFJNQkFmOEVBakFBTUEwR0NTcUdTSWIzRFFFQkN3VUFBNElCQVFBYzJlbHAKNUVYNVZrd0NmcTFoK0NhUHlnK2xrR21CNmV3NE9PRmdrUXhsYjdVd3AzdUVDbEVhYjZBcktMUkYyMTRVbEJFUApub0NZVmVONHVRRWRUa2RJTGRhcUJUMnZOR3RxdXNEblUxT0o0WTBSU2Z2bHVoZm9acjIvdW5PVlh4M3MxdlQ2CmFET2dGWFdWRGkyb1luRXBSZVN2YzV6YytPekFOaTFucHRPWTVRZ09pb296cXJva3ZSQytwNkZCdjUvSnJqUW8KVzFMcmRMek52enY0YVowNXVNMHQreFNuQzZKU2pHSDN4eFNHKzd0aE9vTWk3dzVQZXR1SlBpeWJWaXpjT0FOVAo4R1hqcEpNUm1OblNrNi9xU2tOUzZUMDVNaW4zcnFRY292N0ZpZDIxNG1YN0xxcEkzdEFNSUo5NjczR0FJVVU5CmdOYUd1bE10Y25ack1XYUwKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
    client-key-data: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb3dJQkFBS0NBUUVBeCtIWTVTdVVXbldGb2NDY2FnVXlITno0aVY1RDk0cjBROTBMQ2VCRzFMWEVlUU1oClI3YjVSMUhlMDdjV3BTVUlvLzNtRlI2RW5kcTAvWmxacVovNEhrQXhNMEduM09zS1NUQnBXL3hGVzhRVng2NkIKUWZGOUhEdW5RdHB5T05aUWptdEZBcUpic2Q1ekJVTHdpSFZ4TlphSDFUT3pxNG9nLzVWYjVWb0l2MzlwNU9YdwpiRjRnd1NDVFVhQ1RydktKc21VYWpXMHFnTm5QMSsrK1NlWkJOWWt1QkJFOEJBUXhhc1Rsc1l4cVFlc2JmYWNLClUwRWw0RTFnYXBTdFJCWGMvOXozcUY5L1k0MGZxRW5vTnpFRW1hMHMwa0NsYXZPNkhndU9JQXVqSEtKeVRtVkEKVllsNC9kdjYwcEw4eGJaZnZuVGsweW5ZV3F0alVuVUtHTjVYYXdJREFRQUJBb0lCQURlZVJIZ2dWRHVIa0JPZQpRT2ZQWWs1ZHZscWEvRmFaTjdiYWZ3UFVnR0VYNHYrNU96MTFVSS9qM0JrVlRSdk8za1NqbGE0eXU3d2c2MVBWCm8vbHJKZU5sQVV1OTdUT3Z3MER5VTU3ZzUzdk5hRElVQUt1VXdyZGtjZnBNUnBSQ0xsQXkwUlVXa0dWQi9NZHUKQlBnemxialBsaVJoS3BHRThnR3NVZEhUNTdOQkJwaHFqME50RUI4dkhCSTZpaUlPczRLRFlRdWhubktBMHZ2VwpReVZZeUVXcnhIVEh2cmdoeDNLM1VGSzlFR0NjTmZieDNHV0NaSEI0cWczTmVvMDFZbHRhMUlUWDJad21nSzJWCk5wVFk3SHcwUXJxT3lESENnOWJIajdtVE5rS2pSSGM1Y241WWRHRmR1K1hQeEhySkNzZU5rYlMzcmgwTGRFUXIKOXhUUHgyRUNnWUVBOXlVdnhwamc4Z0pvbUFJZmZSQ1lHOUZVTjBaVUZqeXcyU3ZYZ2FUaDhhTGVRNE1FbHBMZwp5cUdtOEY2ZXdkK0tIZTQyV2twVGxmajJjdjlyK0pyYUc1UGhhbktPZkg0QmMwZkY0RVRka09sVVZoZ0xIdnFHClJDci91bWdpMUVPL080Wis1VWs3TGpFeExsajQ3VE9lc2RQTUdjMm4zOHArOTdFZ2xiVjVUMmNDZ1lFQXp3c3EKSDRXMmhWUTFObXVuLzBBc2F3M3lrbEhKSlEzZTRKaFB1dUdiU0ZuWE1NeXZLTHFGMTlCZ3l4L2R1UW5DL3pOYQpMZjZBSmoyRXRta1dnZHlBYjdXVkJNT0taSm92NklQcjZVSWdPTk0xRmFLTUw2ejZjQWtDbzVSaE01MkRRdnkyCmJ1M1VaeE1xVGI2c25YMGdUZzVCVjVoKzlJS1FCRkNGNFNVaktWMENnWUVBcjk4eG9XVDNacURhSjVvVEtGK2YKcnVRR3h4THdFYWI4dm42WmJIT1dLZXNadWZkSlU1R1FFQUo3RnNCdXYwNUJMazF2TmsrQUxkQXVLT1drd3hRSApNK3JIVllYUjZidU5jcWpYb21HL1Bqa2N2K3Q2Tm9CVy9ibVBvK29wSnQ1Uy9wd1dQem9ldUI5ZmZUanBZM3NCCmFsQnJCTTI1c2VLYStjNTlmcXZXZU84Q2dZQStJMWFvRVVSZkxZK3UzbzZULzltVTQ2RzZva3NoRU5Ha1RISVoKWDE1d1QyNVRHZ3N6eVE4a1gwaTlqYm5Jc0JKUzcwR1Fia0pkdDdiZDNCcENMVUJxeG0rTDkzZlFpNm4zT2FpUwo0Q0sxaTBYeVVVK0xlM25LS0JvZnFBZW9Ld3piRE9kZjBZY2V6RlMwOHBYeHlqem8wRVJ5R3JWM2dydmdYNTVlCm5QdTVqUUtCZ0EyaW9Nd2V0V3Z1M2NLTHcyQU9KTDBrYlpIa2sxOGZSS1F4LzFIbUtPUGtvUjE0V2l0Vm1yZ0EKSnpGajJSTUNpaFdiZ3pZMTloL2ZlT3BkV1gzdXhFV2F2SmZ2K3E2UmdxbnVXaWt3VkZhZ1VsVXNEUGFZVWo4Qgptdm81QlBXWWlyd0dPUGliYkE1YlRMaUdGS29DTU1BMFhBL0lRTEpKVFp2ZFlsQStlRm8yCi0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tCg==
    token: eyJhbGciOiJSUzI1NiIsImtpZCI6IlhwVm1DT2N6NVgwaERja3ZPa3NIQjAweFlGSm5nalh2T1JPOVV3RlVLNlUifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6InhhZG9ja2VyNC10b2tlbi01cXNiNiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJ4YWRvY2tlcjQiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiIyZjMxOTMwNC1hMDE1LTRkMzUtYTg0Mi0zYTZmZTAwZDAzODMiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6ZGVmYXVsdDp4YWRvY2tlcjQifQ.Z_lTX2p5ZdcTkDdLyGKd7j8hy63VKa0N5Sj0E9r8JLGB_nkpYtoA7M-NAyecboFMfBz0Oc1WbnJR-hlZep0MgaA2jageK14mwMdmNOURuxD6UTeCgAnM8tpliaKIrtFWvi1Aa-E1DwalKOSlbTIMN1_KOfUhXg0aBftzRZv6O2zSmvxgadVbOh8PQHn5rGbmAFG7GO54VejDOqjS4uVvaoRSbabZKJVT11qG1pNs7YDI_AovVfCiLsB09HkoTDLiAPRLlmuAiyxw1KydB9h-TAwsfEiI9RXOsGJtOgtX_DE6fZwBwjoeqoEZ-VsQoghQZpuOmIakB1ReLxd7xRjqgg

测试验证权限

[root@k8s-master xadocker4.cPJiUwYK]# ll
total 28
-rw-r--r-- 1 root root 6294 Aug 22 22:01 config.xadocker4
-rw-r--r-- 1 root root 1046 Aug 22 22:01 xadocker4.crt
-rw-r--r-- 1 root root  891 Aug 22 22:01 xadocker4.csr
-rw-r--r-- 1 root root 1382 Aug 22 22:01 xadocker4-csr.yaml
-rw-r--r-- 1 root root 1675 Aug 22 22:01 xadocker4.key
-rw-r--r-- 1 root root 1176 Aug 22 22:01 xadocker4-rbac.yaml
[root@k8s-master xadocker4.cPJiUwYK]# kubectl get all -n default --kubeconfig=config.xadocker4
NAME                           READY   STATUS    RESTARTS   AGE
pod/grafana-5c858fffcb-drkh8   1/1     Running   2          3d22h

NAME                 TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)                          AGE
service/grafana      NodePort    10.96.172.204   <none>        80:31230/TCP                     3d22h
service/jenkins      NodePort    10.96.115.162   <none>        8080:32593/TCP,50000:31243/TCP   6d23h
service/kubernetes   ClusterIP   10.96.0.1       <none>        443/TCP                          8d

NAME                      READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/grafana   1/1     1            1           3d22h

NAME                                 DESIRED   CURRENT   READY   AGE
replicaset.apps/grafana-5c858fffcb   1         1         1       3d22h

正文完
 1
xadocker
版权声明:本站原创文章,由 xadocker 2022-06-09发表,共计15267字。
转载说明:除特殊说明外本站文章皆由CC-4.0协议发布,转载请注明出处。
评论(2 条评论)
luckfiy 评论达人 LV.1
2022-10-07 14:37:41 回复

可以,正好在捣腾k8s用户权限

 Windows  Chrome  中国广东省广州市电信
    Avatar photo
    xadocker 博主
    2022-10-07 14:40:33 回复

    @luckfiy 嗯,但是这个方式还是不够优雅,低版本集群scr只能创建一年证书,看来只有用openssl方式去创建短时间的证书

     Windows  Chrome  中国广东省广州市电信