k8s创建ServiceAccount生成kubeconfig和token

2022-07-20 142 0

ServiceAccount 会限定命名空间

1. 创建角色权限

# dev-user-role-sa.yaml
# ServiceAccount + namespace-scoped Role + RoleBinding for a developer who is
# confined to the dev-ns namespace. A Role (as opposed to a ClusterRole) can
# only grant access inside metadata.namespace, which is what step 4 verifies.
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: dev-user
  namespace: dev-ns # assumes the development environment lives in 'dev-ns'

---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: dev-user-role
  namespace: dev-ns
rules:
  - apiGroups: [""]
    # NOTE(review): "deployments" is not a core-group resource (it lives in
    # apps/v1 and is covered by the next rule), so that entry has no effect.
    # "secrets" with get/list lets the holder read every Secret in dev-ns,
    # including the service-account tokens of other accounts there; drop it
    # if the developer does not actually need Secret contents.
    resources: ["pods", "services", "deployments", "configmaps", "secrets", "persistentvolumeclaims", "events"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] # full CRUD on core resources
  - apiGroups: ["apps"]
    resources: ["deployments", "replicasets", "statefulsets", "daemonsets"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] # full CRUD on workload resources
  - apiGroups: ["batch"]
    resources: ["jobs", "cronjobs"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] # full CRUD on batch jobs
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingresses", "networkpolicies"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] # full CRUD on networking resources
  - apiGroups: ["autoscaling"]
    resources: ["horizontalpodautoscalers"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] # full CRUD on HPAs
  - apiGroups: [""]
    # Subresources: "get" on pods/log reads container logs, "create" on
    # pods/exec opens an exec session. exec runs with whatever credentials
    # and identity the target pod has, so in effect this grants everything
    # any pod in dev-ns can do; keep it only if interactive debugging is
    # a requirement.
    resources: ["pods/log", "pods/exec"] # view Pod logs and run commands in Pods
    verbs: ["get", "create"]

---
# Binds the namespaced Role to the ServiceAccount. The resulting identity is
# system:serviceaccount:dev-ns:dev-user, as seen in the Forbidden message
# in step 4.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: dev-user-rolebinding
  namespace: dev-ns
subjects:
  - kind: ServiceAccount
    name: dev-user
    namespace: dev-ns
roleRef:
  kind: Role
  name: dev-user-role
  apiGroup: rbac.authorization.k8s.io
# Apply the ServiceAccount, Role and RoleBinding above in one step.
kubectl apply --filename dev-user-role-sa.yaml

2. 创建 Secret 关联 ServiceAccount 生成 Token

# dev-user-token-secret.yaml
# Asks the token controller to mint a legacy, non-expiring ServiceAccount
# token into this Secret; .data.token is filled in asynchronously after
# creation, which is why step 3 reads it back from the Secret rather than
# from the manifest. Recent Kubernetes releases no longer auto-create such
# Secrets for ServiceAccounts, so it is declared explicitly here.
# A token of this type stays valid until the Secret is deleted, so deleting
# the Secret is how access is revoked. When a permanent credential is not
# required, `kubectl create token dev-user -n dev-ns` issues a short-lived
# token instead and needs no Secret at all.
apiVersion: v1
kind: Secret
metadata:
  name: dev-user-token
  namespace: dev-ns
  annotations:
    kubernetes.io/service-account.name: dev-user # bind the token to the dev-user ServiceAccount
type: kubernetes.io/service-account-token
# Create the token Secret; the token controller populates .data.token shortly after.
kubectl apply --filename dev-user-token-secret.yaml

3. 查看 Token

root@k8s-ms-master:~# kubectl -n dev-ns describe serviceaccount dev-user
Name:                dev-user
Namespace:           dev-ns
Labels:              <none>
Annotations:         <none>
Image pull secrets:  <none>
Mountable secrets:   <none>
Tokens:              dev-user-token
Events:              <none>

# token
root@k8s-ms-master:~# kubectl -n dev-ns get secret dev-user-token -o jsonpath="{.data.token}" | base64 -d

方式一:使用 Token 访问 Kubernetes Dashboard
方式二:使用 Kubeconfig 文件

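#!/usr/bin/env bash
# Generate a kubeconfig for a ServiceAccount from the cluster/server/CA of the
# current admin context plus the token stored in its service-account-token
# Secret (step 2). All inputs can be overridden via the environment; the
# defaults reproduce the original dev-ns / dev-user / dev-user-token setup.
#   SA_NAMESPACE  namespace of the ServiceAccount and of the token Secret
#   SA_NAME       ServiceAccount name (also used as the kubeconfig user name)
#   SECRET_NAME   kubernetes.io/service-account-token Secret holding the token
#   OUT_FILE      path of the kubeconfig to write
# Requires kubectl and base64 only: the CA lookup uses jsonpath instead of a
# jq filter built by string interpolation, so jq is no longer needed.
set -euo pipefail

SA_NAMESPACE=${SA_NAMESPACE:-dev-ns}
SA_NAME=${SA_NAME:-dev-user}
SECRET_NAME=${SECRET_NAME:-dev-user-token}
OUT_FILE=${OUT_FILE:-dev-user-kubeconfig.yaml}

# --minify keeps only the cluster referenced by the current context, so index
# 0 is unambiguous; --raw is required or certificate-authority-data is redacted.
CLUSTER_NAME=$(kubectl config view --minify -o jsonpath='{.clusters[0].name}')
API_SERVER=$(kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}')
CLUSTER_CA_CERT=$(kubectl config view --raw --minify \
  -o jsonpath='{.clusters[0].cluster.certificate-authority-data}')

# The Secret stores the token base64-encoded; the kubeconfig wants it decoded.
TOKEN=$(kubectl -n "$SA_NAMESPACE" get secret "$SECRET_NAME" \
  -o jsonpath='{.data.token}' | base64 -d)

# Fail loudly rather than write a kubeconfig with empty fields.
: "${CLUSTER_NAME:?could not read the cluster name from the current context}"
: "${API_SERVER:?could not read the API server URL from the current context}"
: "${CLUSTER_CA_CERT:?no inline certificate-authority-data in the current context}"
: "${TOKEN:?Secret ${SECRET_NAME} has no token yet; the token controller may not have populated it}"

# The file contains a long-lived bearer token: create it owner-readable only.
umask 077
cat <<EOF > "$OUT_FILE"
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: ${CLUSTER_CA_CERT}
    server: ${API_SERVER}
  name: ${CLUSTER_NAME}
contexts:
- context:
    cluster: ${CLUSTER_NAME}
    user: ${SA_NAME}
    namespace: ${SA_NAMESPACE}
  name: ${SA_NAME}-context
current-context: ${SA_NAME}-context
kind: Config
preferences: {}
users:
- name: ${SA_NAME}
  user:
    token: ${TOKEN}
EOF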

4. 测试

结果:只有dev-ns命名空间的权限,其他命名空间没权限

# Exercise the generated kubeconfig; only dev-ns should be reachable.
kubectl --kubeconfig ./dev-user-kubeconfig.yaml get pods --namespace dev-ns

root@k8s-ms-master:~# KUBECONFIG=./dev-user-kubeconfig.yaml kubectl get pods -n dev-ns
No resources found in dev-ns namespace.
root@k8s-ms-master:~# KUBECONFIG=./dev-user-kubeconfig.yaml kubectl get pods -n default
Error from server (Forbidden): pods is forbidden: User "system:serviceaccount:dev-ns:dev-user" cannot list resource "pods" in API group "" in the namespace "default"
