Mainly a record of the scripts I wrote to piece together a kubeconfig.
Since this is hard to turn into something properly configurable, for now I just keep the scripts here and tweak them as needed.
Using a ServiceAccount token
```bash
#!/usr/bin/env bash
# Create a read-only ServiceAccount plus ClusterRole/ClusterRoleBinding and
# emit a kubeconfig that authenticates with the ServiceAccount's token.
NAME=${NAME:-"readonly-kubeconfig"}
NAMESPACE=${NAMESPACE:-"default"}

kubectl apply -f - 1>&2 <<EOF
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ${NAME}
  namespace: ${NAMESPACE}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ${NAME}
rules:
- apiGroups:
  - "*"
  resources:
  - "*"
  verbs:
  - "get"
  - "list"
  - "watch"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ${NAME}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ${NAME}
subjects:
- kind: ServiceAccount
  name: ${NAME}
  namespace: ${NAMESPACE}
---
EOF

# The auto-generated token Secret only exists on clusters before v1.24; newer
# clusters need a kubernetes.io/service-account-token Secret created by hand.
SECRET_NAME="$(kubectl get sa -n "${NAMESPACE}" "${NAME}" -o 'jsonpath={$.secrets[0].name}')"
if [ -z "${SECRET_NAME}" ]; then
  echo "no token Secret found for ServiceAccount ${NAMESPACE}/${NAME}" 1>&2
  exit 1
fi
# certificate-authority-data stays base64-encoded; the token must be decoded.
CA_CRT="$(kubectl get secret -n "${NAMESPACE}" "${SECRET_NAME}" -o 'jsonpath={$.data.ca\.crt}')"
TOKEN="$(kubectl get secret -n "${NAMESPACE}" "${SECRET_NAME}" -o 'jsonpath={$.data.token}' | base64 --decode)"

# Default to the API server address published in the kube-public cluster-info ConfigMap.
APISERVER_ADDRESS=${APISERVER_ADDRESS:-"$(kubectl get cm -n kube-public cluster-info -o yaml | grep 'server: ' | sed 's/server: //' | sed 's/ *//g')"}

cat <<EOF
apiVersion: v1
kind: Config
current-context: ${NAME}
clusters:
- cluster:
    certificate-authority-data: ${CA_CRT}
    server: ${APISERVER_ADDRESS}
  name: ${NAME}
contexts:
- context:
    cluster: ${NAME}
    user: ${NAME}
  name: ${NAME}
users:
- name: ${NAME}
  user:
    token: ${TOKEN}
EOF
```
Signing a certificate through a CSR
```bash
#!/usr/bin/env bash
# Generate a client key and CSR, have the cluster sign it through the
# CertificateSigningRequest API, and emit a kubeconfig using the signed cert.
NAME=${NAME:-"readonly-kubeconfig"}

openssl genrsa -out "${NAME}.key" 2048
# CN becomes the Kubernetes user name; the CSR goes into the API object base64-encoded.
CSR="$(openssl req -new -key "${NAME}.key" -subj "/CN=${NAME}" | base64 | tr -d '\n')"

# A CSR object's spec is immutable, so drop any stale one with the same name first.
kubectl delete csr "${NAME}" --ignore-not-found 1>&2

# certificates.k8s.io/v1beta1 was removed in Kubernetes 1.22; v1 requires signerName.
kubectl apply -f - 1>&2 <<EOF
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ${NAME}
rules:
- apiGroups:
  - "*"
  resources:
  - "*"
  verbs:
  - "get"
  - "list"
  - "watch"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ${NAME}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ${NAME}
subjects:
- kind: User
  name: ${NAME}
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: ${NAME}
spec:
  request: ${CSR}
  signerName: kubernetes.io/kube-apiserver-client
  usages:
  - client auth
---
EOF

kubectl certificate approve "${NAME}" 1>&2

# Cluster CA from the kube-root-ca.crt ConfigMap; the kubeconfig wants it base64-encoded.
CA_CRT="$(kubectl get cm -n kube-public kube-root-ca.crt -o 'jsonpath={$.data.ca\.crt}' | base64 | tr -d '\n')"
# The signer fills status.certificate asynchronously (already base64); wait for it.
CLIENT_CRT=""
until [ -n "${CLIENT_CRT}" ]; do
  sleep 1
  CLIENT_CRT="$(kubectl get csr "${NAME}" -o 'jsonpath={$.status.certificate}')"
done
CLIENT_KEY="$(base64 < "${NAME}.key" | tr -d '\n')"

# Default to the API server address published in the kube-public cluster-info ConfigMap.
APISERVER_ADDRESS=${APISERVER_ADDRESS:-"$(kubectl get cm -n kube-public cluster-info -o yaml | grep 'server: ' | sed 's/server: //' | sed 's/ *//g')"}

cat <<EOF
apiVersion: v1
kind: Config
current-context: ${NAME}
clusters:
- cluster:
    certificate-authority-data: ${CA_CRT}
    server: ${APISERVER_ADDRESS}
  name: ${NAME}
contexts:
- context:
    cluster: ${NAME}
    user: ${NAME}
  name: ${NAME}
users:
- name: ${NAME}
  user:
    client-certificate-data: ${CLIENT_CRT}
    client-key-data: ${CLIENT_KEY}
EOF
```
In the -subj argument used to generate the CSR, the CN field becomes the Kubernetes User and the O field becomes the Group.
Signing a certificate with the CA private key
The overall flow is the same as the previous one; the only difference is that the certificate is no longer signed through the Kubernetes CSR resource but directly with the cluster's CA private key. This requires a high level of privilege and is not recommended.
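The CA-key variant described above, together with the CN/O mapping noted under the CSR script, as an added example that is not part of the original post. It creates a constructed throwaway CA so that it runs offline; against a real cluster, set CA_CRT and CA_KEY to the cluster CA files (kubeadm keeps them under /etc/kubernetes/pki) and APISERVER_ADDRESS to the real endpoint, which here defaults to a placeholder. The function names, WORKDIR and KUBE_GROUPS are my own and not from the post.

```bash
#!/usr/bin/env bash
# Added example, not the post's script: sign a client certificate directly with
# the CA key and assemble a kubeconfig from it. CN is the Kubernetes user, every
# O= value is a group. Assumptions: openssl and base64 on PATH; CA_CRT/CA_KEY
# point at the cluster CA (kubeadm default: /etc/kubernetes/pki/ca.crt, ca.key).
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
CA_CRT="${CA_CRT:-$WORKDIR/ca.crt}"
CA_KEY="${CA_KEY:-$WORKDIR/ca.key}"
APISERVER_ADDRESS="${APISERVER_ADDRESS:-https://127.0.0.1:6443}"   # placeholder

# Constructed throwaway CA so the example runs offline. Skipped when CA_KEY
# already exists, i.e. when a real cluster CA has been supplied.
make_demo_ca() {
  if [ ! -f "$CA_KEY" ]; then
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
      -keyout "$CA_KEY" -out "$CA_CRT" -subj "/CN=demo-kubernetes-ca" 2>/dev/null
  fi
}

# build_subject alice dev auditors  ->  /CN=alice/O=dev/O=auditors
build_subject() {
  local subj="/CN=$1"
  shift
  for g in "$@"; do subj="$subj/O=$g"; done
  printf '%s' "$subj"
}

# Issue a client certificate for user $1 in groups $2..; prints the cert path.
issue_client_cert() {
  local name="$1"
  shift
  local key="$WORKDIR/$name.key" csr="$WORKDIR/$name.csr"
  local crt="$WORKDIR/$name.crt" ext="$WORKDIR/$name.ext"
  openssl genrsa -out "$key" 2048 2>/dev/null
  openssl req -new -key "$key" -subj "$(build_subject "$name" "$@")" -out "$csr" 2>/dev/null
  # The API server only accepts client certificates carrying the clientAuth EKU.
  printf 'extendedKeyUsage=clientAuth\nbasicConstraints=CA:FALSE\n' > "$ext"
  openssl x509 -req -in "$csr" -CA "$CA_CRT" -CAkey "$CA_KEY" -CAcreateserial \
    -days 365 -extfile "$ext" -out "$crt" 2>/dev/null
  printf '%s' "$crt"
}

# Sanity checks before handing the file out: the cert chains to the CA and
# the subject carries the expected user and groups.
verify_client_cert() {
  openssl verify -CAfile "$CA_CRT" "$1" >/dev/null 2>&1
}
cert_subject() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253
}

# Assemble the kubeconfig on stdout, same layout as the post's scripts.
write_kubeconfig() {
  local name="$1" crt="$2" key="$3"
  local ca_b64 crt_b64 key_b64
  ca_b64="$(base64 < "$CA_CRT" | tr -d '\n')"
  crt_b64="$(base64 < "$crt" | tr -d '\n')"
  key_b64="$(base64 < "$key" | tr -d '\n')"
  cat <<EOF
apiVersion: v1
kind: Config
current-context: ${name}
clusters:
- cluster:
    certificate-authority-data: ${ca_b64}
    server: ${APISERVER_ADDRESS}
  name: ${name}
contexts:
- context:
    cluster: ${name}
    user: ${name}
  name: ${name}
users:
- name: ${name}
  user:
    client-certificate-data: ${crt_b64}
    client-key-data: ${key_b64}
EOF
}

# Usage: NAME=alice KUBE_GROUPS="readers auditors" ./sign-with-ca.sh > alice.kubeconfig
main() {
  local name="${NAME:-readonly-kubeconfig}" crt
  make_demo_ca
  # KUBE_GROUPS is deliberately unquoted: one group per whitespace-separated word.
  crt="$(issue_client_cert "$name" ${KUBE_GROUPS:-})"
  verify_client_cert "$crt"
  write_kubeconfig "$name" "$crt" "$WORKDIR/$name.key"
}

command -v openssl >/dev/null 2>&1 || { echo "openssl is required" 1>&2; exit 1; }
main
```

Whoever runs this holds the CA key and can mint any identity, including members of system:masters, and the API server has no certificate revocation, so a certificate issued this way stays valid until it expires. That is why the CSR flow, where each request is approved through the API and shows up in the audit log, is the better default; keep the CA key on the control plane and use this path only when the CSR API is unavailable.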