Managing the configuration of multiple Kubernetes clusters:

First, create a template with the following commands:

# uat
kubectl config set-cluster uat --server=https://uat-master:6443 --certificate-authority="" --kubeconfig=config
kubectl config set-credentials uat --client-certificate="" --client-key="" --kubeconfig=config
kubectl config set-context uat --cluster=uat --user=uat --kubeconfig=config
kubectl config use-context uat --kubeconfig=config

# prd
kubectl config set-cluster prd --server=https://prd-master:6443 --certificate-authority="" --kubeconfig=config
kubectl config set-credentials prd --client-certificate="" --client-key="" --kubeconfig=config
kubectl config set-context prd --cluster=prd --user=prd --kubeconfig=config
kubectl config use-context prd --kubeconfig=config

The resulting file looks like this:

apiVersion: v1
clusters:
- cluster:
    certificate-authority: .
    server: https://uat-master:6443
  name: uat
- cluster:
    certificate-authority: .
    server: https://prd-master:6443
  name: prd
contexts:
- context:
    cluster: uat
    user: uat
  name: uat
- context:
    cluster: prd
    user: prd
  name: prd
current-context: prd
kind: Config
preferences: {}
users:
- name: uat
  user:
    client-certificate: .
    client-key: .
- name: prd
  user:
    client-certificate: .
    client-key: .

Replace certificate-authority, client-certificate and client-key with certificate-authority-data, client-certificate-data and client-key-data, and replace each "." with the corresponding key material (these -data fields take the base64-encoded file contents). If you have the certificate files, you can simply point to them when creating the config.

Create shortcuts:

cat >> ~/.bashrc <<EOF
alias prd='kubectl config use-context prd'
alias uat='kubectl config use-context uat'
EOF

Switch clusters:

~$ uat
Switched to context "uat".


Creating an account with only partial permissions:

A cluster normally already has the view, edit and cluster-admin clusterroles; to build a custom set of permissions, export one of them and edit it.

kubectl get clusterrole view -o yaml > setimageclusterrole.yaml

Add the following block, and set metadata.name to setimage (the name the clusterrolebinding below refers to). It adds permission to edit deployments resources, which can be used for releases and similar operations.

- apiGroups:
  - apps
  resources:
  - deployments
  verbs:
  - create
  - patch
  - update

Alternatively, start from edit and remove the delete and deletecollection verbs from the resource file, so that only edit permissions remain.

kubectl get clusterrole edit -o yaml > clusterrole-edit.yaml

Create the serviceaccount:

kubectl create serviceaccounts setimage

Create the secret: in Kubernetes 1.24 the Secret has to be created manually.

cat > setimage-secret.yaml <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: setimage
  annotations:
    kubernetes.io/service-account.name: setimage
type: kubernetes.io/service-account-token
EOF
kubectl apply -f setimage-secret.yaml

Create the clusterrolebinding:

kubectl create clusterrolebinding setimage --clusterrole=setimage --serviceaccount=default:setimage

Bind the token into a kubeconfig:

View the token:

[root@master loan]# kubectl describe sa setimage
Name:                setimage
Namespace:           default
Labels:              <none>
Annotations:         <none>
Image pull secrets:  <none>
Mountable secrets:   <none>
Tokens:              setimage # this is the token to look at
Events:              <none>
[root@master loan]# kubectl describe secrets setimage # copy the long string in the token field

Create the config file:

kubectl --kubeconfig=kubeconfig config set-cluster kubernetes --server="https://192.168.1.31:6443" --certificate-authority=""
kubectl --kubeconfig=kubeconfig config set-credentials customconfig --token="eyJhbGci......emxC6A"
kubectl --kubeconfig=kubeconfig config set-context customconfig@kubernetes --cluster=kubernetes --user=customconfig
kubectl --kubeconfig=kubeconfig config use-context customconfig@kubernetes

Paste it into the token field of the kubeconfig:

#!/bin/bash
# Arguments: API server URL, base64-encoded certificate-authority-data, service-account token.
# Writes a kubeconfig for the setimage service account to /root/.kube/config.

SERVER=$1
CERTIFICATE_AUTHORITY_DATA=$2
TOKEN=$3

mkdir -pv /root/.kube/
cat > /root/.kube/config <<EOF
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: $CERTIFICATE_AUTHORITY_DATA
    server: $SERVER
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: setimage
  name: setimage@kubernetes
current-context: setimage@kubernetes
kind: Config
preferences: {}
users:
- name: setimage
  user:
    token: $TOKEN
EOF
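A hardened variant of the script above, added here as an example and not part of the original post: it checks that the certificate-authority-data value really is base64-encoded PEM and that the token has the shape of a JWT before writing the kubeconfig (to stdout rather than /root/.kube/config), and adds a kubectl auth can-i check that the setimage account can patch but not delete deployments. The function names and the deployments.apps checks are this example's own, not anything from the post.

```shell
# Added example, not from the original post: build the setimage kubeconfig
# from the post's three inputs, validating them first, and check effective rights.
set -eu

# 0 if $1 is base64 that decodes to a PEM certificate; pasting the raw PEM
# (or a file path) into certificate-authority-data is the usual mistake.
is_pem_ca_data() {
  local pem
  pem=$(printf '%s' "$1" | base64 -d 2>/dev/null) || return 1
  case $pem in *"BEGIN CERTIFICATE"*) return 0 ;; *) return 1 ;; esac
}

# 0 if $1 has the shape of a service-account JWT (three base64url segments).
looks_like_jwt() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$'
}

# Print a token kubeconfig to stdout. Args: server ca_data token [user] [context]
render_token_kubeconfig() {
  local server="$1" ca_data="$2" token="$3" user="${4:-setimage}" ctx="${5:-setimage@kubernetes}"
  is_pem_ca_data "$ca_data" || { echo "ca_data is not base64-encoded PEM" >&2; return 1; }
  looks_like_jwt "$token" || { echo "token does not look like a JWT" >&2; return 1; }
  cat <<EOF
apiVersion: v1
kind: Config
clusters:
- name: kubernetes
  cluster:
    server: $server
    certificate-authority-data: $ca_data
users:
- name: $user
  user:
    token: $token
contexts:
- name: $ctx
  context:
    cluster: kubernetes
    user: $user
current-context: $ctx
EOF
}

# Least-privilege check against a live cluster (kubectl auth can-i exits 0 for
# "yes", 1 for "no"): patching deployments must work, deleting them must not.
verify_setimage_rights() {
  kubectl --kubeconfig="$1" auth can-i patch deployments.apps
  ! kubectl --kubeconfig="$1" auth can-i delete deployments.apps
}
```

Feed it the values from the Secret created above, for example CA_DATA=$(kubectl get secret setimage -o jsonpath='{.data.ca\.crt}') and TOKEN=$(kubectl get secret setimage -o jsonpath='{.data.token}' | base64 -d), then run render_token_kubeconfig "$SERVER" "$CA_DATA" "$TOKEN" > kubeconfig followed by verify_setimage_rights kubeconfig.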