管理多个kubernetes集群的配置:

先使用命令创建出一个模板:

# Write a two-cluster kubeconfig template to ./config: one cluster, one user
# and one context per environment. The empty certificate/key arguments are
# deliberate placeholders that are filled in afterwards. Because prd is
# processed last, the final use-context leaves current-context at prd.
for env in uat prd; do
  kubectl config set-cluster "$env" --server="https://${env}-master:6443" --certificate-authority="" --kubeconfig=config
  kubectl config set-credentials "$env" --client-certificate="" --client-key="" --kubeconfig=config
  kubectl config set-context "$env" --cluster="$env" --user="$env" --kubeconfig=config
  kubectl config use-context "$env" --kubeconfig=config
done

得到的内容如下:

# Template as written by the kubectl config commands above (file "config" in
# the current directory). The empty --certificate-authority /
# --client-certificate / --client-key arguments show up as the placeholder
# path "."; before use, rename each of these keys to its *-data variant
# (certificate-authority-data, client-certificate-data, client-key-data) and
# put the base64-encoded certificate or key there, or pass real file paths to
# the kubectl commands instead of "".
apiVersion: v1
clusters:
- cluster:
    certificate-authority: .  # placeholder -> certificate-authority-data
    server: https://uat-master:6443
  name: uat
- cluster:
    certificate-authority: .  # placeholder -> certificate-authority-data
    server: https://prd-master:6443
  name: prd
contexts:
- context:
    cluster: uat
    user: uat
  name: uat
- context:
    cluster: prd
    user: prd
  name: prd
current-context: prd  # set by the last use-context call above
kind: Config
preferences: {}
users:
- name: uat
  user:
    client-certificate: .  # placeholder -> client-certificate-data
    client-key: .  # placeholder -> client-key-data
- name: prd
  user:
    client-certificate: .  # placeholder -> client-certificate-data
    client-key: .  # placeholder -> client-key-data

把 certificate-authority、client-certificate、client-key 分别替换成 certificate-authority-data、client-certificate-data、client-key-data，并将占位的点“.”替换成对应证书或密钥的内容（base64 编码）。如果已经有证书文件，也可以在创建配置时直接指定证书路径，而不是传空值。

创建快捷方式:

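# Shell shortcuts for switching context. The contexts created above are named
# "uat" and "prd" -- there is no "pro" context -- so the pro alias must target
# prd or it fails with "no context exists with the name: pro". Append to the
# home-directory .bashrc explicitly so this works from any working directory.
# Assumes the filled-in template is the default kubeconfig (~/.kube/config or
# $KUBECONFIG); otherwise add --kubeconfig=<path> to both commands.
cat >> ~/.bashrc <<'EOF'
alias pro='kubectl config use-context prd'
alias uat='kubectl config use-context uat'
EOF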

切换集群:

~$ uat
Switched to context "uat".


创建只有部分权限的账号:

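# ClusterRole "setimage": read-only visibility into workload objects plus a
# single write verb, patch on apps/deployments (presumably what `kubectl set
# image deployment/...` needs -- confirm against the intended tooling).
# RBAC rules are additive, so the 56 rules of the original manifest (a
# separate rule per verb for every */status subresource) are merged into one
# read-only rule per API group; the granted permission set is unchanged and
# the one write permission is now easy to spot on review.
# Bound with a ClusterRoleBinding (see below) this applies in every namespace,
# including read access to pods/log; binding it with a RoleBinding in a single
# namespace narrows the scope without changing this role.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: setimage
rules:
# core API group: read-only
- apiGroups:
  - ""
  resources:
  - bindings
  - configmaps
  - endpoints
  - events
  - limitranges
  - namespaces
  - namespaces/status
  - persistentvolumeclaims
  - persistentvolumeclaims/status
  - pods
  - pods/log
  - pods/status
  - replicationcontrollers
  - replicationcontrollers/scale
  - replicationcontrollers/status
  - resourcequotas
  - resourcequotas/status
  - serviceaccounts
  - services
  - services/status
  verbs:
  - get
  - list
  - watch
# apps: read-only
- apiGroups:
  - apps
  resources:
  - controllerrevisions
  - daemonsets
  - daemonsets/status
  - deployments
  - deployments/scale
  - deployments/status
  - replicasets
  - replicasets/scale
  - replicasets/status
  - statefulsets
  - statefulsets/scale
  - statefulsets/status
  verbs:
  - get
  - list
  - watch
# the only write permission in this role
- apiGroups:
  - apps
  resources:
  - deployments
  verbs:
  - patch
# autoscaling: read-only
- apiGroups:
  - autoscaling
  resources:
  - horizontalpodautoscalers
  - horizontalpodautoscalers/status
  verbs:
  - get
  - list
  - watch
# batch: read-only
- apiGroups:
  - batch
  resources:
  - cronjobs
  - cronjobs/status
  - jobs
  - jobs/status
  verbs:
  - get
  - list
  - watch
# extensions (legacy group): read-only
- apiGroups:
  - extensions
  resources:
  - daemonsets
  - daemonsets/status
  - deployments
  - deployments/scale
  - deployments/status
  - ingresses
  - ingresses/status
  - networkpolicies
  - replicasets
  - replicasets/scale
  - replicasets/status
  - replicationcontrollers/scale
  verbs:
  - get
  - list
  - watch
# policy: read-only
- apiGroups:
  - policy
  resources:
  - poddisruptionbudgets
  - poddisruptionbudgets/status
  verbs:
  - get
  - list
  - watch
# networking.k8s.io: read-only
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses
  - ingresses/status
  - networkpolicies
  verbs:
  - get
  - list
  - watch
# metrics.k8s.io: read-only pod and node metrics
- apiGroups:
  - metrics.k8s.io
  resources:
  - pods
  - nodes
  verbs:
  - get
  - list
  - watch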

创建serviceaccount:

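# ServiceAccount the restricted kubeconfig authenticates as. The subcommand is
# "serviceaccount" (singular, alias "sa"). The namespace is given explicitly
# because the ClusterRoleBinding below references default:setimage; relying on
# the current context's namespace would silently break that reference.
kubectl create serviceaccount setimage -n default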

创建 Secret：在 k8s 1.24 版本中，ServiceAccount 的 token Secret 不再自动生成，需要手动创建。

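# Token Secret for the setimage ServiceAccount. Written with ">" rather than
# ">>": appending on a re-run would glue two documents into one file. The
# namespace is stated explicitly to match the default:setimage subject of the
# ClusterRoleBinding below. Applying the manifest is what actually creates the
# Secret; only then does `kubectl describe sa setimage` list the token.
cat > setimage-secret.yaml <<'EOF'
apiVersion: v1
kind: Secret
metadata:
  name: setimage
  namespace: default
  annotations:
    kubernetes.io/service-account.name: setimage
type: kubernetes.io/service-account-token
EOF
kubectl apply -f setimage-secret.yaml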

创建clusterrolebinding:

# Cluster-wide binding: the setimage ServiceAccount in namespace "default"
# receives the ClusterRole in every namespace (including patch on all
# deployments and read of all pod logs). To confine it to one namespace,
# create a RoleBinding in that namespace that references the same ClusterRole
# instead of this ClusterRoleBinding.
kubectl create clusterrolebinding setimage --clusterrole=setimage --serviceaccount=default:setimage

将token绑定到kubeconfig:

查看token:

]# kubectl describe sa setimage 
Name:                setimage
Namespace:           default
Labels:              <none>
Annotations:         <none>
Image pull secrets:  <none>
Mountable secrets:   <none>
Tokens:              setimage # 查看这个token
Events:              <none>
[root@master loan]# kubectl describe secrets setimage # 复制token字段的一长串token

粘贴到kubeconfig的token字段:

# kubeconfig for the setimage ServiceAccount. The token is the one shown by
# `kubectl describe secrets setimage` (Secret type
# kubernetes.io/service-account-token); it is a static bearer credential for
# this cluster, so keep this file private (e.g. chmod 600).
apiVersion: v1
clusters:
- cluster:
    server: https://101.132.170.80:6443
    certificate-authority-data: LS0tLS1......  # base64 CA of the cluster, not the token
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: "kubernetes-admin"  # label only: this user entry carries the setimage token
  name: kubernetes-admin-c378b534fa46a49a6a8f73a69a379c9af
current-context: kubernetes-admin-c378b534fa46a49a6a8f73a69a379c9af
kind: Config
preferences: {}
users:
- name: "kubernetes-admin"  # consider naming it setimage so audits do not mistake it for admin credentials
  user:
    token: eyJhbGci......  # paste the full token; effective rights are those of ClusterRole setimage