Managing multiple clusters with kubectl kubeconfig
Source: original
Date: 2020-06-11
Author: 脚本小站
Category: Cloud Native
Managing the configuration for several Kubernetes clusters:
First, create a template with the following commands (the empty --certificate-authority, --client-certificate and --client-key values only leave placeholders, which are filled in afterwards):
# uat
kubectl config set-cluster uat --server=https://uat-master:6443 --certificate-authority="" --kubeconfig=config
kubectl config set-credentials uat --client-certificate="" --client-key="" --kubeconfig=config
kubectl config set-context uat --cluster=uat --user=uat --kubeconfig=config
kubectl config use-context uat --kubeconfig=config
# prd
kubectl config set-cluster prd --server=https://prd-master:6443 --certificate-authority="" --kubeconfig=config
kubectl config set-credentials prd --client-certificate="" --client-key="" --kubeconfig=config
kubectl config set-context prd --cluster=prd --user=prd --kubeconfig=config
kubectl config use-context prd --kubeconfig=config
The resulting file looks like this:
apiVersion: v1
clusters:
- cluster:
    certificate-authority: .
    server: https://uat-master:6443
  name: uat
- cluster:
    certificate-authority: .
    server: https://prd-master:6443
  name: prd
contexts:
- context:
    cluster: uat
    user: uat
  name: uat
- context:
    cluster: prd
    user: prd
  name: prd
current-context: prd
kind: Config
preferences: {}
users:
- name: uat
  user:
    client-certificate: .
    client-key: .
- name: prd
  user:
    client-certificate: .
    client-key: .
Replace the certificate-authority, client-certificate and client-key keys with certificate-authority-data, client-certificate-data and client-key-data, and replace each "." placeholder with the corresponding material. The -data variants hold the PEM file base64-encoded on a single line (base64 -w0 ca.crt), not the raw PEM text. If the certificate files are at hand it is simpler to point at them when creating the config, and adding --embed-certs=true to set-cluster and set-credentials makes kubectl embed them as -data fields itself. The file then contains private keys, so keep it owner-readable only (chmod 600).
Create shortcuts for switching (the context created above is named prd, so the alias has to use prd as well):
cat >> ~/.bashrc <<EOF
alias prd='kubectl config use-context prd'
alias uat='kubectl config use-context uat'
EOF
Switch clusters:
~$ uat
Switched to context "uat".
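As an added example (not code from the original post), here is the procedure above done in plain shell: it writes a multi-cluster kubeconfig with every certificate already embedded as a -data field, so there is no "." placeholder to replace by hand, and then checks the result for left-over placeholders and for -data values that do not decode to a PEM block. The cluster names, server URLs, directory layout and the fake PEM files are assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not code from the original post: write a multi-cluster
# kubeconfig with every certificate embedded as a *-data field (the PEM
# file, base64 on one line), which is what replacing the "." placeholders
# amounts to and what `--embed-certs=true` would have done. Names, server
# URLs and the fake PEM files are assumptions for the demo.
set -eu

# PEM file -> single-line base64 (portable; avoids GNU-only `base64 -w0`)
b64_oneline() { base64 < "$1" | tr -d '\n'; }

# write_kubeconfig OUT 'name|https://server:6443|/dir' ...
# /dir must hold ca.crt, client.crt and client.key. One cluster, user and
# context per spec, all sharing the spec's name; the first spec becomes
# current-context.
write_kubeconfig() {
  out=$1; shift
  first=${1%%|*}
  : > "$out"; chmod 600 "$out"        # private keys go in here: owner-only
  {
    printf 'apiVersion: v1\nkind: Config\npreferences: {}\nclusters:\n'
    for spec in "$@"; do
      name=${spec%%|*}; rest=${spec#*|}; server=${rest%%|*}; dir=${rest#*|}
      printf '%s\n' "- name: $name" "  cluster:" "    server: $server" \
        "    certificate-authority-data: $(b64_oneline "$dir/ca.crt")"
    done
    printf 'users:\n'
    for spec in "$@"; do
      name=${spec%%|*}; dir=${spec##*|}
      printf '%s\n' "- name: $name" "  user:" \
        "    client-certificate-data: $(b64_oneline "$dir/client.crt")" \
        "    client-key-data: $(b64_oneline "$dir/client.key")"
    done
    printf 'contexts:\n'
    for spec in "$@"; do
      name=${spec%%|*}
      printf '%s\n' "- name: $name" "  context:" "    cluster: $name" "    user: $name"
    done
    printf 'current-context: %s\n' "$first"
  } > "$out"
}

# check_kubeconfig FILE: fail if a "." placeholder (left by an empty
# --certificate-authority="" etc.) survives, or if any *-data value does
# not decode to a PEM block.
check_kubeconfig() {
  if grep -Eq '^[[:space:]]*(certificate-authority|client-certificate|client-key): \.$' "$1"; then
    echo "check_kubeconfig: placeholder '.' left in $1" >&2
    return 1
  fi
  grep -E '^[[:space:]]*[a-z-]+-data: ' "$1" | while read -r key val; do
    printf '%s' "$val" | base64 -d 2>/dev/null | grep -q -- '-----BEGIN' ||
      { echo "check_kubeconfig: $key does not decode to PEM" >&2; exit 1; }
  done
}

# --- demo on constructed, fake PEM files (not real certificates or keys) ---
work=$(mktemp -d)
for env in uat prd; do
  mkdir -p "$work/$env"
  for f in ca.crt client.crt client.key; do
    printf '%s\n' "-----BEGIN FAKE $f-----" "$env" "-----END FAKE $f-----" > "$work/$env/$f"
  done
done
write_kubeconfig "$work/config" \
  "uat|https://uat-master:6443|$work/uat" \
  "prd|https://prd-master:6443|$work/prd"
check_kubeconfig "$work/config" && echo "wrote $work/config"
```

The check is worth running on any hand-edited kubeconfig: a surviving "." makes kubectl try to read a directory as a certificate, and a -data value that is the raw PEM rather than its base64 fails in the same confusing way.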
Creating an account with only a subset of permissions:
A cluster normally already has the view, edit and cluster-admin ClusterRoles; to build a custom set of permissions, export one of them and edit the copy. The exported YAML carries server-managed metadata (resourceVersion, uid, creationTimestamp, the rbac-defaults labels) and, for view/edit/admin, an aggregationRule. Delete the aggregationRule, otherwise the aggregation controller overwrites the rules you add, remove the server-managed fields, and change metadata.name to the new role's name (setimage below, to match the ClusterRoleBinding created later).
kubectl get clusterrole view -o yaml > setimageclusterrole.yaml
Add the following rule: it grants create, patch and update on Deployments, which is enough to roll out a new image.
- apiGroups:
  - apps
  resources:
  - deployments
  verbs:
  - create
  - patch
  - update
Alternatively, start from edit: export it and delete the delete and deletecollection verbs from the file, which leaves only modify permissions.
kubectl get clusterrole edit -o yaml > clusterrole-edit.yaml
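As an added example (not from the original post), the export-and-edit step done as a script, including the cleanup an exported built-in role needs: the aggregationRule is dropped (otherwise the aggregation controller restores the original rules and discards the added one), server-set metadata is removed, the role is renamed, and then either the deployments rule is appended or the delete verbs are stripped. The exported YAML it runs on is a constructed, shortened stand-in for `kubectl get clusterrole view -o yaml`; the awk cleanup relies on kubectl's alphabetical key order, which puts rules: last.

```shell
#!/bin/sh
# Added example, not code from the original post: derive a custom
# ClusterRole from an exported built-in one. The sample export below is
# constructed and shortened; real `kubectl get clusterrole view -o yaml`
# output has many more rules.
set -eu

# derive_clusterrole IN OUT NEWNAME
# Drops aggregationRule (its presence makes the controller overwrite
# .rules), drops annotations/labels/creationTimestamp/resourceVersion/uid,
# and sets metadata.name. Assumes kubectl's alphabetical key order, so
# `rules:` is the last top-level key and new rules can be appended.
derive_clusterrole() {
  awk -v newname="$3" '
    function indent(s) { match(s, /^ */); return RLENGTH }
    {
      ind = indent($0)
      if (skipping && ind > skip_ind) next          # inside a dropped block
      skipping = 0
      if ($0 ~ /^aggregationRule:/ || $0 ~ /^  (annotations|labels):/) {
        skipping = 1; skip_ind = ind; next          # drop key and its children
      }
      if ($0 ~ /^  (creationTimestamp|resourceVersion|uid):/) next
      if ($0 ~ /^  name: /) { print "  name: " newname; next }
      print
    }' "$1" > "$2"
}

# add_deploy_rule FILE: append create/patch/update on apps/deployments
add_deploy_rule() {
  cat >> "$1" <<'EOF'
- apiGroups:
  - apps
  resources:
  - deployments
  verbs:
  - create
  - patch
  - update
EOF
}

# strip_delete_verbs FILE: the "start from edit" variant; removes the
# delete and deletecollection verbs from every rule, in place
strip_delete_verbs() {
  tmp=$(mktemp)
  grep -Ev '^  - (delete|deletecollection)$' "$1" > "$tmp" && mv "$tmp" "$1"
}

# write_sample_export FILE: constructed stand-in for the exported view role
write_sample_export() {
  cat > "$1" <<'EOF'
aggregationRule:
  clusterRoleSelectors:
  - matchLabels:
      rbac.authorization.k8s.io/aggregate-to-view: "true"
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  creationTimestamp: "2020-06-11T08:00:00Z"
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
  name: view
  resourceVersion: "123"
  uid: 11111111-2222-3333-4444-555555555555
rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  - pods
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - apps
  resources:
  - deployments
  verbs:
  - get
  - list
  - watch
EOF
}

work=$(mktemp -d)
write_sample_export "$work/view.yaml"
derive_clusterrole "$work/view.yaml" "$work/setimageclusterrole.yaml" setimage
add_deploy_rule "$work/setimageclusterrole.yaml"
cat "$work/setimageclusterrole.yaml"      # ready for kubectl apply -f
```

After applying the role and binding, confirm the effective permissions from the ServiceAccount's point of view rather than trusting the YAML: kubectl auth can-i patch deployments --as=system:serviceaccount:default:setimage, and kubectl auth can-i delete deployments with the same --as should answer no.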
Create the ServiceAccount:
kubectl create serviceaccounts setimage
Create the Secret: since Kubernetes 1.24 a token Secret is no longer generated automatically for a ServiceAccount, so it has to be created by hand (write the file below, then kubectl apply -f setimage-secret.yaml). A Secret-backed token never expires and stays valid until the Secret is deleted; if a long-lived credential is not actually needed, kubectl create token setimage --duration=... issues a short-lived one instead.
cat > setimage-secret.yaml <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: setimage
  annotations:
    kubernetes.io/service-account.name: setimage
type: kubernetes.io/service-account-token
EOF
Create the ClusterRoleBinding (a ClusterRoleBinding grants the role in every namespace; to confine the account to a single namespace, create a RoleBinding in that namespace that references the same ClusterRole instead):
kubectl create clusterrolebinding setimage --clusterrole=setimage --serviceaccount=default:setimage
Put the token into a kubeconfig:
Look up the token:
]# kubectl describe sa setimage
Name:                setimage
Namespace:           default
Labels:              <none>
Annotations:         <none>
Image pull secrets:  <none>
Mountable secrets:   <none>
Tokens:              setimage          # this is the token Secret
Events:              <none>
[root@master loan]# kubectl describe secrets setimage   # copy the long string in the token field
Create the config file (an empty --certificate-authority again leaves the "." placeholder; pointing it at the cluster's ca.crt with --embed-certs=true is preferable, since without a CA the client cannot verify the API server):
kubectl --kubeconfig=kubeconfig config set-cluster kubernetes --server="https://192.168.1.31:6443" --certificate-authority=""
kubectl --kubeconfig=kubeconfig config set-credentials customconfig --token="eyJhbGci......emxC6A"
kubectl --kubeconfig=kubeconfig config set-context customconfig@kubernetes --cluster=kubernetes --user=customconfig
kubectl --kubeconfig=kubeconfig config use-context customconfig@kubernetes
Or generate the kubeconfig with a script, passing the API server address, the base64 CA data and the token as arguments (the CA data is the ca.crt field of the same Secret, kubectl get secret setimage -o jsonpath='{.data.ca\.crt}', which is already base64):
#!/bin/bash
SERVER="$1"
CERTIFICATE_AUTHORITY_DATA="$2"
TOKEN="$3"
mkdir -pv /root/.kube/
cat > /root/.kube/config <<EOF
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: $CERTIFICATE_AUTHORITY_DATA
    server: $SERVER
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: setimage
  name: setimage@kubernetes
current-context: setimage@kubernetes
kind: Config
preferences: {}
users:
- name: setimage
  user:
    token: $TOKEN
EOF
chmod 600 /root/.kube/config   # the file holds a bearer token
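The token-to-kubeconfig step, as an added example rather than the post's own script: it reads token and ca.crt straight out of a `kubectl get secret setimage -o yaml` dump (no copy-pasting from describe), decodes the token, reuses the already-base64 ca.crt as certificate-authority-data, and decodes the JWT payload to warn when the token has no exp claim, which is the case for every Secret-backed ServiceAccount token. The Secret dump, the unsigned token and the server address are constructed sample data.

```shell
#!/bin/sh
# Added example, not the post's script: build the ServiceAccount kubeconfig
# from a `kubectl get secret setimage -o yaml` dump instead of pasting the
# token from `kubectl describe`. The Secret, the (unsigned) token and the
# server URL are constructed sample data.
set -eu

# base64url (JWT alphabet, no padding) -> bytes
b64url_decode() {
  s=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#s} % 4 )) in 2) s="$s==" ;; 3) s="$s=" ;; esac
  printf '%s' "$s" | base64 -d
}

# jwt_claims TOKEN: print the payload (second dot-separated part) as JSON
jwt_claims() { p=${1#*.}; b64url_decode "${p%%.*}"; }

# token_has_expiry TOKEN: 0 if an exp claim is present. Secret-backed SA
# tokens never carry one: they stay valid until the Secret is deleted,
# unlike the time-bound tokens from `kubectl create token`.
token_has_expiry() { jwt_claims "$1" | grep -q '"exp"'; }

# kubeconfig_from_secret SECRET.yaml https://server:6443 OUT
# data.token and data.ca.crt are base64 in the Secret: the token has to be
# decoded for the kubeconfig, ca.crt is already what
# certificate-authority-data expects.
kubeconfig_from_secret() {
  token_b64=$(awk '$1 == "token:" { print $2; exit }' "$1")
  ca_b64=$(awk '$1 == "ca.crt:" { print $2; exit }' "$1")
  [ -n "$token_b64" ] && [ -n "$ca_b64" ] ||
    { echo "kubeconfig_from_secret: no token/ca.crt in $1" >&2; return 1; }
  token=$(printf '%s' "$token_b64" | base64 -d)
  token_has_expiry "$token" ||
    echo "warning: token has no exp claim (non-expiring Secret-backed token)" >&2
  : > "$3"; chmod 600 "$3"                       # bearer token inside: owner-only
  {
    printf 'apiVersion: v1\nkind: Config\npreferences: {}\n'
    printf '%s\n' "clusters:" "- name: kubernetes" "  cluster:" \
      "    server: $2" "    certificate-authority-data: $ca_b64"
    printf '%s\n' "users:" "- name: setimage" "  user:" "    token: $token"
    printf '%s\n' "contexts:" "- name: setimage@kubernetes" "  context:" \
      "    cluster: kubernetes" "    user: setimage"
    printf 'current-context: setimage@kubernetes\n'
  } > "$3"
}

# --- constructed sample data ---
b64url() { base64 | tr -d '\n' | tr '+/' '-_' | tr -d '='; }
# fake_jwt PAYLOAD_JSON: header.payload.dummy-signature (never verifiable)
fake_jwt() {
  printf '%s.%s.%s' "$(printf '%s' '{"alg":"RS256","kid":"demo"}' | b64url)" \
    "$(printf '%s' "$1" | b64url)" "c2ln"
}
LEGACY_TOKEN=$(fake_jwt '{"iss":"kubernetes/serviceaccount","sub":"system:serviceaccount:default:setimage"}')

# write_sample_secret TOKEN FILE: shaped like `kubectl get secret setimage -o yaml`
write_sample_secret() {
  ca=$(printf '%s\n' '-----BEGIN CERTIFICATE-----' 'FAKE-CA' '-----END CERTIFICATE-----' | base64 | tr -d '\n')
  cat > "$2" <<EOF
apiVersion: v1
kind: Secret
type: kubernetes.io/service-account-token
metadata:
  name: setimage
  namespace: default
  annotations:
    kubernetes.io/service-account.name: setimage
data:
  ca.crt: $ca
  namespace: $(printf 'default' | base64)
  token: $(printf '%s' "$1" | base64 | tr -d '\n')
EOF
}

work=$(mktemp -d)
write_sample_secret "$LEGACY_TOKEN" "$work/setimage-secret.yaml"
kubeconfig_from_secret "$work/setimage-secret.yaml" https://192.168.1.31:6443 "$work/kubeconfig"
jwt_claims "$LEGACY_TOKEN"; echo          # no "exp": this token never expires
```

Against a real cluster the same functions work on the output of kubectl get secret setimage -o yaml > setimage-secret.yaml. The exp check is the point to remember: a kubeconfig built this way is a permanent credential, so revoking it means deleting the Secret, not just the file.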