Developers often need to inspect the details of a service deployment but do not need write access. In that case we can generate a read-only kubeconfig file.
1. Download and install the cfssl tool
https://github.com/cloudflare/cfssl. cfssl is written in Go, so you need a local Go environment; then build it following the documentation on GitHub.
2. Create the certificate files
cat readonly-ca-config.json
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "kubernetes": {
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ],
        "expiry": "87600h"
      }
    }
  }
}
Create the certificate signing request (CSR) file
cat readonly-csr.json
{
  "CN": "readonly",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "bj",
      "L": "bj",
      "O": "readonly-group",
      "OU": "System"
    }
  ]
}
CN: Common Name. The api-server takes the CN field as the User name (Kubernetes itself does not maintain User records).
O: Organization. The api-server takes this field from the certificate as the Group name.
Generate the certificate and private key, signed by the cluster CA
ca.crt: the certificate under /etc/kubernetes/pki on the master node (the Kubernetes root CA)
ca.key: the private key under /etc/kubernetes/pki on the master node (the root CA's private key)
cfssl gencert -ca=./ca.crt -ca-key=./ca.key -config=./readonly-ca-config.json -profile=kubernetes readonly-csr.json | cfssljson -bare readonly
This generates the following files:
readonly-key.pem # private key
readonly.csr # signing request
readonly.pem # certificate
Generate the kubeconfig file
The cluster information in readonly.conf needs to be copied from another file (for example admin.conf, the admin credentials generated when the cluster was set up).
# copy the admin file into readonly
cat admin.conf > readonly.conf
# set the user entry
kubectl config set-credentials readonly --client-certificate=readonly.pem --client-key=readonly-key.pem --embed-certs=true --kubeconfig=readonly.conf
# set the context
kubectl config set-context kubernetes --cluster=kubernetes --user=readonly --kubeconfig=readonly.conf
# select the current context
kubectl config use-context kubernetes --kubeconfig=readonly.conf
Create the readonly-group group in the cluster and bind it to the view role
The view ClusterRole is the built-in cluster-wide read-only role in Kubernetes; you can also create your own Role or ClusterRole.
cat readonly.yaml
kind: ClusterRoleBinding
# rbac.authorization.k8s.io/v1 (the v1beta1 API was removed in Kubernetes 1.22)
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: readonly
subjects:
- kind: Group
  name: readonly-group
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: view
  apiGroup: rbac.authorization.k8s.io
After the apply runs, view and readonly-group are bound.
kubectl apply -f readonly.yaml
If kubectl --kubeconfig=readonly.conf get pods runs without error, the readonly kubeconfig has been generated successfully.
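An added example (not part of the original post, and not cfssl's or kubectl's own code) for the kubeconfig-assembly step and the final check above. `cat admin.conf > readonly.conf` followed by `set-credentials` leaves the kubernetes-admin user entry, with its embedded client certificate, inside the file that is then handed to a developer, because kubectl appends entries rather than replacing them. The script below builds readonly.conf from only the cluster entry of admin.conf plus the cfssl output, and audits any kubeconfig for leftover identities. Assumptions: the file names readonly.pem and readonly-key.pem from the post, the kubeadm-style cluster name `kubernetes`, and an admin.conf whose content is a constructed sample embedded inline; the file is written in JSON form, which kubectl reads like YAML.

```python
"""Assemble a read-only kubeconfig from the cluster entry of admin.conf and the
cfssl-issued client certificate, then audit it for leftover credentials.
Added example; the admin.conf content below is a constructed sample."""
import base64
import json
import os
from pathlib import Path

# Constructed sample of a kubeadm-style admin.conf, already parsed into a dict.
# Real files are YAML; load_kubeconfig() handles that when PyYAML is installed.
SAMPLE_ADMIN_CONF = {
    "apiVersion": "v1",
    "kind": "Config",
    "clusters": [{"name": "kubernetes", "cluster": {
        "server": "https://10.0.0.1:6443",
        "certificate-authority-data": base64.b64encode(b"SAMPLE-CA").decode()}}],
    "users": [{"name": "kubernetes-admin", "user": {
        "client-certificate-data": base64.b64encode(b"ADMIN-CERT").decode(),
        "client-key-data": base64.b64encode(b"ADMIN-KEY").decode()}}],
    "contexts": [{"name": "kubernetes-admin@kubernetes",
                  "context": {"cluster": "kubernetes", "user": "kubernetes-admin"}}],
    "current-context": "kubernetes-admin@kubernetes",
}
# Placeholders standing in for readonly.pem / readonly-key.pem produced by cfssl.
SAMPLE_CERT_PEM = b"-----BEGIN CERTIFICATE-----\nSAMPLE\n-----END CERTIFICATE-----\n"
SAMPLE_KEY_PEM = b"-----BEGIN RSA PRIVATE KEY-----\nSAMPLE\n-----END RSA PRIVATE KEY-----\n"


def load_kubeconfig(path):
    """Parse a kubeconfig file (YAML via PyYAML if present, else JSON)."""
    text = Path(path).read_text()
    try:
        import yaml
        return yaml.safe_load(text)
    except ImportError:
        return json.loads(text)


def build_readonly_kubeconfig(admin_conf, cert_pem, key_pem,
                              cluster_name="kubernetes", user="readonly"):
    """Return a kubeconfig carrying only the named cluster and the readonly identity.
    Same result as set-cluster / set-credentials --embed-certs / set-context /
    use-context, but starting from an empty file instead of a copy of admin.conf."""
    clusters = [c for c in admin_conf["clusters"] if c["name"] == cluster_name]
    if len(clusters) != 1:
        raise ValueError(f"cluster {cluster_name!r} not found in source kubeconfig")
    context = f"{user}@{cluster_name}"
    return {
        "apiVersion": "v1",
        "kind": "Config",
        "clusters": [clusters[0]],
        "users": [{"name": user, "user": {
            "client-certificate-data": base64.b64encode(cert_pem).decode(),
            "client-key-data": base64.b64encode(key_pem).decode()}}],
        "contexts": [{"name": context, "context": {"cluster": cluster_name, "user": user}}],
        "current-context": context,
    }


def copy_then_override(admin_conf, readonly_cfg):
    """Model the post's flow: `cat admin.conf > readonly.conf`, then set-credentials /
    set-context / use-context. kubectl appends entries, so the admin ones survive."""
    merged = json.loads(json.dumps(admin_conf))  # deep copy
    merged["users"] += readonly_cfg["users"]
    merged["contexts"] += readonly_cfg["contexts"]
    merged["current-context"] = readonly_cfg["current-context"]
    return merged


def audit_kubeconfig(cfg, expected_user="readonly"):
    """List everything in cfg that is not the expected identity; [] means clean."""
    findings = []
    for entry in cfg.get("users", []):
        name = entry["name"]
        if name != expected_user:
            findings.append(f"unexpected user {name!r}: leftover credential")
        for key in ("token", "username", "password"):
            if key in entry.get("user", {}):
                findings.append(f"user {name!r} carries a {key}")
    for ctx in cfg.get("contexts", []):
        if ctx["context"].get("user") != expected_user:
            findings.append(f"context {ctx['name']!r} selects user {ctx['context'].get('user')!r}")
    return findings


def write_kubeconfig(cfg, path):
    """Write the kubeconfig as JSON (kubectl accepts JSON kubeconfigs) with mode 0600."""
    p = Path(path)
    p.write_text(json.dumps(cfg, indent=2))
    os.chmod(p, 0o600)
    return p


if __name__ == "__main__":
    clean = build_readonly_kubeconfig(SAMPLE_ADMIN_CONF, SAMPLE_CERT_PEM, SAMPLE_KEY_PEM)
    leaky = copy_then_override(SAMPLE_ADMIN_CONF, clean)
    print("built from scratch:", audit_kubeconfig(clean) or "clean")
    print("copied from admin.conf:", audit_kubeconfig(leaky))
    # With real files: cfg = build_readonly_kubeconfig(load_kubeconfig("admin.conf"),
    #     Path("readonly.pem").read_bytes(), Path("readonly-key.pem").read_bytes())
    # write_kubeconfig(cfg, "readonly.conf")
```

Besides `get pods` succeeding, a stronger acceptance check for the finished file is that writes are refused: `kubectl auth can-i delete pods --kubeconfig=readonly.conf` should answer `no`, and `kubectl auth can-i --list --kubeconfig=readonly.conf` shows exactly what the `view` ClusterRole grants.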