
Creating a ServiceAccount in Kubernetes

September 23, 2024

Introduction

In some situations we need to give a developer a kubeconfig file carrying a specific, limited set of permissions so that they can access a Kubernetes cluster. This post walks through creating a kubeconfig with exactly the permissions you specify.

Steps

1. Create a namespace

First, create a new namespace:

kubectl create namespace myspace

2. Create a ServiceAccount

Next, create a ServiceAccount in the new namespace:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: bboysoul
  namespace: myspace

3. Create a Role

Define a Role with the required permissions (this example grants every verb on every resource in the namespace; narrow it to what the developer actually needs):

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: bboysoul-role
  namespace: myspace
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["*"]

4. Create a RoleBinding

Bind the Role to the ServiceAccount:

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: bboysoul-rolebinding
  namespace: myspace
subjects:
- kind: ServiceAccount
  name: bboysoul
  namespace: myspace
roleRef:
  kind: Role
  name: bboysoul-role
  apiGroup: rbac.authorization.k8s.io

5. Create a Secret

Create a token Secret associated with the ServiceAccount:

apiVersion: v1
kind: Secret
metadata:
  name: bboysoul-sc
  namespace: myspace
  annotations:
    kubernetes.io/service-account.name: "bboysoul"
type: kubernetes.io/service-account-token

6. Generate the kubeconfig

Get certificate-authority-data and the token from the Secret. The template is as follows:

apiVersion: v1
kind: Config
clusters:
- cluster:
    certificate-authority-data: <your-ca.crt>
    server: https://<your-k8s-api-server>:6443
  name: kind
contexts:
- context:
    cluster: kind
    namespace: myspace
    user: bboysoul
  name: kind
current-context: kind
users:
- name: bboysoul
  user:
    token: <your-token>
    

First, get certificate-authority-data:

kubectl get secret bboysoul-sc -n myspace -o yaml
apiVersion: v1
data:
  ca.crt: <base64-encoded ca.crt>
  namespace: bXlzcGFjZQ==
  token: <base64-encoded token>
kind: Secret
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"v1","kind":"Secret","metadata":{"annotations":{"kubernetes.io/service-account.name":"bboysoul"},"name":"bboysoul-sc","namespace":"myspace"},"type":"kubernetes.io/service-account-token"}
    kubernetes.io/service-account.name: bboysoul
    kubernetes.io/service-account.uid: a1b9acf7-50a6-4afe-8abc-1581a22ada79
  creationTimestamp: "2024-09-23T07:21:16Z"
  name: bboysoul-sc
  namespace: myspace
  resourceVersion: "2320"
  uid: f675dc53-e7bf-4b30-9370-fdebe7c7396e
type: kubernetes.io/service-account-token

The value for certificate-authority-data is the ca.crt field below, used as-is (it stays base64-encoded):

ca.crt: <base64-encoded ca.crt>

server is the address of the API server, here https://127.0.0.1:6443.

The token, unlike ca.crt, goes into the kubeconfig decoded; get it with the following command:

kubectl get secret bboysoul-sc -n myspace -o jsonpath='{.data.token}' | base64 --decode

Put together, the kubeconfig looks like this:

apiVersion: v1
kind: Config
clusters:
- cluster:
    certificate-authority-data: <base64-encoded ca.crt>
    server: https://127.0.0.1:6443
  name: kind
contexts:
- context:
    cluster: kind
    namespace: myspace
    user: bboysoul
  name: kind
current-context: kind
users:
- name: bboysoul
  user:
    token: eyJhbGciOiJSUzI1NiIsImtpZCI6ImlYR2pUUmFIQzE4TWZxLV9yQlhFLTExQ3FXb1hBQzMyc3NpVWNieGZ3ZW8ifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJteXNwYWNlIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImJib3lzb3VsLXNjIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6ImJib3lzb3VsIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiYTFiOWFjZjctNTBhNi00YWZlLThhYmMtMTU4MWEyMmFkYTc5Iiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50Om15c3BhY2U6YmJveXNvdWwifQ.LvryQTX50xGLUoOIac-JOIu73ep_wTgIIae_oEwbEyhNLBrjaqJcYWBN2BMZv57mgYdwMcFUA97WM8U8XhIsa_4ld17Sw5lSrLkP2Q_SSkxilRD_vEmaGwg0PNNz5qBL0AXtnV_HCTjCfD9D8DwFuItmrXAPRMxcZZxeKare4v71b0z36mAJtbo1j8UOLvR5r8PuN7cDQsszGDtb2vI7VDTRWT8EEJUjdljwLWwAYdHNXQhcS2BFpoQGvQ0I32-maEwIcUm3fHt-GIPgo55eSw4NrTYa1P71OIez3PeWQfLkvawMh5l1rOK7prQwzH8k04PdBsY0UdkloGqOVINkXA

7. Verify the configuration

Use the generated kubeconfig to connect to the cluster:

kubectl --kubeconfig=<path-to-your-kubeconfig> get pods -n myspace
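As an added example (not code from the original post), here is a small Python helper that performs steps 6 and 7 from the Secret's JSON (`kubectl get secret bboysoul-sc -n myspace -o json`): it keeps ca.crt base64-encoded, decodes the token, and refuses to emit a kubeconfig unless the token's sub claim names the intended ServiceAccount, so you never hand a developer the wrong account's credential. The Secret contents and the JWT are constructed placeholders, not real credentials.

```python
import base64
import json

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def token_subject(token: str) -> str:
    """'sub' claim of a ServiceAccount JWT; signature NOT verified (the API server does that)."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))["sub"]

def build_kubeconfig(secret: dict, server: str, cluster: str = "kind") -> dict:
    """Assemble a kubeconfig from a service-account-token Secret as returned by
    `kubectl get secret ... -o json`. ca.crt stays base64; the token is decoded."""
    if secret.get("type") != "kubernetes.io/service-account-token":
        raise ValueError("not a kubernetes.io/service-account-token Secret")
    meta = secret["metadata"]
    sa, ns = meta["annotations"]["kubernetes.io/service-account.name"], meta["namespace"]
    token = base64.b64decode(secret["data"]["token"]).decode()
    expected = f"system:serviceaccount:{ns}:{sa}"
    if token_subject(token) != expected:  # refuse to hand out another account's token
        raise ValueError(f"token subject is not {expected}")
    return {
        "apiVersion": "v1", "kind": "Config",
        "clusters": [{"name": cluster, "cluster": {
            "certificate-authority-data": secret["data"]["ca.crt"], "server": server}}],
        "contexts": [{"name": cluster, "context": {"cluster": cluster, "namespace": ns, "user": sa}}],
        "current-context": cluster,
        "users": [{"name": sa, "user": {"token": token}}],
    }

# Constructed sample Secret: placeholder CA and an unsigned fake JWT, not real credentials.
FAKE_JWT = ".".join([
    b64url(b'{"alg":"RS256","kid":"fake"}'),
    b64url(json.dumps({"iss": "kubernetes/serviceaccount",
                       "sub": "system:serviceaccount:myspace:bboysoul"}).encode()),
    b64url(b"not-a-real-signature"),
])
SAMPLE_SECRET = {
    "apiVersion": "v1", "kind": "Secret", "type": "kubernetes.io/service-account-token",
    "metadata": {"name": "bboysoul-sc", "namespace": "myspace",
                 "annotations": {"kubernetes.io/service-account.name": "bboysoul"}},
    "data": {"ca.crt": base64.b64encode(b"-----BEGIN CERTIFICATE-----\nFAKE\n-----END CERTIFICATE-----\n").decode(),
             "token": base64.b64encode(FAKE_JWT.encode()).decode()},
}

if __name__ == "__main__":
    print(json.dumps(build_kubeconfig(SAMPLE_SECRET, "https://127.0.0.1:6443"), indent=2))
```

The printed JSON can be saved directly as the kubeconfig file, since kubectl accepts JSON kubeconfigs (JSON is valid YAML).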

Notes

  • Replace <your-ca.crt>, <your-k8s-api-server> and <your-token> with the values from your actual cluster.
  • Adjust the permissions in the Role's rules to what is actually needed.
  • Make sure the permissions granted through the kubeconfig comply with your security policy.

Feel free to follow my blog: www.bboy.app

Have Fun