Problem scenario
The kubeconfig handed to users by default belongs to a cluster-admin user, which is effectively root on the cluster. For many users that is far more privilege than they need and it makes fine-grained access control impossible.
Goal
Manage cluster resources at a finer granularity, so that a given user holds only a subset of permissions (for example create, read and update).
Prerequisites
Make sure kubectl is installed on your machine; if it is not, download the kubectl that matches your cluster version (or the latest one) from the Kubernetes release page.
Configuration
The example below only allows viewing and creating Pods and Deployments in the test namespace; deleting them is not allowed.
- Create the ServiceAccount
Create a ServiceAccount named my-sa in the test namespace.
kubectl create sa my-sa -n test
- Create the Role
Define the Role's rule table, granting each resource the operations it needs.
The manifest below carries the annotation rbac.authorization.kubernetes.io/autoupdate: "true", which the Kubernetes documentation describes as follows: at every start-up, the API server updates the default ClusterRoles to add any missing permissions and updates the default ClusterRoleBindings to add any missing subjects. This automatic reconciliation lets the cluster repair accidental modifications and keeps roles and bindings current when a new release changes their permissions or subjects.
Note that this reconciliation only covers the default ClusterRoles and ClusterRoleBindings that ship with the API server; on a user-defined Role such as myrole the annotation and the rbac-defaults label have no effect and can be left out.
cat << EOF | kubectl apply -f -
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
  name: myrole
  namespace: test
rules:
# Pods live in the core API group (""), so view and create must be granted here.
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
  - watch
  - create
# Deployments live in the apps group. Listing pods under apps would grant nothing,
# because the API server matches rules on the group the resource really belongs to.
- apiGroups:
  - apps
  resources:
  - deployments
  verbs:
  - get
  - list
  - watch
  - create
EOF
- Create the RoleBinding
Bind the Role to the ServiceAccount in the same namespace.
cat << EOF | kubectl apply -f -
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: myrolebinding
  namespace: test
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: myrole
subjects:
- kind: ServiceAccount
  name: my-sa
  namespace: test
EOF
Token
If no token is created automatically for the ServiceAccount (since Kubernetes 1.24 a token Secret is no longer created for every ServiceAccount), create one by hand. The annotation must name the ServiceAccount the token belongs to, here my-sa:
cat << EOF | kubectl apply -f -
---
apiVersion: v1
kind: Secret
metadata:
  name: test
  namespace: test
  annotations:
    kubernetes.io/service-account.name: my-sa
type: kubernetes.io/service-account-token
EOF
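Before handing the kubeconfig out it is worth checking what the Role really grants. The following is an added example, not code from the original page: it reimplements the PolicyRule matching that the API server applies and evaluates the page's myrole rules offline, alongside a constructed variant that lists pods under the apps group to show why that grants nothing for pods. Only the rules themselves are evaluated; the namespace scope and the RoleBinding are assumed to be correct.

```python
"""Offline check of what a Kubernetes Role grants (added example, not code
from the original page). It reimplements the PolicyRule matching the API
server applies: "*" wildcards in apiGroups, resources and verbs, "*/<sub>"
for subresources, optional resourceNames. Only the rules are evaluated;
namespace scope and the RoleBinding are assumed correct.
"""
from typing import Optional, Sequence

# Rules of the page's "myrole" Role: pods in the core group "" and
# deployments in "apps", each with get/list/watch/create only.
MYROLE_RULES = [
    {"apiGroups": [""], "resources": ["pods"],
     "verbs": ["get", "list", "watch", "create"]},
    {"apiGroups": ["apps"], "resources": ["deployments"],
     "verbs": ["get", "list", "watch", "create"]},
]
# Constructed variant with pods listed under "apps" (a common mistake):
# pods belong to the core group, so create on pods is never granted.
PODS_UNDER_APPS_RULES = [
    {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["apps"], "resources": ["pods", "deployments"],
     "verbs": ["get", "list", "watch", "create"]},
]

def _resource_matches(resource: str, allowed: Sequence[str]) -> bool:
    # Exact match or "*"; a subresource such as "pods/log" also matches "*/log".
    if "*" in allowed or resource in allowed:
        return True
    if "/" in resource:
        return "*/" + resource.split("/", 1)[1] in allowed
    return False

def rule_allows(rule: dict, group: str, resource: str, verb: str,
                name: Optional[str] = None) -> bool:
    """Does one PolicyRule permit verb on group/resource (optionally a named object)?"""
    groups, verbs = rule.get("apiGroups", []), rule.get("verbs", [])
    if "*" not in groups and group not in groups:
        return False
    if not _resource_matches(resource, rule.get("resources", [])):
        return False
    if "*" not in verbs and verb not in verbs:
        return False
    names = rule.get("resourceNames", [])
    return not names or name in names

def can_i(rules: Sequence[dict], verb: str, resource: str, group: str = "",
          name: Optional[str] = None) -> bool:
    """Rules are purely additive: the request is allowed if any single rule matches."""
    return any(rule_allows(r, group, resource, verb, name) for r in rules)
```

On a live cluster the API server answers the same question directly with kubectl auth can-i create pods -n test --as=system:serviceaccount:test:my-sa.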
Quick creation script
#!/usr/bin/bash
set -e
set -u
set -o pipefail
set -x   # echoes every command, including the token value, to stderr; remove once debugged
# Please set these variables first, then run the script on the master node.
APISERVER_ADDRESS="https://127.0.0.1:6443"   # address the user will reach the API server at
USER=test # user name
NAMESPACE=sit
KUBECONFIG_NAME=kubeconfig_${USER}.yaml
echo "Generate kubeconfig for user $USER in namespace $NAMESPACE"
# Create service account
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: $NAMESPACE
  name: $USER
EOF
# Get secret token
# Kubernetes 1.24+ no longer creates a token Secret automatically, so create one
# explicitly and wait for the token controller to populate it.
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Secret
metadata:
  name: ${USER}-token
  namespace: $NAMESPACE
  annotations:
    kubernetes.io/service-account.name: $USER
type: kubernetes.io/service-account-token
EOF
token=""
for _ in $(seq 1 30); do
  token=$(kubectl get secret ${USER}-token -n $NAMESPACE -o jsonpath='{.data.token}' | base64 -d)
  [ -n "$token" ] && break
  sleep 1
done
[ -n "$token" ] || { echo "Token for $USER was not populated" >&2; exit 1; }
# Get cluster info
clusterCA=$(kubectl config view --flatten --minify -o jsonpath='{.clusters[0].cluster.certificate-authority-data}')
clusterName=$(kubectl config view --minify -o jsonpath='{.clusters[0].name}')
# Create role and role bindings
cat <<EOF | kubectl apply -f -
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  name: ${USER}-role
  namespace: $NAMESPACE
rules:
- apiGroups:
  - apps
  - ""
  resources:
  - deployments
  - pods
  verbs:
  - update
  - get
  - list
  - watch
  - create
  - patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ${USER}-rolebinding
  namespace: $NAMESPACE
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ${USER}-role
subjects:
- namespace: $NAMESPACE
  kind: ServiceAccount
  name: ${USER}
EOF
# Generate kubeconfig (readable by the owner only, since it contains the token)
umask 077
cat <<EOF > $KUBECONFIG_NAME
apiVersion: v1
kind: Config
users:
- name: $USER
  user:
    token: $token
clusters:
- cluster:
    certificate-authority-data: $clusterCA
    server: $APISERVER_ADDRESS
  name: $clusterName
contexts:
- context:
    cluster: $clusterName
    user: $USER
  name: ${USER}-context
current-context: ${USER}-context
EOF
echo "Congratulations! The kubeconfig file is generated at $KUBECONFIG_NAME"