From 43de866aa5127eea68dbf87530647adbd10125c4 Mon Sep 17 00:00:00 2001 From: gjmzj Date: Fri, 30 Nov 2018 15:18:17 +0800 Subject: [PATCH] =?UTF-8?q?=E6=9B=B4=E6=96=B0=E7=94=9F=E6=88=90kubeconfig?= =?UTF-8?q?=E8=84=9A=E6=9C=AC=E4=B8=8E=E6=96=87=E6=A1=A3?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- docs/op/readonly_kubectl.md | 5 ++++ roles/deploy/create-admin-kubeconfig.yml | 33 ++++++++++++++++++++++++ roles/deploy/create-read-kubeconfig.yml | 3 +++ 3 files changed, 41 insertions(+) create mode 100644 roles/deploy/create-admin-kubeconfig.yml diff --git a/docs/op/readonly_kubectl.md b/docs/op/readonly_kubectl.md index 4182f47..73d52ff 100644 --- a/docs/op/readonly_kubectl.md +++ b/docs/op/readonly_kubectl.md @@ -59,6 +59,11 @@ kubeconfig 为与apiserver交互使用的认证配置文件,如脚本步骤需 创建完成后生成默认配置文件为 `~/.kube/config` +## 恢复 admin 权限 + +- 可以恢复之前备份的`~/.kubeadmin`文件:`mv ~/.kube ~/.kuberead && mv ~/.kubeadmin ~/.kube` +- 或者直接执行 `ansible-playbook /etc/ansible/roles/deploy/create-admin-kubeconfig.yml` + ## 参考 - [Using RBAC Authorization](https://kubernetes.io/docs/reference/access-authn-authz/rbac/) diff --git a/roles/deploy/create-admin-kubeconfig.yml b/roles/deploy/create-admin-kubeconfig.yml new file mode 100644 index 0000000..664b2b1 --- /dev/null +++ b/roles/deploy/create-admin-kubeconfig.yml 
@@ -0,0 +1,33 @@ +- hosts: deploy + tasks: + - name: 删除原有kubeconfig + file: path=/root/.kube state=absent + + - name: 准备kubectl使用的admin 证书签名请求 + template: src=admin-csr.json.j2 dest={{ ca_dir }}/admin-csr.json + + - name: 创建 admin证书与私钥 + shell: "cd {{ ca_dir }} && {{ bin_dir }}/cfssl gencert \ + -ca={{ ca_dir }}/ca.pem \ + -ca-key={{ ca_dir }}/ca-key.pem \ + -config={{ ca_dir }}/ca-config.json \ + -profile=kubernetes admin-csr.json | {{ bin_dir }}/cfssljson -bare admin" + # 设置集群参数,指定CA证书和apiserver地址 + - name: 设置集群参数 + shell: "{{ bin_dir }}/kubectl config set-cluster kubernetes \ + --certificate-authority={{ ca_dir }}/ca.pem \ + --embed-certs=true \ + --server={{ KUBE_APISERVER }}" + # 设置客户端认证参数,指定使用admin证书和私钥 + - name: 设置客户端认证参数 + shell: "{{ bin_dir }}/kubectl config set-credentials admin \ + --client-certificate={{ ca_dir }}/admin.pem \ + --embed-certs=true \ + --client-key={{ ca_dir }}/admin-key.pem" + # 设置上下文参数,说明使用cluster集群和用户admin + - name: 设置上下文参数 + shell: "{{ bin_dir }}/kubectl config set-context kubernetes \ + --cluster=kubernetes --user=admin" + # 选择默认上下文 + - name: 选择默认上下文 + shell: "{{ bin_dir }}/kubectl config use-context kubernetes" diff --git a/roles/deploy/create-read-kubeconfig.yml b/roles/deploy/create-read-kubeconfig.yml index 93d1d33..e39404e 100644 --- a/roles/deploy/create-read-kubeconfig.yml +++ b/roles/deploy/create-read-kubeconfig.yml @@ -9,6 +9,9 @@ - name: 创建group:read rbac 绑定 shell: "{{ bin_dir }}/kubectl apply -f /opt/kube/kube-system/read-group-rbac.yaml" + - name: 删除原有kubeconfig + file: path=/root/.kube state=absent + # 创建readonly kubectl kubeconfig文件: /root/.kube/config - name: 准备kubectl使用的read 证书签名请求 template: src=read-csr.json.j2 dest={{ ca_dir }}/read-csr.json
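Review bot: The first task, `file: path=/root/.kube state=absent`, destroys the current kubeconfig before anything new exists, so a failure in the cfssl pipeline or in any later `kubectl config` step leaves the deploy host with no usable kubeconfig at all, and no backup is taken even though the docs in this same commit tell users to restore from `~/.kubeadmin`. I would move instead of delete, `- name: 备份原有kubeconfig` / `command: mv /root/.kube /root/.kubeadmin` / `args: {removes: /root/.kube}`, or build the new file under `--kubeconfig={{ ca_dir }}/admin.kubeconfig` and only copy it into `/root/.kube/config` as the final task. A comment above the cfssl task should also state that every run mints a new admin client certificate from the cluster CA and Kubernetes has no revocation, so any copy of an older `/root/.kube/config` (it embeds the private key via `--embed-certs=true`) remains a valid admin credential until it expires, which makes `{{ ca_dir }}` and the generated `admin-key.pem` the things to protect. `{{ KUBE_APISERVER }}` and `{{ ca_dir }}` are interpolated unquoted into `shell:` strings; if those variables can ever come from an untrusted inventory, pass them through the `quote` filter or switch the four kubectl tasks to `command:`, which needs no shell.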
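Review bot: The added `file: path=/root/.kube state=absent` task removes the admin kubeconfig with no backup, so after this play the only way back to admin on the deploy host is re-signing a certificate with the CA in `{{ ca_dir }}`, while the doc change in this commit tells users to restore `~/.kubeadmin`, which nothing here creates. Replace the deletion with `command: mv /root/.kube /root/.kubeadmin` plus `args: {removes: /root/.kube}` so that documented restore path exists; the `kubectl apply` of the RBAC binding just above still runs under the admin config, so the ordering itself is fine. The rest of this play, including the task that eventually writes the read-only config into `/root/.kube`, is outside the hunk; any task between this deletion and that write that calls kubectl will now run without credentials, which is worth a one-line comment here.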