From 7916344997eceda59437276783f8afd02033fe2e Mon Sep 17 00:00:00 2001
From: gjmzj
Date: Sun, 29 Mar 2020 10:52:46 +0800
Subject: [PATCH] modify kubectl-kubeconfig creating for bogeit
---
 docs/op/readonly_kubectl.md | 29 ++++----------
 roles/deploy/defaults/main.yml | 7 +++-
 .../tasks/create-kubectl-kubeconfig.yml | 28 ++++++++-----
 .../tasks/create-kubectl-ro-kubeconfig.yml | 40 -------------------
 roles/deploy/tasks/main.yml | 6 +--
 5 files changed, 31 insertions(+), 79 deletions(-)
 delete mode 100644 roles/deploy/tasks/create-kubectl-ro-kubeconfig.yml
diff --git a/docs/op/readonly_kubectl.md b/docs/op/readonly_kubectl.md
index 38690d1..aa243f9 100644
--- a/docs/op/readonly_kubectl.md
+++ b/docs/op/readonly_kubectl.md
@@ -4,29 +4,12 @@ ## 创建 -- 执行如下命令成功后查看/root/.kube/read.config 即为只读权限 - -``` -ansible-playbook /etc/ansible/roles/deploy/deploy.yml -t create_ro_kctl_cfg -e CREATE_READONLY_KUBECONFIG=true -``` - -- 验证只读权限 - -``` -$ kubectl --kubeconfig=/root/.kube/read.config get deploy -n kube-system -NAME READY UP-TO-DATE AVAILABLE AGE -coredns 2/2 2 2 13d -dashboard-metrics-scraper 1/1 1 1 13d -kubernetes-dashboard 1/1 1 1 13d -metrics-server 1/1 1 1 13d -traefik-ingress-controller 1/1 1 1 13d -$ kubectl --kubeconfig=/root/.kube/read.config delete deploy kubernetes-dashboard -n kube-system -Error from server (Forbidden): deployments.apps "kubernetes-dashboard" is forbidden: User "read" cannot delete resource "deployments" in API group "apps" in the namespace "kube-system" -``` +- 备份下原先 admin 权限的 kubeconfig 文件:`mv ~/.kube ~/.kubeadmin` +- 执行 `ansible-playbook /etc/ansible/01.prepare.yml -t create_kctl_cfg -e USER_NAME=read`,成功后查看~/.kube/config 即为只读权限 ## 讲解 -对照文件`/etc/ansible/roles/deploy/tasks/create-kubectl-ro-kubeconfig.yml`,创建主要包括三个步骤: +创建主要包括三个步骤: - 创建 group:read rbac 权限 - 创建 read 用户证书和私钥 
@@ -74,9 +57,11 @@ kubeconfig 为与apiserver交互使用的认证配置文件,如脚本步骤需 - 设置上下文参数,指定使用cluster集群和用户read - 设置指定默认上下文 -创建完成后生成配置文件为`/root/.kube/read.config`,可以将该文件发给只读权限的普通用户 +创建完成后生成默认配置文件为 `~/.kube/config` -## 关联阅读[访问dashboard](../guide/dashboard.md)中的只读kubeconfig登陆相关内容 +## 恢复 admin 权限 + +- 可以恢复之前备份的`~/.kubeadmin`文件:`mv ~/.kube ~/.kuberead && mv ~/.kubeadmin ~/.kube` ## 参考
diff --git a/roles/deploy/defaults/main.yml b/roles/deploy/defaults/main.yml
index 1fbeb06..d402c64 100644
--- a/roles/deploy/defaults/main.yml
+++ b/roles/deploy/defaults/main.yml
@@ -5,6 +5,9 @@ CERT_EXPIRY: "438000h"
 # apiserver 默认第一个master节点
 KUBE_APISERVER: "https://{{ groups['kube-master'][0] }}:6443"
 
+# kubeconfig 配置参数,注意权限根据‘USER_NAME’设置:
+# 'admin' 表示创建集群管理员(所有)权限的 kubeconfig
+# 'read' 表示创建只读权限的 kubeconfig
 CLUSTER_NAME: "cluster1"
-
-CREATE_READONLY_KUBECONFIG: false
+USER_NAME: "admin"
+CONTEXT_NAME: "context-{{ CLUSTER_NAME }}-{{ USER_NAME }}"
diff --git a/roles/deploy/tasks/create-kubectl-kubeconfig.yml b/roles/deploy/tasks/create-kubectl-kubeconfig.yml
index 7192d7e..71b6b4d 100644
--- a/roles/deploy/tasks/create-kubectl-kubeconfig.yml
+++ b/roles/deploy/tasks/create-kubectl-kubeconfig.yml
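Review bot: The new comment above `CLUSTER_NAME` lists `admin` and `read` as the two meanings of `USER_NAME`, but nothing states what any other value does, and the tasks that consume it resolve `{{ USER_NAME }}-csr.json.j2` and the certificate/key file names purely by string interpolation, so an unlisted value is only discovered when a template lookup fails mid-run. I would extend the comment with `# any other value is unsupported: the deploy tasks look up {{ USER_NAME }}-csr.json.j2 and the cert/key files by this name` so an operator passing `-e USER_NAME=...` sees the constraint where the variable is defined. Quoting `USER_NAME` and deriving `CONTEXT_NAME` from it is fine as written.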
@@ -2,15 +2,23 @@
 file: path=/root/.kube/config state=absent
 ignore_errors: true
 
-- name: 准备kubectl使用的admin证书签名请求
- template: src=admin-csr.json.j2 dest={{ base_dir }}/.cluster/ssl/admin-csr.json
+- name: 下载 group:read rbac 文件
+ copy: src=read-group-rbac.yaml dest=/tmp/read-group-rbac.yaml
+ when: USER_NAME == "read"
 
-- name: 创建admin证书与私钥
+- name: 创建group:read rbac 绑定
+ shell: "{{ base_dir }}/bin/kubectl apply -f /tmp/read-group-rbac.yaml"
+ when: USER_NAME == "read"
+
+- name: 准备kubectl使用的{{ USER_NAME }}证书签名请求
+ template: src={{ USER_NAME }}-csr.json.j2 dest={{ base_dir }}/.cluster/ssl/{{ USER_NAME }}-csr.json
+
+- name: 创建{{ USER_NAME }}证书与私钥
 shell: "cd {{ base_dir }}/.cluster/ssl && {{ base_dir }}/bin/cfssl gencert \
 -ca=ca.pem \
 -ca-key=ca-key.pem \
 -config=ca-config.json \
- -profile=kubernetes admin-csr.json | {{ base_dir }}/bin/cfssljson -bare admin"
+ -profile=kubernetes {{ USER_NAME }}-csr.json | {{ base_dir }}/bin/cfssljson -bare {{ USER_NAME }}"
 
 - name: 设置集群参数
 shell: "{{ base_dir }}/bin/kubectl config set-cluster {{ CLUSTER_NAME }} \
@@ -19,14 +27,14 @@
 --server={{ KUBE_APISERVER }}"
 
 - name: 设置客户端认证参数
- shell: "{{ base_dir }}/bin/kubectl config set-credentials admin \
- --client-certificate={{ base_dir }}/.cluster/ssl/admin.pem \
+ shell: "{{ base_dir }}/bin/kubectl config set-credentials {{ USER_NAME }} \
+ --client-certificate={{ base_dir }}/.cluster/ssl/{{ USER_NAME }}.pem \
 --embed-certs=true \
- --client-key={{ base_dir }}/.cluster/ssl/admin-key.pem"
+ --client-key={{ base_dir }}/.cluster/ssl/{{ USER_NAME }}-key.pem"
 
 - name: 设置上下文参数
- shell: "{{ base_dir }}/bin/kubectl config set-context {{ CLUSTER_NAME }} \
- --cluster={{ CLUSTER_NAME }} --user=admin"
+ shell: "{{ base_dir }}/bin/kubectl config set-context {{ CONTEXT_NAME }} \
+ --cluster={{ CLUSTER_NAME }} --user={{ USER_NAME }}"
 
 - name: 选择默认上下文
- shell: "{{ base_dir }}/bin/kubectl config use-context {{ CLUSTER_NAME }}"
+ shell: "{{ base_dir }}/bin/kubectl config use-context {{ CONTEXT_NAME }}"
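Review bot: The new `kubectl apply -f /tmp/read-group-rbac.yaml` task runs after the `file: path=/root/.kube/config state=absent` task at the top of this hunk and before `set-cluster`/`set-credentials` have written a new config, so on a `USER_NAME=read` run (where the docs additionally have the operator `mv ~/.kube` away first) kubectl has no credentials at that point unless `KUBECONFIG` or another source supplies them, and the group:read binding is not created; the apply needs an explicit `--kubeconfig=` pointing at an admin config that still exists (e.g. the `~/.kubeadmin/config` backup the docs describe), because the config this file goes on to write is the read-only one. `USER_NAME` is also never validated: a value with no matching `{{ USER_NAME }}-csr.json.j2` fails at the `template:` task only after the existing kubeconfig is already gone, so a guard ahead of the deletion, `- assert:` / `that: USER_NAME in ['admin', 'read']`, fails fast with nothing destroyed. The manifest is also staged at a fixed name in world-writable `/tmp` and then applied; copying it into `{{ base_dir }}/.cluster/` with the other generated artefacts removes the window in which another local account on the deploy host could replace its content between the two tasks. The task that owns the `file:` line begins on line 1, outside this hunk.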
diff --git a/roles/deploy/tasks/create-kubectl-ro-kubeconfig.yml b/roles/deploy/tasks/create-kubectl-ro-kubeconfig.yml
deleted file mode 100644
index 01207c1..0000000
--- a/roles/deploy/tasks/create-kubectl-ro-kubeconfig.yml
+++ /dev/null
@@ -1,40 +0,0 @@
-- block:
- - name: 下载 group:read rbac 文件
- copy: src=read-group-rbac.yaml dest=/tmp/read-group-rbac.yaml
-
- - name: 创建group:read rbac 绑定
- shell: "{{ base_dir }}/bin/kubectl apply -f /tmp/read-group-rbac.yaml"
-
- - name: 准备kubectl使用的read证书签名请求
- template: src=read-csr.json.j2 dest={{ base_dir }}/.cluster/ssl/read-csr.json
-
- - name: 创建read证书与私钥
- shell: "cd {{ base_dir }}/.cluster/ssl && {{ base_dir }}/bin/cfssl gencert \
- -ca=ca.pem \
- -ca-key=ca-key.pem \
- -config=ca-config.json \
- -profile=kubernetes read-csr.json | {{ base_dir }}/bin/cfssljson -bare read"
-
- - name: 设置只读kubeconfig集群参数
- shell: "{{ base_dir }}/bin/kubectl config set-cluster {{ CLUSTER_NAME }} \
- --certificate-authority={{ base_dir }}/.cluster/ssl/ca.pem \
- --embed-certs=true \
- --server={{ KUBE_APISERVER }} \
- --kubeconfig=/root/.kube/read.config"
-
- - name: 设置只读kubeconfig客户端认证参数
- shell: "{{ base_dir }}/bin/kubectl config set-credentials read \
- --client-certificate={{ base_dir }}/.cluster/ssl/read.pem \
- --embed-certs=true \
- --client-key={{ base_dir }}/.cluster/ssl/read-key.pem \
- --kubeconfig=/root/.kube/read.config"
-
- - name: 设置只读kubeconfig上下文参数
- shell: "{{ base_dir }}/bin/kubectl config set-context {{ CLUSTER_NAME }} \
- --cluster={{ CLUSTER_NAME }} --user=read \
- --kubeconfig=/root/.kube/read.config"
-
- - name: 选择只读kubeconfig默认上下文
- shell: "{{ base_dir }}/bin/kubectl config use-context {{ CLUSTER_NAME }} \
- --kubeconfig=/root/.kube/read.config"
- tags: create_ro_kctl_cfg
diff --git a/roles/deploy/tasks/main.yml b/roles/deploy/tasks/main.yml
index 8c75c56..f792a3d 100644
--- a/roles/deploy/tasks/main.yml
+++ b/roles/deploy/tasks/main.yml
@@ -25,14 +25,10 @@
 shell: "cd {{ base_dir }}/.cluster/ssl && \
 {{ base_dir }}/bin/cfssl gencert -initca ca-csr.json | {{ base_dir }}/bin/cfssljson -bare ca"
 
-#----------- 创建admin kubectl kubeconfig文件: /root/.kube/config
+#----------- 创建配置文件: /root/.kube/config
 - import_tasks: create-kubectl-kubeconfig.yml
 tags: create_kctl_cfg
 
-#-----------可选创建只读kubeconfig文件: /root/.kube/read.config
-- import_tasks: create-kubectl-ro-kubeconfig.yml
- when: "CREATE_READONLY_KUBECONFIG"
-
 #------------创建配置文件: kube-proxy.kubeconfig
 - import_tasks: create-kube-proxy-kubeconfig.yml
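Review bot: The new comment `#----------- 创建配置文件: /root/.kube/config` no longer says which privilege level the file will carry, although that now depends on `USER_NAME` instead of on the separate, opt-in import this hunk removes; because `import_tasks: create-kubectl-kubeconfig.yml` runs on every full play as well as under `-t create_kctl_cfg`, an operator who sets `USER_NAME: read` persistently (inventory or group_vars rather than `-e`) would regenerate `/root/.kube/config` as read-only on the next deployment, and any later role that shells out to kubectl would presumably fail with Forbidden. I would make the comment carry that caveat: `#----------- create kubectl kubeconfig /root/.kube/config; privilege follows USER_NAME (default admin) -- set it only via -e for the read-only case`. How the imported file itself handles `USER_NAME` is outside this hunk.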