mirror of https://github.com/easzlab/kubeasz.git
分离生成read权限kubeconfig #727
parent
10ccdda640
commit
faf78af62a
|
@ -4,12 +4,29 @@
|
|||
|
||||
## 创建
|
||||
|
||||
- 备份下原先 admin 权限的 kubeconfig 文件:`mv ~/.kube ~/.kubeadmin`
|
||||
- 执行 `ansible-playbook /etc/ansible/01.prepare.yml -t create_kctl_cfg -e USER_NAME=read`,成功后查看~/.kube/config 即为只读权限
|
||||
- 执行如下命令成功后查看/root/.kube/read.config 即为只读权限
|
||||
|
||||
```
|
||||
ansible-playbook /etc/ansible/roles/deploy/deploy.yml -t create_ro_kctl_cfg -e CREATE_READONLY_KUBECONFIG=true
|
||||
```
|
||||
|
||||
- 验证只读权限
|
||||
|
||||
```
|
||||
$ kubectl --kubeconfig=/root/.kube/read.config get deploy -n kube-system
|
||||
NAME READY UP-TO-DATE AVAILABLE AGE
|
||||
coredns 2/2 2 2 13d
|
||||
dashboard-metrics-scraper 1/1 1 1 13d
|
||||
kubernetes-dashboard 1/1 1 1 13d
|
||||
metrics-server 1/1 1 1 13d
|
||||
traefik-ingress-controller 1/1 1 1 13d
|
||||
$ kubectl --kubeconfig=/root/.kube/read.config delete deploy kubernetes-dashboard -n kube-system
|
||||
Error from server (Forbidden): deployments.apps "kubernetes-dashboard" is forbidden: User "read" cannot delete resource "deployments" in API group "apps" in the namespace "kube-system"
|
||||
```
|
||||
|
||||
## 讲解
|
||||
|
||||
对照文件`/etc/ansible/roles/deploy/tasks/main.yml`,创建主要包括三个步骤:
|
||||
对照文件`/etc/ansible/roles/deploy/tasks/create-ro-kubeconfig.yml`,创建主要包括三个步骤:
|
||||
|
||||
- 创建 group:read rbac 权限
|
||||
- 创建 read 用户证书和私钥
|
||||
|
@ -57,12 +74,9 @@ kubeconfig 为与apiserver交互使用的认证配置文件,如脚本步骤需
|
|||
- 设置上下文参数,指定使用cluster集群和用户read
|
||||
- 设置指定默认上下文
|
||||
|
||||
创建完成后生成默认配置文件为 `~/.kube/config`
|
||||
创建完成后生成配置文件为`/root/.kube/read.config`,可以将该文件发给只读权限的普通用户
|
||||
|
||||
## 恢复 admin 权限
|
||||
|
||||
- 可以恢复之前备份的`~/.kubeadmin`文件:`mv ~/.kube ~/.kuberead && mv ~/.kubeadmin ~/.kube`
|
||||
- 或者直接执行 `ansible-playbook /etc/ansible/01.prepare.yml -t create_kctl_cfg`
|
||||
## 关联阅读[访问dashboard](../guide/dashboard.md)中的只读kubeconfig登陆相关内容
|
||||
|
||||
## 参考
|
||||
|
||||
|
|
|
@ -5,9 +5,6 @@ CERT_EXPIRY: "438000h"
|
|||
# apiserver 默认第一个master节点
|
||||
KUBE_APISERVER: "https://{{ groups['kube-master'][0] }}:6443"
|
||||
|
||||
# kubeconfig 配置参数,注意权限根据‘USER_NAME’设置:
|
||||
# 'admin' 表示创建集群管理员(所有)权限的 kubeconfig
|
||||
# 'read' 表示创建只读权限的 kubeconfig
|
||||
CLUSTER_NAME: "cluster1"
|
||||
USER_NAME: "admin"
|
||||
CONTEXT_NAME: "context-{{ CLUSTER_NAME }}-{{ USER_NAME }}"
|
||||
|
||||
CREATE_READONLY_KUBECONFIG: false
|
||||
|
|
|
@ -0,0 +1,40 @@
|
|||
- block:
|
||||
- name: 下载 group:read rbac 文件
|
||||
copy: src=read-group-rbac.yaml dest=/tmp/read-group-rbac.yaml
|
||||
|
||||
- name: 创建group:read rbac 绑定
|
||||
shell: "{{ base_dir }}/bin/kubectl apply -f /tmp/read-group-rbac.yaml"
|
||||
|
||||
- name: 准备kubectl使用的read证书签名请求
|
||||
template: src=read-csr.json.j2 dest={{ base_dir }}/.cluster/ssl/read-csr.json
|
||||
|
||||
- name: 创建read证书与私钥
|
||||
shell: "cd {{ base_dir }}/.cluster/ssl && {{ base_dir }}/bin/cfssl gencert \
|
||||
-ca=ca.pem \
|
||||
-ca-key=ca-key.pem \
|
||||
-config=ca-config.json \
|
||||
-profile=kubernetes read-csr.json | {{ base_dir }}/bin/cfssljson -bare read"
|
||||
|
||||
- name: 设置只读kubeconfig集群参数
|
||||
shell: "{{ base_dir }}/bin/kubectl config set-cluster {{ CLUSTER_NAME }} \
|
||||
--certificate-authority={{ base_dir }}/.cluster/ssl/ca.pem \
|
||||
--embed-certs=true \
|
||||
--server={{ KUBE_APISERVER }} \
|
||||
--kubeconfig=/root/.kube/read.config"
|
||||
|
||||
- name: 设置只读kubeconfig客户端认证参数
|
||||
shell: "{{ base_dir }}/bin/kubectl config set-credentials read \
|
||||
--client-certificate={{ base_dir }}/.cluster/ssl/read.pem \
|
||||
--embed-certs=true \
|
||||
--client-key={{ base_dir }}/.cluster/ssl/read-key.pem \
|
||||
--kubeconfig=/root/.kube/read.config"
|
||||
|
||||
- name: 设置只读kubeconfig上下文参数
|
||||
shell: "{{ base_dir }}/bin/kubectl config set-context {{ CLUSTER_NAME }} \
|
||||
--cluster={{ CLUSTER_NAME }} --user=read \
|
||||
--kubeconfig=/root/.kube/read.config"
|
||||
|
||||
- name: 选择只读kubeconfig默认上下文
|
||||
shell: "{{ base_dir }}/bin/kubectl config use-context {{ CLUSTER_NAME }} \
|
||||
--kubeconfig=/root/.kube/read.config"
|
||||
tags: create_ro_kctl_cfg
|
|
@ -25,29 +25,21 @@
|
|||
shell: "cd {{ base_dir }}/.cluster/ssl && \
|
||||
{{ base_dir }}/bin/cfssl gencert -initca ca-csr.json | {{ base_dir }}/bin/cfssljson -bare ca"
|
||||
|
||||
#----------- 创建kubectl kubeconfig文件: /root/.kube/config
|
||||
#----------- 创建admin kubectl kubeconfig文件: /root/.kube/config
|
||||
- block:
|
||||
- name: 删除原有kubeconfig
|
||||
file: path=/root/.kube/config state=absent
|
||||
ignore_errors: true
|
||||
|
||||
- name: 下载 group:read rbac 文件
|
||||
copy: src=read-group-rbac.yaml dest=/tmp/read-group-rbac.yaml
|
||||
when: USER_NAME == "read"
|
||||
- name: 准备kubectl使用的admin证书签名请求
|
||||
template: src=admin-csr.json.j2 dest={{ base_dir }}/.cluster/ssl/admin-csr.json
|
||||
|
||||
- name: 创建group:read rbac 绑定
|
||||
shell: "{{ base_dir }}/bin/kubectl apply -f /tmp/read-group-rbac.yaml"
|
||||
when: USER_NAME == "read"
|
||||
|
||||
- name: 准备kubectl使用的{{ USER_NAME }}证书签名请求
|
||||
template: src={{ USER_NAME }}-csr.json.j2 dest={{ base_dir }}/.cluster/ssl/{{ USER_NAME }}-csr.json
|
||||
|
||||
- name: 创建{{ USER_NAME }}证书与私钥
|
||||
- name: 创建admin证书与私钥
|
||||
shell: "cd {{ base_dir }}/.cluster/ssl && {{ base_dir }}/bin/cfssl gencert \
|
||||
-ca=ca.pem \
|
||||
-ca-key=ca-key.pem \
|
||||
-config=ca-config.json \
|
||||
-profile=kubernetes {{ USER_NAME }}-csr.json | {{ base_dir }}/bin/cfssljson -bare {{ USER_NAME }}"
|
||||
-profile=kubernetes admin-csr.json | {{ base_dir }}/bin/cfssljson -bare admin"
|
||||
|
||||
- name: 设置集群参数
|
||||
shell: "{{ base_dir }}/bin/kubectl config set-cluster {{ CLUSTER_NAME }} \
|
||||
|
@ -56,19 +48,23 @@
|
|||
--server={{ KUBE_APISERVER }}"
|
||||
|
||||
- name: 设置客户端认证参数
|
||||
shell: "{{ base_dir }}/bin/kubectl config set-credentials {{ USER_NAME }} \
|
||||
--client-certificate={{ base_dir }}/.cluster/ssl/{{ USER_NAME }}.pem \
|
||||
shell: "{{ base_dir }}/bin/kubectl config set-credentials admin \
|
||||
--client-certificate={{ base_dir }}/.cluster/ssl/admin.pem \
|
||||
--embed-certs=true \
|
||||
--client-key={{ base_dir }}/.cluster/ssl/{{ USER_NAME }}-key.pem"
|
||||
--client-key={{ base_dir }}/.cluster/ssl/admin-key.pem"
|
||||
|
||||
- name: 设置上下文参数
|
||||
shell: "{{ base_dir }}/bin/kubectl config set-context {{ CONTEXT_NAME }} \
|
||||
--cluster={{ CLUSTER_NAME }} --user={{ USER_NAME }}"
|
||||
shell: "{{ base_dir }}/bin/kubectl config set-context {{ CLUSTER_NAME }} \
|
||||
--cluster={{ CLUSTER_NAME }} --user=admin"
|
||||
|
||||
- name: 选择默认上下文
|
||||
shell: "{{ base_dir }}/bin/kubectl config use-context {{ CONTEXT_NAME }}"
|
||||
shell: "{{ base_dir }}/bin/kubectl config use-context {{ CLUSTER_NAME }}"
|
||||
tags: create_kctl_cfg
|
||||
|
||||
#-----------可选创建只读kubeconfig文件: /root/.kube/read.config
|
||||
- import_tasks: create-ro-kubeconfig.yml
|
||||
when: "CREATE_READONLY_KUBECONFIG"
|
||||
|
||||
#------------创建kube-proxy配置文件: kube-proxy.kubeconfig
|
||||
- name: 准备kube-proxy 证书签名请求
|
||||
template: src=kube-proxy-csr.json.j2 dest={{ base_dir }}/.cluster/ssl/kube-proxy-csr.json
|
||||
|
|
Loading…
Reference in New Issue