From faf78af62a477b905a1d5b09c3b60f8810d96652 Mon Sep 17 00:00:00 2001 From: gjmzj Date: Sun, 17 Nov 2019 01:51:29 +0000 Subject: [PATCH] =?UTF-8?q?=E5=88=86=E7=A6=BB=E7=94=9F=E6=88=90read?= =?UTF-8?q?=E6=9D=83=E9=99=90kubeconfig=20#727?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- docs/op/readonly_kubectl.md | 30 +++++++++++----- roles/deploy/defaults/main.yml | 7 ++-- roles/deploy/tasks/create-ro-kubeconfig.yml | 40 +++++++++++++++++++++ roles/deploy/tasks/main.yml | 34 ++++++++---------- 4 files changed, 79 insertions(+), 32 deletions(-) create mode 100644 roles/deploy/tasks/create-ro-kubeconfig.yml diff --git a/docs/op/readonly_kubectl.md b/docs/op/readonly_kubectl.md index 0a06ace..f3c08b2 100644 --- a/docs/op/readonly_kubectl.md +++ b/docs/op/readonly_kubectl.md @@ -4,12 +4,29 @@ ## 创建 -- 备份下原先 admin 权限的 kubeconfig 文件:`mv ~/.kube ~/.kubeadmin` -- 执行 `ansible-playbook /etc/ansible/01.prepare.yml -t create_kctl_cfg -e USER_NAME=read`,成功后查看~/.kube/config 即为只读权限 +- 执行如下命令成功后查看/root/.kube/read.config 即为只读权限 + +``` +ansible-playbook /etc/ansible/roles/deploy/deploy.yml -t create_ro_kctl_cfg -e CREATE_READONLY_KUBECONFIG=true +``` + +- 验证只读权限 + +``` +$ kubectl --kubeconfig=/root/.kube/read.config get deploy -n kube-system +NAME READY UP-TO-DATE AVAILABLE AGE +coredns 2/2 2 2 13d +dashboard-metrics-scraper 1/1 1 1 13d +kubernetes-dashboard 1/1 1 1 13d +metrics-server 1/1 1 1 13d +traefik-ingress-controller 1/1 1 1 13d +$ kubectl --kubeconfig=/root/.kube/read.config delete deploy kubernetes-dashboard -n kube-system +Error from server (Forbidden): deployments.apps "kubernetes-dashboard" is forbidden: User "read" cannot delete resource "deployments" in API group "apps" in the namespace "kube-system" +``` ## 讲解 -对照文件`/etc/ansible/roles/deploy/tasks/main.yml`,创建主要包括三个步骤: +对照文件`/etc/ansible/roles/deploy/tasks/create-ro-kubeconfig.yml`,创建主要包括三个步骤: - 创建 group:read rbac 权限 - 创建 read 用户证书和私钥 
@@ -57,12 +74,9 @@ kubeconfig 为与apiserver交互使用的认证配置文件,如脚本步骤需 - 设置上下文参数,指定使用cluster集群和用户read - 设置指定默认上下文 -创建完成后生成默认配置文件为 `~/.kube/config` +创建完成后生成配置文件为`/root/.kube/read.config`,可以将该文件发给只读权限的普通用户 -## 恢复 admin 权限 - -- 可以恢复之前备份的`~/.kubeadmin`文件:`mv ~/.kube ~/.kuberead && mv ~/.kubeadmin ~/.kube` -- 或者直接执行 `ansible-playbook /etc/ansible/01.prepare.yml -t create_kctl_cfg` +## 关联阅读[访问dashboard](../guide/dashboard.md)中的只读kubeconfig登陆相关内容 ## 参考 diff --git a/roles/deploy/defaults/main.yml b/roles/deploy/defaults/main.yml index d402c64..1fbeb06 100644 --- a/roles/deploy/defaults/main.yml +++ b/roles/deploy/defaults/main.yml @@ -5,9 +5,6 @@ CERT_EXPIRY: "438000h" # apiserver 默认第一个master节点 KUBE_APISERVER: "https://{{ groups['kube-master'][0] }}:6443" -# kubeconfig 配置参数,注意权限根据‘USER_NAME’设置: -# 'admin' 表示创建集群管理员(所有)权限的 kubeconfig -# 'read' 表示创建只读权限的 kubeconfig CLUSTER_NAME: "cluster1" -USER_NAME: "admin" -CONTEXT_NAME: "context-{{ CLUSTER_NAME }}-{{ USER_NAME }}" + +CREATE_READONLY_KUBECONFIG: false diff --git a/roles/deploy/tasks/create-ro-kubeconfig.yml b/roles/deploy/tasks/create-ro-kubeconfig.yml new file mode 100644 index 0000000..01207c1 --- /dev/null +++ b/roles/deploy/tasks/create-ro-kubeconfig.yml 
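Review bot: In roles/deploy/defaults/main.yml the new `CREATE_READONLY_KUBECONFIG: false` replaces the removed `USER_NAME`/`CONTEXT_NAME` block but inherits none of its explanatory comment, so the defaults file no longer says what the flag does or where its output goes; add above it `# Set to true to additionally generate a read-only kubeconfig at /root/.kube/read.config (tasks/create-ro-kubeconfig.yml, tag create_ro_kctl_cfg)`. Any playbook, template or other role that still references `USER_NAME` or `CONTEXT_NAME` will now fail with an undefined variable; that cannot be checked from this patch, so grep the tree before merging.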
@@ -0,0 +1,40 @@
+- block:
+ - name: 下载 group:read rbac 文件
+ copy: src=read-group-rbac.yaml dest=/tmp/read-group-rbac.yaml
+
+ - name: 创建group:read rbac 绑定
+ shell: "{{ base_dir }}/bin/kubectl apply -f /tmp/read-group-rbac.yaml"
+
+ - name: 准备kubectl使用的read证书签名请求
+ template: src=read-csr.json.j2 dest={{ base_dir }}/.cluster/ssl/read-csr.json
+
+ - name: 创建read证书与私钥
+ shell: "cd {{ base_dir }}/.cluster/ssl && {{ base_dir }}/bin/cfssl gencert \
+ -ca=ca.pem \
+ -ca-key=ca-key.pem \
+ -config=ca-config.json \
+ -profile=kubernetes read-csr.json | {{ base_dir }}/bin/cfssljson -bare read"
+
+ - name: 设置只读kubeconfig集群参数
+ shell: "{{ base_dir }}/bin/kubectl config set-cluster {{ CLUSTER_NAME }} \
+ --certificate-authority={{ base_dir }}/.cluster/ssl/ca.pem \
+ --embed-certs=true \
+ --server={{ KUBE_APISERVER }} \
+ --kubeconfig=/root/.kube/read.config"
+
+ - name: 设置只读kubeconfig客户端认证参数
+ shell: "{{ base_dir }}/bin/kubectl config set-credentials read \
+ --client-certificate={{ base_dir }}/.cluster/ssl/read.pem \
+ --embed-certs=true \
+ --client-key={{ base_dir }}/.cluster/ssl/read-key.pem \
+ --kubeconfig=/root/.kube/read.config"
+
+ - name: 设置只读kubeconfig上下文参数
+ shell: "{{ base_dir }}/bin/kubectl config set-context {{ CLUSTER_NAME }} \
+ --cluster={{ CLUSTER_NAME }} --user=read \
+ --kubeconfig=/root/.kube/read.config"
+
+ - name: 选择只读kubeconfig默认上下文
+ shell: "{{ base_dir }}/bin/kubectl config use-context {{ CLUSTER_NAME }} \
+ --kubeconfig=/root/.kube/read.config"
+ tags: create_ro_kctl_cfg
diff --git a/roles/deploy/tasks/main.yml b/roles/deploy/tasks/main.yml
index f92dfeb..1ac2fa6 100644
--- a/roles/deploy/tasks/main.yml
+++ b/roles/deploy/tasks/main.yml
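Review bot: The RBAC manifest is staged at the fixed, world-writable path `/tmp/read-group-rbac.yaml` in the first task and read back by `kubectl apply` in the second, so a local unprivileged user on the deploy host could in principle swap the file between the two tasks and decide what cluster-level RBAC gets applied as root; stage it under a root-owned directory instead, e.g. `copy: src=read-group-rbac.yaml dest={{ base_dir }}/.cluster/read-group-rbac.yaml mode=0600` and apply from that path. Whether the resulting access is really read-only depends on the ClusterRole in read-group-rbac.yaml and on the group set by read-csr.json.j2, neither of which is in this patch. Because Kubernetes has no client-certificate revocation, the only way to withdraw a read.config that has already been handed out (it embeds the private key via `--embed-certs=true`) is to delete the group:read binding or rotate the CA; a comment above `- block:` saying so would help whoever distributes the file. All four `kubectl config` commands update `/root/.kube/read.config` in place, so a file left from an earlier run keeps any extra users or contexts; the admin block's `file: path=... state=absent` step has no counterpart here.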
@@ -25,29 +25,21 @@ shell: "cd {{ base_dir }}/.cluster/ssl && \ {{ base_dir }}/bin/cfssl gencert -initca ca-csr.json | {{ base_dir }}/bin/cfssljson -bare ca" -#----------- 创建kubectl kubeconfig文件: /root/.kube/config +#----------- 创建admin kubectl kubeconfig文件: /root/.kube/config - block: - name: 删除原有kubeconfig file: path=/root/.kube/config state=absent ignore_errors: true - - name: 下载 group:read rbac 文件 - copy: src=read-group-rbac.yaml dest=/tmp/read-group-rbac.yaml - when: USER_NAME == "read" + - name: 准备kubectl使用的admin证书签名请求 + template: src=admin-csr.json.j2 dest={{ base_dir }}/.cluster/ssl/admin-csr.json - - name: 创建group:read rbac 绑定 - shell: "{{ base_dir }}/bin/kubectl apply -f /tmp/read-group-rbac.yaml" - when: USER_NAME == "read" - - - name: 准备kubectl使用的{{ USER_NAME }}证书签名请求 - template: src={{ USER_NAME }}-csr.json.j2 dest={{ base_dir }}/.cluster/ssl/{{ USER_NAME }}-csr.json - - - name: 创建{{ USER_NAME }}证书与私钥 + - name: 创建admin证书与私钥 shell: "cd {{ base_dir }}/.cluster/ssl && {{ base_dir }}/bin/cfssl gencert \ -ca=ca.pem \ -ca-key=ca-key.pem \ -config=ca-config.json \ - -profile=kubernetes {{ USER_NAME }}-csr.json | {{ base_dir }}/bin/cfssljson -bare {{ USER_NAME }}" + -profile=kubernetes admin-csr.json | {{ base_dir }}/bin/cfssljson -bare admin" - name: 设置集群参数 shell: "{{ base_dir }}/bin/kubectl config set-cluster {{ CLUSTER_NAME }} \ 
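Review bot: The new header comment promises `/root/.kube/config`, but `kubectl config set-cluster` at the end of this hunk (and set-credentials, set-context and use-context in the next hunk) runs without `--kubeconfig`, so when `KUBECONFIG` is set in the environment Ansible's shell inherits, kubectl writes the admin credentials to that file rather than the one the '删除原有kubeconfig' task just removed. The imported create-ro-kubeconfig.yml passes `--kubeconfig=/root/.kube/read.config` on every command; appending `--kubeconfig=/root/.kube/config` to the four admin commands makes the two blocks consistent and the comment accurate. The set-cluster task's remaining arguments lie outside this hunk.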
@@ -56,19 +48,23 @@ --server={{ KUBE_APISERVER }}" - name: 设置客户端认证参数 - shell: "{{ base_dir }}/bin/kubectl config set-credentials {{ USER_NAME }} \ - --client-certificate={{ base_dir }}/.cluster/ssl/{{ USER_NAME }}.pem \ + shell: "{{ base_dir }}/bin/kubectl config set-credentials admin \ + --client-certificate={{ base_dir }}/.cluster/ssl/admin.pem \ --embed-certs=true \ - --client-key={{ base_dir }}/.cluster/ssl/{{ USER_NAME }}-key.pem" + --client-key={{ base_dir }}/.cluster/ssl/admin-key.pem" - name: 设置上下文参数 - shell: "{{ base_dir }}/bin/kubectl config set-context {{ CONTEXT_NAME }} \ - --cluster={{ CLUSTER_NAME }} --user={{ USER_NAME }}" + shell: "{{ base_dir }}/bin/kubectl config set-context {{ CLUSTER_NAME }} \ + --cluster={{ CLUSTER_NAME }} --user=admin" - name: 选择默认上下文 - shell: "{{ base_dir }}/bin/kubectl config use-context {{ CONTEXT_NAME }}" + shell: "{{ base_dir }}/bin/kubectl config use-context {{ CLUSTER_NAME }}" tags: create_kctl_cfg +#-----------可选创建只读kubeconfig文件: /root/.kube/read.config +- import_tasks: create-ro-kubeconfig.yml + when: "CREATE_READONLY_KUBECONFIG" + #------------创建kube-proxy配置文件: kube-proxy.kubeconfig - name: 准备kube-proxy 证书签名请求 template: src=kube-proxy-csr.json.j2 dest={{ base_dir }}/.cluster/ssl/kube-proxy-csr.json
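Review bot: `when: "CREATE_READONLY_KUBECONFIG"` tests Jinja truthiness of the variable, and as far as I know a value given on the command line as `-e CREATE_READONLY_KUBECONFIG=false` arrives as the string "false", which is non-empty and therefore truthy, so the read-only kubeconfig would be generated anyway; only the `false` in defaults/main.yml and explicit JSON/YAML extra-vars are real booleans. Writing `when: CREATE_READONLY_KUBECONFIG | bool` makes both spellings behave the same and matches the `-e ...=true` form the documentation in this patch recommends. The admin block these changed `kubectl config` lines belong to starts in the previous hunk.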