- hosts: deploy tasks: - name: 在deploy 节点创建相关目录 file: path=/opt/kube/kube-system state=directory - name: 下载 group:read rbac 文件 copy: src=read-group-rbac.yaml dest=/opt/kube/kube-system/read-group-rbac.yaml - name: 创建group:read rbac 绑定 shell: "{{ bin_dir }}/kubectl apply -f /opt/kube/kube-system/read-group-rbac.yaml" - name: 删除原有kubeconfig file: path=/root/.kube state=absent # 创建readonly kubectl kubeconfig文件: /root/.kube/config - name: 准备kubectl使用的read 证书签名请求 template: src=read-csr.json.j2 dest={{ ca_dir }}/read-csr.json - name: 创建 read证书与私钥 shell: "cd {{ ca_dir }} && {{ bin_dir }}/cfssl gencert \ -ca={{ ca_dir }}/ca.pem \ -ca-key={{ ca_dir }}/ca-key.pem \ -config={{ ca_dir }}/ca-config.json \ -profile=kubernetes read-csr.json | {{ bin_dir }}/cfssljson -bare read" # 设置集群参数,指定CA证书和apiserver地址 - name: 设置集群参数 shell: "{{ bin_dir }}/kubectl config set-cluster kubernetes \ --certificate-authority={{ ca_dir }}/ca.pem \ --embed-certs=true \ --server={{ KUBE_APISERVER }}" # 设置客户端认证参数,指定使用read证书和私钥 - name: 设置客户端认证参数 shell: "{{ bin_dir }}/kubectl config set-credentials read \ --client-certificate={{ ca_dir }}/read.pem \ --embed-certs=true \ --client-key={{ ca_dir }}/read-key.pem" # 设置上下文参数,说明使用cluster集群和用户read - name: 设置上下文参数 shell: "{{ bin_dir }}/kubectl config set-context kubernetes \ --cluster=kubernetes --user=read" # 选择默认上下文 - name: 选择默认上下文 shell: "{{ bin_dir }}/kubectl config use-context kubernetes"