kubeasz/docs/op/kcfg-adm.md

# Managing client kubeconfig
By default, once the k8s cluster has been installed, a client kubeconfig is generated that holds every cluster administration permission. Do not let this admin-privileged kubeconfig, which is valid for 50 years, leak out. What is usually needed instead is to hand out kubeconfigs with limited permissions and a limited lifetime to ordinary users. The ezctl tool wraps this up: it uses cfssl to issue custom user certificates and k8s's flexible RBAC binding mechanism to grant them rights.
## Usage help
```
ezctl help kcfg-adm
Usage: ezctl kcfg-adm <cluster> <args>
available <args>:
-A to add a client kubeconfig with a newly created user
-D to delete a client kubeconfig with the existed user
-L to list all of the users
-e to set expiry of the user certs in hours (ex. 24h, 8h, 240h)
-t to set a user-type (admin or view)
-u to set a user-name prefix
examples: ./ezctl kcfg-adm test-k8s -L
./ezctl kcfg-adm default -A -e 240h -t admin -u jack
./ezctl kcfg-adm default -D -u jim-202101162141
```
- The expiry time can be set
- The permission level can be set: administrator (admin) or read-only (view)
## Usage examples
- 1. List the current custom kubeconfigs of cluster k8s-01
```
ezctl kcfg-adm k8s-01 -L
2021-01-24 16:32:43 INFO list-kcfg k8s-01
2021-01-24 16:32:43 INFO list-kcfg in cluster:k8s-01
USER TYPE EXPIRY(+8h if in Asia/Shanghai)
---------------------------------------------------------------------------------
2021-01-24 16:32:43 INFO list-kcfg k8s-01 success
```
Initially the list is empty.
- 2. Add a custom user kubeconfig to cluster k8s-01: user name user01, validity 24h, read-only permission
```
ezctl kcfg-adm k8s-01 -A -u user01 -e 24h -t view
2021-01-24 17:32:33 INFO add-kcfg k8s-01
2021-01-24 17:32:33 INFO add-kcfg in cluster:k8s-01 with user:user01-202101241732
PLAY [localhost] *****************************************************************************************************
...(output omitted here)
TASK [deploy : debug] ************************************************************************************************
ok: [localhost] => {
"msg": "查看user01-202101241732自定义kubeconfig/etc/kubeasz/clusters/k8s-01/ssl/users/user01-202101241732.kubeconfig"
}
PLAY RECAP ***********************************************************************************************************
localhost : ok=12 changed=10 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
2021-01-24 17:32:41 INFO add-kcfg k8s-01 success
```
The generated kubeconfig is located at /etc/kubeasz/clusters/k8s-01/ssl/users/user01-202101241732.kubeconfig
- 3. Add another user, user02, with validity 240h and admin permission
```
ezctl kcfg-adm k8s-01 -A -u user02 -e 240h -t admin
2021-01-24 18:38:47 INFO add-kcfg k8s-01
2021-01-24 18:38:47 INFO add-kcfg in cluster:k8s-01 with user:user02-202101241838
PLAY [localhost] *****************************************************************************************************
...(output omitted here)
TASK [deploy : debug] ************************************************************************************************
ok: [localhost] => {
"msg": "查看user02-202101241838自定义kubeconfig/etc/kubeasz/clusters/k8s-01/ssl/users/user02-202101241838.kubeconfig"
}
PLAY RECAP ***********************************************************************************************************
localhost : ok=12 changed=9 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
2021-01-24 18:38:55 INFO add-kcfg k8s-01 success
```
- 4. List the custom kubeconfigs of cluster k8s-01 again
```
ezctl kcfg-adm k8s-01 -L
2021-01-24 18:40:30 INFO list-kcfg k8s-01
2021-01-24 18:40:30 INFO list-kcfg in cluster:k8s-01
USER TYPE EXPIRY(+8h if in Asia/Shanghai)
---------------------------------------------------------------------------------
user02-202101241838 cluster-admin 2021-02-03T10:34:00Z
user01-202101241732 view 2021-01-25T09:28:00Z
2021-01-24 18:40:31 INFO list-kcfg k8s-01 success
```
- 5. Delete the permissions of user01-202101241732
``` bash
ezctl kcfg-adm k8s-01 -D -u user01-202101241732
2021-01-24 21:41:50 INFO del-kcfg k8s-01
2021-01-24 21:41:50 INFO del-kcfg in cluster:k8s-01 with user:user01-202101241732
clusterrolebinding.rbac.authorization.k8s.io "crb-user01-202101241732" deleted
2021-01-24 21:41:50 INFO del-kcfg k8s-01 success
ezctl kcfg-adm k8s-01 -L
2021-01-24 21:42:02 INFO list-kcfg k8s-01
2021-01-24 21:42:02 INFO list-kcfg in cluster:k8s-01
USER TYPE EXPIRY(+8h if in Asia/Shanghai)
---------------------------------------------------------------------------------
user02-202101241838 cluster-admin 2021-02-03T10:34:00Z
2021-01-24 21:42:02 INFO list-kcfg k8s-01 success
```
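The listing in steps 4 and 5 is the place to confirm that each user really got the type (-t) and lifetime (-e) that was requested. The script below is an added example, not part of kubeasz or ezctl: it parses a `-L` listing, maps the `-t` type to the ClusterRole shown in the TYPE column (admin → cluster-admin, view → view, as in the listing above), reconstructs the `<prefix>-YYYYMMDDHHMM` user name from the add-kcfg timestamp, and computes the expected EXPIRY. The expiry computation assumes cfssl's default signer behaviour (NotBefore = signing time rounded to the minute and backdated 5 minutes, NotAfter = NotBefore + expiry); the timestamps and listing rows embedded as sample data are copied from the steps above, and the `crb-<user>` ClusterRoleBinding manifest is the equivalent of the binding deleted in step 5.

```python
"""
Added example (not kubeasz code): verify that the users printed by
`ezctl kcfg-adm <cluster> -L` carry the type and certificate expiry that
were requested with -t and -e when they were added.
"""
import re
from datetime import datetime, timedelta, timezone

# -t user type -> ClusterRole its binding grants (as shown in the TYPE column above).
USER_TYPE_TO_CLUSTERROLE = {"admin": "cluster-admin", "view": "view"}


def parse_expiry_hours(expiry: str) -> int:
    """Parse an -e value such as '24h' or '240h' into a positive number of hours."""
    m = re.fullmatch(r"(\d+)h", expiry.strip())
    if not m or int(m.group(1)) <= 0:
        raise ValueError(f"expiry must be a positive number of hours like '24h', got {expiry!r}")
    return int(m.group(1))


def _parse_local(ts: str) -> datetime:
    """Parse a timestamp as printed in the ezctl log lines, e.g. '2021-01-24 18:38:47'."""
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def user_name(prefix: str, added_at_local: str) -> str:
    """ezctl suffixes the -u prefix with the add time as YYYYMMDDHHMM (user01-202101241732)."""
    return f"{prefix}-{_parse_local(added_at_local).strftime('%Y%m%d%H%M')}"


def expected_not_after(added_at_local: str, utc_offset_hours: int, expiry: str) -> str:
    """
    Expected NotAfter of the cfssl-issued user certificate, in the EXPIRY column format.
    Assumption (cfssl default signer behaviour): NotBefore is the signing time rounded
    to the minute and backdated by 5 minutes; NotAfter = NotBefore + expiry.
    """
    local_tz = timezone(timedelta(hours=utc_offset_hours))
    signed_utc = _parse_local(added_at_local).replace(tzinfo=local_tz).astimezone(timezone.utc)
    rounded = signed_utc.replace(second=0, microsecond=0)
    if signed_utc.second >= 30:  # round half up, like Go's time.Round(time.Minute)
        rounded += timedelta(minutes=1)
    not_before = rounded - timedelta(minutes=5)
    not_after = not_before + timedelta(hours=parse_expiry_hours(expiry))
    return not_after.strftime("%Y-%m-%dT%H:%M:%SZ")


def clusterrolebinding_manifest(user: str, user_type: str) -> dict:
    """ClusterRoleBinding equivalent to the crb-<user> binding ezctl creates and deletes."""
    return {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "ClusterRoleBinding",
        "metadata": {"name": f"crb-{user}"},
        "subjects": [{"kind": "User", "name": user, "apiGroup": "rbac.authorization.k8s.io"}],
        "roleRef": {"kind": "ClusterRole", "name": USER_TYPE_TO_CLUSTERROLE[user_type],
                    "apiGroup": "rbac.authorization.k8s.io"},
    }


def parse_listing(text: str) -> dict:
    """Turn the USER / TYPE / EXPIRY rows of a -L listing into {user: (type, expiry)}."""
    rows = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and re.fullmatch(r"\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ", parts[2]):
            rows[parts[0]] = (parts[1], parts[2])
    return rows


def check_user(listing: dict, prefix: str, user_type: str, expiry: str,
               added_at_local: str, utc_offset_hours: int = 8) -> list:
    """Return discrepancies between the listing and what was requested (empty list = OK)."""
    user = user_name(prefix, added_at_local)
    if user not in listing:
        return [f"{user}: not present in listing"]
    actual_type, actual_expiry = listing[user]
    want_type = USER_TYPE_TO_CLUSTERROLE[user_type]
    want_expiry = expected_not_after(added_at_local, utc_offset_hours, expiry)
    problems = []
    if actual_type != want_type:
        problems.append(f"{user}: type {actual_type}, expected {want_type}")
    if actual_expiry != want_expiry:
        problems.append(f"{user}: expiry {actual_expiry}, expected {want_expiry}")
    return problems


# Constructed sample: the step-4 listing, checked against the add times from steps 2 and 3.
SAMPLE_LISTING = """\
USER TYPE EXPIRY(+8h if in Asia/Shanghai)
---------------------------------------------------------------------------------
user02-202101241838 cluster-admin 2021-02-03T10:34:00Z
user01-202101241732 view 2021-01-25T09:28:00Z
"""

if __name__ == "__main__":
    rows = parse_listing(SAMPLE_LISTING)
    for args in [("user01", "view", "24h", "2021-01-24 17:32:33"),
                 ("user02", "admin", "240h", "2021-01-24 18:38:47")]:
        print(args[0], check_user(rows, *args) or "OK")
```

Run against the listing above, both users check out. Note what `-D` does and does not do: step 5 only deletes the `crb-<user>` ClusterRoleBinding, so the user immediately loses the bound role, but the certificate itself stays valid until its NotAfter because kube-apiserver does not consult certificate revocation lists. That is the reason to keep `-e` short rather than relying on deletion to invalidate a leaked kubeconfig.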