mirror of https://github.com/easzlab/kubeasz.git
45 lines
1.8 KiB
YAML
45 lines
1.8 KiB
YAML
- hosts: deploy
|
||
tasks:
|
||
- name: 在deploy 节点创建相关目录
|
||
file: path=/opt/kube/kube-system state=directory
|
||
|
||
- name: 下载 group:read rbac 文件
|
||
copy: src=read-group-rbac.yaml dest=/opt/kube/kube-system/read-group-rbac.yaml
|
||
|
||
- name: 创建group:read rbac 绑定
|
||
shell: "{{ bin_dir }}/kubectl apply -f /opt/kube/kube-system/read-group-rbac.yaml"
|
||
|
||
- name: 删除原有kubeconfig
|
||
file: path=/root/.kube state=absent
|
||
|
||
# 创建readonly kubectl kubeconfig文件: /root/.kube/config
|
||
- name: 准备kubectl使用的read 证书签名请求
|
||
template: src=read-csr.json.j2 dest={{ ca_dir }}/read-csr.json
|
||
|
||
- name: 创建 read证书与私钥
|
||
shell: "cd {{ ca_dir }} && {{ bin_dir }}/cfssl gencert \
|
||
-ca={{ ca_dir }}/ca.pem \
|
||
-ca-key={{ ca_dir }}/ca-key.pem \
|
||
-config={{ ca_dir }}/ca-config.json \
|
||
-profile=kubernetes read-csr.json | {{ bin_dir }}/cfssljson -bare read"
|
||
# 设置集群参数,指定CA证书和apiserver地址
|
||
- name: 设置集群参数
|
||
shell: "{{ bin_dir }}/kubectl config set-cluster kubernetes \
|
||
--certificate-authority={{ ca_dir }}/ca.pem \
|
||
--embed-certs=true \
|
||
--server={{ KUBE_APISERVER }}"
|
||
# 设置客户端认证参数,指定使用read证书和私钥
|
||
- name: 设置客户端认证参数
|
||
shell: "{{ bin_dir }}/kubectl config set-credentials read \
|
||
--client-certificate={{ ca_dir }}/read.pem \
|
||
--embed-certs=true \
|
||
--client-key={{ ca_dir }}/read-key.pem"
|
||
# 设置上下文参数,说明使用cluster集群和用户read
|
||
- name: 设置上下文参数
|
||
shell: "{{ bin_dir }}/kubectl config set-context kubernetes \
|
||
--cluster=kubernetes --user=read"
|
||
# 选择默认上下文
|
||
- name: 选择默认上下文
|
||
shell: "{{ bin_dir }}/kubectl config use-context kubernetes"
|
||
|