Create the ServiceAccount
kubectl -n default create serviceaccount rdc-test
Create the ServiceAccount from YAML and set up the Role and RoleBinding
apiVersion: v1
kind: Secret
metadata:
  name: rdc-test-certs
  namespace: default
type: Opaque
---
# ------------------- Dashboard Service Account ------------------- #
apiVersion: v1
kind: ServiceAccount
metadata:
  name: rdc-test
  namespace: default
---
# ------------------- Dashboard Role & Role Binding ------------------- #
# A ClusterRole is cluster-scoped, so it carries no namespace; the RoleBinding
# below is what confines these permissions to the default namespace.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: rdc-test1
rules:
- apiGroups:
  - "*"
  resources:
  - "*"
  verbs:
  - "list"
  - "get"
  - "watch"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: rdc-test
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: rdc-test1
subjects:
- kind: ServiceAccount
  name: rdc-test
  namespace: default
This is where permissions come in. The role above is read-only: get, list and watch on every resource, but only inside the default namespace, because a ClusterRole bound through a RoleBinding is scoped to the binding's namespace. Keep in mind that resources "*" includes Secrets, so even this read-only account can read every Secret in default. If the account also needs to manage pods, extend the rules as below. Note that pods/exec and pods/attach let the holder run commands inside any pod in the namespace, and create on pods lets it start a pod that mounts any Secret or ServiceAccount token there, so the second version is effectively full access to the namespace, not just to pods.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: rdc-test1
rules:
- apiGroups:
  - "*"
  resources:
  - "*"
  verbs:
  - "list"
  - "get"
  - "watch"
- apiGroups:
  - ""
  resources:
  - "pods"
  - "pods/attach"
  - "pods/exec"
  - "pods/portforward"
  - "pods/proxy"
  verbs:
  - "create"
  - "delete"
  - "deletecollection"
  - "patch"
Run the following to collect the values needed to generate the kubeconfig file. From Kubernetes 1.24 onward a ServiceAccount no longer gets an auto-created token Secret, so .secrets[0].name comes back empty on those clusters; there, either mint a short-lived token with kubectl -n default create token rdc-test and put it in USER_TOKEN_VALUE directly, or create a Secret of type kubernetes.io/service-account-token annotated with kubernetes.io/service-account.name: rdc-test and use its name as USER_TOKEN_NAME.
export USER_TOKEN_NAME=$(kubectl -n default get serviceaccount rdc-test -o=jsonpath='{.secrets[0].name}')
export USER_TOKEN_VALUE=$(kubectl -n default get secret/${USER_TOKEN_NAME} -o=go-template='{{.data.token}}' | base64 --decode)
export CURRENT_CONTEXT=$(kubectl config current-context)
export CURRENT_CLUSTER=$(kubectl config view --raw -o=go-template='{{range .contexts}}{{if eq .name "'''${CURRENT_CONTEXT}'''"}}{{ index .context "cluster" }}{{end}}{{end}}')
export CLUSTER_CA=$(kubectl config view --raw -o=go-template='{{range .clusters}}{{if eq .name "'''${CURRENT_CLUSTER}'''"}}"{{with index .cluster "certificate-authority-data" }}{{.}}{{end}}"{{ end }}{{ end }}')
export CLUSTER_SERVER=$(kubectl config view --raw -o=go-template='{{range .clusters}}{{if eq .name "'''${CURRENT_CLUSTER}'''"}}{{ .cluster.server }}{{end}}{{ end }}')
Run the following to generate the kubeconfig file. The user name and the context namespace must match the ServiceAccount and the namespace of its RoleBinding (rdc-test in default); with the namespace set to kube-system, every request made through this kubeconfig would be denied, since nothing is bound there.
cat << EOF > rdc-config
apiVersion: v1
kind: Config
current-context: ${CURRENT_CONTEXT}
contexts:
- name: ${CURRENT_CONTEXT}
  context:
    cluster: ${CURRENT_CONTEXT}
    user: rdc-test
    namespace: default
clusters:
- name: ${CURRENT_CONTEXT}
  cluster:
    certificate-authority-data: ${CLUSTER_CA}
    server: ${CLUSTER_SERVER}
users:
- name: rdc-test
  user:
    token: ${USER_TOKEN_VALUE}
EOF
Print the token for logging in to the dashboard or calling the API directly. The Secret is the one found above (rdc-test-token-xxxxx, held in USER_TOKEN_NAME), not a Secret named rdc-token:
kubectl -n default describe secret ${USER_TOKEN_NAME} | grep -E '^token'
On 1.24+ clusters without a token Secret, kubectl -n default create token rdc-test prints an equivalent short-lived token.
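The whole procedure above in one script, as an added example that is not part of the original page: it fetches a token in a way that works both before and after Kubernetes 1.24, renders the kubeconfig, and then asks the API server what the account may actually do, both by impersonating the ServiceAccount from the admin context and through the generated kubeconfig. It assumes kubectl is on PATH and the current context has admin rights; it reads the cluster name, server and CA with jsonpath filters instead of the page's go-template lines. SA_NAME, SA_NAMESPACE, OUT, the function names and the "run" argument are this example's own conventions.

```shell
#!/usr/bin/env bash
# Added example, not from the original page. Builds a kubeconfig for the
# rdc-test ServiceAccount (works before and after Kubernetes 1.24, where token
# Secrets are no longer auto-created) and checks what the RoleBinding grants.
# Assumes kubectl on PATH and an admin current-context. SA_NAME, SA_NAMESPACE
# and OUT are this script's own variables, not anything defined by the page.
set -eu

SA_NAME="${SA_NAME:-rdc-test}"
SA_NAMESPACE="${SA_NAMESPACE:-default}"
OUT="${OUT:-rdc-config}"

# Bearer token for the ServiceAccount. Prefer a short-lived bound token
# (kubectl create token, 1.24+); fall back to the legacy token Secret
# referenced from .secrets[0] on older clusters.
sa_token() {
  tok=$(kubectl -n "$SA_NAMESPACE" create token "$SA_NAME" --duration=1h 2>/dev/null || true)
  if [ -n "$tok" ]; then
    printf '%s' "$tok"
    return 0
  fi
  secret=$(kubectl -n "$SA_NAMESPACE" get serviceaccount "$SA_NAME" -o jsonpath='{.secrets[0].name}')
  if [ -z "$secret" ]; then
    echo "no token Secret for $SA_NAME: create one of type kubernetes.io/service-account-token" >&2
    return 1
  fi
  kubectl -n "$SA_NAMESPACE" get secret "$secret" -o go-template='{{.data.token}}' | base64 --decode
}

# Pure rendering function (no kubectl), so it can be checked with made-up
# values. Arguments: $1 server URL, $2 base64 CA, $3 token, $4 namespace,
# $5 cluster/context name, $6 user name. The context's user and namespace
# line up with the ServiceAccount and its RoleBinding.
render_kubeconfig() {
  cat <<EOF
apiVersion: v1
kind: Config
current-context: $5
contexts:
- name: $5
  context:
    cluster: $5
    user: $6
    namespace: $4
clusters:
- name: $5
  cluster:
    certificate-authority-data: $2
    server: $1
users:
- name: $6
  user:
    token: $3
EOF
}

# Show what the account may do: impersonated from the admin context, and
# through the generated kubeconfig. With the read-only ClusterRole bound in
# default, expect yes for "list pods" and no for the rest.
check_access() {
  cfg="$1"
  sa="system:serviceaccount:${SA_NAMESPACE}:${SA_NAME}"
  for q in "list pods" "create pods" "create pods/exec"; do
    # $q is unquoted on purpose so it splits into verb and resource
    printf '%-24s as=%s  kubeconfig=%s\n' "$q" \
      "$(kubectl auth can-i $q -n "$SA_NAMESPACE" --as="$sa" || true)" \
      "$(kubectl --kubeconfig "$cfg" auth can-i $q || true)"
  done
  printf '%-24s kubeconfig=%s\n' "list pods (kube-system)" \
    "$(kubectl --kubeconfig "$cfg" auth can-i list pods -n kube-system || true)"
}

main() {
  ctx=$(kubectl config current-context)
  cluster=$(kubectl config view --raw -o jsonpath="{.contexts[?(@.name==\"$ctx\")].context.cluster}")
  server=$(kubectl config view --raw -o jsonpath="{.clusters[?(@.name==\"$cluster\")].cluster.server}")
  ca=$(kubectl config view --raw -o jsonpath="{.clusters[?(@.name==\"$cluster\")].cluster.certificate-authority-data}")
  token=$(sa_token)
  render_kubeconfig "$server" "$ca" "$token" "$SA_NAMESPACE" "$cluster" "$SA_NAME" > "$OUT"
  chmod 600 "$OUT"   # the file carries a bearer token
  echo "wrote $OUT"
  check_access "$OUT"
}

# Only touch the cluster when explicitly asked: ./mk-kubeconfig.sh run
if [ "${1:-}" = "run" ]; then
  main
fi
```

Run it with the single argument run against the context that created the ServiceAccount; the last table it prints is the quickest way to confirm the binding is scoped the way the YAML intended, since a yes on "create pods/exec" or on pods in kube-system means a broader role or binding than the one on this page is in effect.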