kubernetes 如何为serviceaccount创建kubectl配置文件

bwitn5fc  于 2023-01-29  发布在  Kubernetes
关注(0)|答案(5)|浏览(137)

我在Azure上有一个kubernetes群集,我创建了2个命名空间和2个服务帐户,因为我有两个团队在该群集上部署。我想为每个团队提供自己的kubeconfig文件,用于我创建的服务帐户。
我刚接触Kubernetes不久,在Kubernetes网站上还没有找到明确的说明。如何为服务帐户创建一个kube配置文件?希望有人能帮我:),我宁愿不给团队默认的kube配置文件。
谨致问候,
布拉姆

p8ekf7hl

p8ekf7hl1#

# your server name goes here
server=https://localhost:8443
# the name of the secret containing the service account token goes here
name=default-token-sg96k

ca=$(kubectl get secret/$name -o jsonpath='{.data.ca\.crt}')
token=$(kubectl get secret/$name -o jsonpath='{.data.token}' | base64 --decode)
namespace=$(kubectl get secret/$name -o jsonpath='{.data.namespace}' | base64 --decode)

echo "
apiVersion: v1
kind: Config
clusters:
- name: default-cluster
  cluster:
    certificate-authority-data: ${ca}
    server: ${server}
contexts:
- name: default-context
  context:
    cluster: default-cluster
    namespace: default
    user: default-user
current-context: default-context
users:
- name: default-user
  user:
    token: ${token}
" > sa.kubeconfig
xzlaal3s

xzlaal3s2#

我清理了一下Jordan Liggitt's script
不幸的是,我还没有被允许发表评论,所以这是一个额外的答案:
请注意,从Kubernetes 1.24开始,您需要自己使用令牌创建Secret并引用它

# The script returns a kubeconfig for the ServiceAccount given
# you need to have kubectl on PATH with the context set to the cluster you want to create the config for

# Cosmetics for the created config
clusterName='some-cluster'
# your server address goes here get it via `kubectl cluster-info`
server='https://157.90.17.72:6443'
# the Namespace and ServiceAccount name that is used for the config
namespace='kube-system'
serviceAccount='developer'

# The following automation does not work from Kubernetes 1.24 and up.
# You might need to
# define a Secret, reference the ServiceAccount there and set the secretName by hand!
# See https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#manually-create-a-long-lived-api-token-for-a-serviceaccount for details
secretName=$(kubectl --namespace="$namespace" get serviceAccount "$serviceAccount" -o=jsonpath='{.secrets[0].name}')

######################
# actual script starts
set -o errexit

ca=$(kubectl --namespace="$namespace" get secret/"$secretName" -o=jsonpath='{.data.ca\.crt}')
token=$(kubectl --namespace="$namespace" get secret/"$secretName" -o=jsonpath='{.data.token}' | base64 --decode)

echo "
---
apiVersion: v1
kind: Config
clusters:
  - name: ${clusterName}
    cluster:
      certificate-authority-data: ${ca}
      server: ${server}
contexts:
  - name: ${serviceAccount}@${clusterName}
    context:
      cluster: ${clusterName}
      namespace: ${namespace}
      user: ${serviceAccount}
users:
  - name: ${serviceAccount}
    user:
      token: ${token}
current-context: ${serviceAccount}@${clusterName}
"
rqenqsqc

rqenqsqc3#

查看https://github.com/superbrothers/kubectl-view-serviceaccount-kubeconfig-plugin
此插件有助于通过以下方式获取服务帐户配置

kubectl view-serviceaccount-kubeconfig <service_account> -n <namespace>
cygmwpex

cygmwpex4#

Kubectl可以初始化为使用群集帐户。为此,请获取群集url、群集证书和帐户令牌。

KUBE_API_EP='URL+PORT'
KUBE_API_TOKEN='TOKEN'
KUBE_CERT='REDACTED'

echo $KUBE_CERT >deploy.crt
kubectl config set-cluster k8s --server=https://$KUBE_API_EP \ 
    --certificate-authority=deploy.crt  \
    --embed-certs=true
kubectl config set-credentials gitlab-deployer --token=$KUBE_API_TOKEN
kubectl config set-context k8s --cluster k8s --user gitlab-deployer
kubectl config use-context k8s

群集文件存储在以下位置:~/.kube/config。现在可以使用以下命令访问群集:

kubectl --context=k8s get pods -n test-namespace

如果您使用自签名证书,请添加此标志--insecure-skip-tls-verify

goqiplq2

goqiplq25#

当我在寻找一种从命令行创建servicecount的方法,而不是通过透镜IDE重复的点击任务时,我回顾了这篇文章。我偶然发现了这篇文章,并采纳了原作者的想法,扩展了Kubernetes 1.24+的功能以及支持servicecount创建

#!/bin/sh

# This shell script is intended for Kubernetes clusters running 1.24+ as secrets are no longer auto-generated with serviceaccount creations
# The script does a few things: creates a serviceaccount, creates a secret for that serviceaccount (and annotates accordingly), creates a clusterrolebinding or rolebinding
# provides a kubeconfig output to the screen as well as writing to a file that can be included in the KUBECONFIG or PATH

# Feed variables to kubectl commands (modify as needed).  crb and rb can not both be true
# ------------------------------------------- #
clustername=some_cluster
name=some_user
ns=some_ns # namespace
server=https://some.server.com:6443
crb=false # clusterrolebinding
crb_name=some_binding # clusterrolebindingname_name
rb=true # rolebinding
rb_name=some_binding # rolebinding_name
# ------------------------------------------- #

# Check for existing serviceaccount first
sa_precheck=$(kubectl get sa $name -o jsonpath='{.metadata.name}' -n $ns) > /dev/null 2>&1

if [ -z "$sa_precheck" ]
then 
    kubectl create serviceaccount $name -n $ns
else
    echo "serviceacccount/"$sa_precheck" already exists"  
fi

sa_name=$(kubectl get sa $name -o jsonpath='{.metadata.name}' -n $ns)
sa_uid=$(kubectl get sa $name -o jsonpath='{.metadata.uid}' -n $ns)

# Check for existing secret/service-account-token, if one does not exist create one but do not output to external file
secret_precheck=$(kubectl get secret $sa_name-token-$sa_uid -o jsonpath='{.metadata.name}' -n $ns) > /dev/null 2>&1

if [ -z "$secret_precheck" ]
then 
    kubectl apply -f - <<EOF
    apiVersion: v1
    kind: Secret
    type: kubernetes.io/service-account-token
    metadata:
      name: $sa_name-token-$sa_uid
      namespace: $ns
      annotations:
        kubernetes.io/service-account.name: $sa_name
EOF
else
    echo "secret/"$secret_precheck" already exists"
fi

# Check for adding clusterrolebinding or rolebinding (both can not be true)
if [ "$crb" = "true" ] && [ "$rb" = "true" ] 
then
    echo "Both clusterrolebinding and rolebinding can not be true, please fix"
    exit

elif [ "$crb" = "true" ]
then
    crb_test=$(kubectl get clusterrolebinding $crb_name -o jsonpath='{.metadata.name}') > /dev/null 2>&1
    if [ "$crb_name" = "$crb_test" ]
    then
        kubectl patch clusterrolebinding $crb_name --type='json' -p='[{"op": "add", "path": "/subjects/-", "value": {"kind": "ServiceAccount", "name": '$sa_name', "namespace": '$ns' } }]'
    else
        echo "clusterrolebinding/"$crb_name" does not exist, please fix"
        exit    
    fi

elif [ "$rb" = "true" ]
then
    rb_test=$(kubectl get rolebinding $rb_name -n $ns -o jsonpath='{.metadata.name}' -n $ns) > /dev/null 2>&1
    if [ "$rb_name" = "$rb_test" ]
    then
        kubectl patch rolebinding $rb_name -n $ns --type='json' -p='[{"op": "add", "path": "/subjects/-", "value": {"kind": "ServiceAccount", "name": '$sa_name', "namespace": '$ns' } }]'
    else 
        echo "rolebinding/"$rb_name" does not exist in "$ns" namespace, please fix"
        exit
    fi
fi

# Create Kube Config and output to config file
ca=$(kubectl get secret $sa_name-token-$sa_uid -o jsonpath='{.data.ca\.crt}' -n $ns)
token=$(kubectl get secret $sa_name-token-$sa_uid -o jsonpath='{.data.token}' -n $ns | base64 --decode)

echo "
apiVersion: v1
kind: Config
clusters:
  - name: ${clustername}
    cluster:
      certificate-authority-data: ${ca}
      server: ${server}
contexts:
  - name: ${sa_name}@${clustername}
    context:
      cluster: ${clustername}
      namespace: ${ns}
      user: ${sa_name}
users:
  - name: ${sa_name}
    user:
      token: ${token}
current-context: ${sa_name}@${clustername}
" | tee $sa_name@${clustername}

相关问题