创建对指定 namespace 有所有权限的 kube-config（create a kubeconfig for a ServiceAccount that has full access to a single namespace）

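    #!/usr/bin/env bash
    #
    # Create a kubeconfig whose ServiceAccount has full access to ONE namespace.
    #
    # Steps: make sure the namespace exists, apply a ServiceAccount + Role +
    # RoleBinding + ResourceQuota into it, obtain a token for the ServiceAccount
    # and write a standalone kubeconfig to ./kube_config/<NAMESPACE>.kube.conf.
    #
    # Usage: <script> NAMESPACE ENDPOINT
    #   NAMESPACE  target namespace (created when it does not exist yet)
    #   ENDPOINT   API server host[:port] to put in the kubeconfig; a leading
    #              http(s):// is stripped and https:// is re-added on output
    # Environment:
    #   TOKEN_DURATION  optional, e.g. "720h". When set, an expiring bound token
    #                   is minted with `kubectl create token` (kubectl and cluster
    #                   >= 1.24; the server may cap the duration) instead of a
    #                   non-expiring service-account-token Secret.
    #
    # Security notes:
    #   * The Role grants '*' on the core/apps/extensions/metrics groups. In RBAC a
    #     '*' resource matches every resource AND subresource in the namespace
    #     (secrets, serviceaccounts/token, pods/exec, ...), so whoever holds the
    #     generated kubeconfig can read every credential stored in that namespace.
    #   * Namespace-scoped RBAC does not stop privileged/hostPath pods by itself;
    #     enforce Pod Security Admission (pod-security.kubernetes.io/enforce label)
    #     or an equivalent admission policy on the namespace if that matters.
    #   * The output file is a bearer credential: it is written with mode 0600 and,
    #     unless TOKEN_DURATION is set, stays valid until the Secret or the
    #     ServiceAccount is deleted.
    #
    # Based on https://jeremievallee.com/2018/05/28/kubernetes-rbac-namespace-user.html
    # K8s RBAC doc: https://kubernetes.io/docs/reference/access-authn-authz/rbac
    # GitLab CI/CD doc: https://docs.gitlab.com/ee/user/permissions.html#running-pipelines-on-protected-branches
    #
    # In honor of the remarkable Windson
    set -euo pipefail

    basedir="$(dirname "$0")"
    folder="$basedir/kube_config"

    die() { printf '%s\n' "$*" >&2; exit 1; }

    # Informational hints for the operator (same output as before, printf instead of echo -e).
    printf 'All namespaces is here: \n%s\n' \
      "$(kubectl get ns -o custom-columns=:metadata.name --no-headers)"
    printf 'endpoint server if local network you can use %s\n' \
      "$(kubectl cluster-info | awk '/Kubernetes/{print $NF}')"

    namespace="${1:-}"
    # Accept "https://host:port" or a bare "host:port"; the scheme is re-added when the file is written.
    endpoint="$(printf '%s' "${2:-}" | sed -e 's,https\?://,,g')"
    if [[ -z "$endpoint" || -z "$namespace" ]]; then
      die "Use $(basename "$0") NAMESPACE ENDPOINT"
    fi

    sa="${namespace}-user"

    # Exact lookup: `grep -w` on the listing would also match a namespace that merely
    # contains the requested name as a word (e.g. "team-a" matching "team-a.old").
    if kubectl get ns "$namespace" >/dev/null 2>&1; then
      echo "namespace: $namespace was exist."
    else
      kubectl create ns "$namespace"
    fi

    # rbac.authorization.k8s.io/v1beta1 was removed in Kubernetes 1.22; v1 has been
    # served since 1.8, so it works on every cluster the old manifest did.
    # The RoleBinding keeps its historical name "<ns>-user-view" (it actually binds
    # the full-access Role) so re-running the script updates the existing object
    # instead of leaving an orphaned binding behind.
    kubectl apply -f - <<EOF
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ${sa}
  namespace: ${namespace}
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: ${namespace}-user-full-access
  namespace: ${namespace}
rules:
# '*' matches all resources and subresources of these groups, including
# secrets, serviceaccounts/token and pods/exec - see the header notes.
- apiGroups: ['', 'extensions', 'apps', 'metrics.k8s.io']
  resources: ['*']
  verbs: ['*']
- apiGroups: ['batch']
  resources:
  - jobs
  - cronjobs
  verbs: ['*']
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: ${namespace}-user-view
  namespace: ${namespace}
subjects:
- kind: ServiceAccount
  name: ${sa}
  namespace: ${namespace}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ${namespace}-user-full-access
---
# https://kubernetes.io/zh/docs/concepts/policy/resource-quotas/
apiVersion: v1
kind: ResourceQuota
metadata:
  name: ${namespace}-compute-resources
  namespace: ${namespace}
spec:
  hard:
    pods: "10"
    services: "10"
    persistentvolumeclaims: "5"
    requests.cpu: "1"
    requests.memory: 2Gi
    limits.cpu: "2"
    limits.memory: 4Gi
EOF
    kubectl -n "$namespace" describe quota "${namespace}-compute-resources"

    # --- obtain a token for the ServiceAccount -------------------------------
    secret_name=""
    if [[ -n "${TOKEN_DURATION:-}" ]]; then
      # Bound, expiring token via the TokenRequest API.
      token="$(kubectl -n "$namespace" create token "$sa" --duration="$TOKEN_DURATION")"
    else
      # Legacy non-expiring token. Since Kubernetes 1.24 no token Secret is
      # auto-created for a ServiceAccount, so .secrets[0] is empty; the old
      # script then silently wrote an empty token. Create the Secret explicitly
      # (idempotent) and wait for the token controller to populate it.
      secret_name="$(kubectl -n "$namespace" get sa "$sa" -o jsonpath='{.secrets[0].name}')"
      if [[ -z "$secret_name" ]]; then
        secret_name="${sa}-token"
        kubectl apply -f - <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: ${secret_name}
  namespace: ${namespace}
  annotations:
    kubernetes.io/service-account.name: ${sa}
type: kubernetes.io/service-account-token
EOF
      fi
      token=""
      for ((i = 0; i < 30; i++)); do
        token="$(kubectl -n "$namespace" get secret "$secret_name" -o jsonpath='{.data.token}' | base64 --decode)"
        [[ -n "$token" ]] && break
        sleep 1
      done
      [[ -n "$token" ]] || die "token for ServiceAccount $sa was not populated in Secret $secret_name"
    fi

    # --- cluster CA --------------------------------------------------------------
    # The kube-root-ca.crt ConfigMap is published into every namespace on
    # clusters >= 1.20; fall back to the legacy token Secret on older ones.
    ca_data="$(kubectl -n "$namespace" get configmap kube-root-ca.crt -o jsonpath='{.data.ca\.crt}' 2>/dev/null | base64 | tr -d '\n' || true)"
    if [[ -z "$ca_data" && -n "$secret_name" ]]; then
      ca_data="$(kubectl -n "$namespace" get secret "$secret_name" -o jsonpath='{.data.ca\.crt}')"
    fi
    [[ -n "$ca_data" ]] || die "could not determine the cluster CA certificate"

    # --- write the kubeconfig ------------------------------------------------------
    # The file carries a bearer token: restrict it to the owner. The old script
    # also put the CA cert into client-key-data, which is not a key at all and only
    # confuses readers; a token user needs no client certificate.
    umask 077
    mkdir -p "$folder"
    out="$folder/$namespace.kube.conf"
    cat > "$out" <<EOF
apiVersion: v1
kind: Config
preferences: {}
clusters:
- cluster:
    certificate-authority-data: ${ca_data}
    server: https://${endpoint}
  name: ${namespace}-cluster
users:
- name: ${sa}
  user:
    token: ${token}
contexts:
- context:
    cluster: ${namespace}-cluster
    namespace: ${namespace}
    user: ${sa}
  name: ${namespace}
current-context: ${namespace}
EOF
    chmod 600 "$out"
    printf 'kubeconfig written to %s\n' "$out" >&2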