With the k8s cluster already set up, the next step is to give each developer their own context, so that on a shared cluster nobody accidentally deletes someone else's containers.
1. Create the directories and change into the working directory:
mkdir -p /data/k8s-conf.d/common
mkdir -p /data/k8s-conf.d/template
cd /data/k8s-conf.d
2. Create the namespaces (skip any that already exist in your environment):
kubectl create ns app-dev
kubectl create ns app-testing
app-dev and app-testing are shared namespaces that every developer may work in; in addition, each developer gets a private namespace named after the pinyin of their Chinese name, which is easy to remember. Namespace names must be valid DNS labels (lowercase letters, digits and "-"), so write the pinyin in lowercase with no spaces or underscores.
Write the group members' names into a lists.txt file, one per line, and create the namespaces in bulk with a one-liner such as:
cat lists.txt | gawk '{print "kubectl create ns " $0}' | sh
3. Create the shared context configuration file with the create_user_context.sh script, which takes the username as the first argument and the namespace as the second:
#!/bin/bash
# Create one user
# username
USER=$1
CLUSTER=k8s-cluster
NAMESPACE=$2
SERVER_ADDR="https://172.17.50.57:6443"
prefix=/data/k8s-conf.d
CA_PATH=/etc/kubernetes/pki

# Generate the private key and sign the certificate with the cluster CA
function createKey {
  mkdir -p $prefix/$1
  cd $prefix/$1
  echo "now create user $1"
  (umask 077; openssl genrsa -out $1.key 2048)
  openssl req -new -key $1.key -out $1.csr -subj "/CN=$1"
  openssl x509 -req -in $1.csr -CA ${CA_PATH}/ca.crt -CAkey ${CA_PATH}/ca.key -CAcreateserial -out $1.crt -days 5000
  openssl x509 -in $1.crt -text -noout
}
createKey $USER
echo "0000create key complete000"

# Create the user configuration
function setCredentials {
  # cluster entry
  echo "----set cluster parameters----"
  kubectl config set-cluster $CLUSTER --server=$SERVER_ADDR --certificate-authority=${CA_PATH}/ca.crt --embed-certs=true --kubeconfig=$prefix/common/config
  echo "----set client authentication parameters----"
  # user entry
  kubectl config set-credentials $1 --client-certificate=$prefix/$1/$1.crt --client-key=$prefix/$1/$1.key --embed-certs=true --kubeconfig=$prefix/common/config
  echo "----set context parameters----"
  kubectl config set-context ctx-$1 --namespace=$NAMESPACE --cluster=$CLUSTER --user=$1 --kubeconfig=$prefix/common/config
  echo "---config set-context---"
}
setCredentials $USER
Run the script as follows:
bash create_user_context.sh app-dev app-dev
bash create_user_context.sh app-testing app-testing
This creates the users app-dev and app-testing with the contexts ctx-app-dev and ctx-app-testing in the config file under the common directory; every personal configuration created later is derived from this file.
Note that the API server does not check CRLs or OCSP for client certificates, so a certificate signed by the cluster CA cannot be revoked; the only way to withdraw access is to delete the user's RoleBindings. A validity of 5000 days therefore means the key stays usable for about 13 years if it ever leaks, and a much shorter validity is advisable.
# set the default context
kubectl config use-context ctx-app-dev --kubeconfig=/data/k8s-conf.d/common/config
Now check the contexts kubectl knows about:
[root@ch-k8s7 .kube]# kubectl config get-contexts --kubeconfig=/data/k8s-conf.d/common/config
CURRENT   NAME          CLUSTER       AUTHINFO   NAMESPACE
*         ctx-app-dev   k8s-cluster   app-dev    app-dev
          ctx-common    k8s-cluster   common     common
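The scripts above sign with the cluster CA for 5000 days and put only a CN in the certificate. The following is an added example, not code from the original post: it runs the same openssl flow with a bounded validity and an O= group, and then performs the checks worth doing on a certificate before its kubeconfig is handed out: which user and group the API server will derive from it, whether it actually chains to the CA the API server trusts, and how long it remains valid. The CA is a throwaway one created inside the example in place of /etc/kubernetes/pki; the names alice, mallory and devs, and the WORK directory, are assumptions made for the example.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post: issue a developer's client
# certificate the way create_user_context.sh does, but with a bounded validity
# and an O= group, then check what identity the API server will derive from it
# before the kubeconfig is handed out.
# Assumptions: openssl is in PATH; the CA here is a throwaway one created for
# the example, standing in for /etc/kubernetes/pki/ca.{crt,key}; names are
# illustrative.
set -euo pipefail

WORK="${WORK:-$(mktemp -d)}"

# make_ca DIR CN: create a self-signed CA (constructed stand-in for the cluster CA).
make_ca() {
  local dir="$1" cn="$2"
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=$cn" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
}

# issue_user_cert CA_DIR OUT_DIR USER GROUP DAYS
# The x509 authenticator maps CN to the username and every O to a group, so a
# RoleBinding can target either "User: alice" or "Group: devs".
issue_user_cert() {
  local ca="$1" out="$2" user="$3" group="$4" days="$5"
  mkdir -p "$out"
  (umask 077; openssl genrsa -out "$out/$user.key" 2048 2>/dev/null)
  openssl req -new -key "$out/$user.key" -subj "/CN=$user/O=$group" \
    -out "$out/$user.csr" 2>/dev/null
  openssl x509 -req -in "$out/$user.csr" -CA "$ca/ca.crt" -CAkey "$ca/ca.key" \
    -CAcreateserial -sha256 -days "$days" -out "$out/$user.crt" 2>/dev/null
  rm -f "$out/$user.csr"
}

# cert_identity CERT: print "<user> <groups>" as Kubernetes would see them
# (several O= values are joined with commas).
cert_identity() {
  local subj user group
  subj=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
  user=$(printf '%s\n' "$subj" | tr ',' '\n' | sed -n 's/^CN=//p')
  group=$(printf '%s\n' "$subj" | tr ',' '\n' | sed -n 's/^O=//p' | paste -sd, -)
  printf '%s %s\n' "$user" "$group"
}

# cert_verify CA_DIR CERT: succeed only if CERT chains to this CA, i.e. an
# API server configured with this ca.crt would accept it at all.
cert_verify() {
  openssl verify -CAfile "$1/ca.crt" "$2" 2>/dev/null | grep -q ': OK$'
}

# cert_valid_for CERT DAYS: succeed if CERT does not expire within DAYS days.
cert_valid_for() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

make_ca "$WORK/ca" kubernetes
make_ca "$WORK/rogue-ca" not-the-cluster-ca
issue_user_cert "$WORK/ca" "$WORK/users" alice devs 30
issue_user_cert "$WORK/rogue-ca" "$WORK/users" mallory devs 30
echo "alice presents as: $(cert_identity "$WORK/users/alice.crt")"
```

Because a RoleBinding can name a Group, putting every developer in O=devs lets one binding per shared namespace cover the whole team without distributing shared keys. The mallory certificate shows the flip side: the API server rejects anything not chaining to its ca.crt, which is exactly why ca.key must never leave the control plane; whoever holds it can mint a certificate for any CN, including one with O=system:masters, which is bound to cluster-admin by default. A certificate that does chain cannot be revoked, so a short validity checked with cert_valid_for is the only expiry control available.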
RoleBinding
If we want to restrict what the app-dev user can do, we use RBAC to create role bindings that confine that user to one or a few namespaces, for example:
Create the YAML files from the template below:
[root@ch-k8s7 app-dev]# cat app-dev-role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: app-dev
  name: app-dev-role
rules:
- apiGroups: ["", "extensions", "apps", "batch", "autoscaling"]
  resources: ["deployments", "services", "jobs", "daemonsets", "replicasets", "statefulsets", "horizontalpodautoscalers", "replicationcontrollers", "cronjobs"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: [""]
  # kubectl exec / logs are authorized through the pods/exec and pods/log
  # subresources ("create" on pods/exec); "exec" itself is not an RBAC verb
  resources: ["pods", "pods/log", "pods/exec", "endpoints", "secrets", "persistentvolumeclaims", "configmaps"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1   # v1beta1 was removed in Kubernetes 1.22
kind: RoleBinding
metadata:
  namespace: app-dev
  name: k8s-app-dev-rolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: app-dev-role
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: app-dev
[root@ch-k8s7 app-dev]# cat common-role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: common
  name: app-dev-role
rules:
- apiGroups: ["", "extensions", "apps", "batch", "autoscaling"]
  resources: ["deployments", "services", "jobs", "daemonsets", "replicasets", "statefulsets", "horizontalpodautoscalers", "replicationcontrollers", "cronjobs"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: [""]
  resources: ["pods", "pods/log", "pods/exec", "endpoints", "secrets", "persistentvolumeclaims", "configmaps"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: common
  name: k8s-app-dev-rolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: app-dev-role
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: app-dev
Or create the bindings on the command line:
kubectl create rolebinding k8s-app-dev-rolebinding --clusterrole=admin --user=app-dev --namespace=app-dev
kubectl create rolebinding k8s-app-dev-rolebinding --clusterrole=admin --user=app-dev --namespace=app-testing
This gives the app-dev user full access to the app-dev and app-testing namespaces. Be aware that the built-in admin ClusterRole is broader than the hand-written Role above: among other things it allows creating Roles and RoleBindings inside the namespace, so the user can grant the same access to others.
4. Create each user's private context with user.sh:
#!/bin/bash
### Create accounts for the lab group members
# username
USER=$1
CLUSTER=k8s-cluster
NAMESPACE=$1
SERVER_ADDR="https://172.17.50.57:6443"
prefix=/data/k8s-conf.d
CA_PATH=/etc/kubernetes/pki

# Initialisation: the personal kubeconfig starts as a copy of the shared one
function init {
  cp $prefix/common/config $prefix/common/$USER.conf
  mkdir -p $prefix/$USER
  cd $prefix/$USER
}
init

# Generate the private key and sign the certificate with the cluster CA
function createKey {
  cd $prefix/$1
  echo "now create user $1"
  (umask 077; openssl genrsa -out $1.key 2048)
  openssl req -new -key $1.key -out $1.csr -subj "/CN=$1"
  openssl x509 -req -in $1.csr -CA ${CA_PATH}/ca.crt -CAkey ${CA_PATH}/ca.key -CAcreateserial -out $1.crt -days 5000
  openssl x509 -in $1.crt -text -noout
}
createKey $USER

# Create the user configuration
function setCredentials {
  # cluster entry
  kubectl config set-cluster $CLUSTER --server=$SERVER_ADDR --certificate-authority=${CA_PATH}/ca.crt --embed-certs=true --kubeconfig=$prefix/common/$1.conf
  # user entry and context
  kubectl config set-credentials $1 --client-certificate=$prefix/$1/$1.crt --client-key=$prefix/$1/$1.key --embed-certs=true --kubeconfig=$prefix/common/$1.conf
  kubectl config set-context ctx-$1 --namespace=$NAMESPACE --cluster=$CLUSTER --user=$1 --kubeconfig=$prefix/common/$1.conf
}
setCredentials $USER
Create the users in bulk:
cat lists.txt | gawk '{print "bash user.sh " $0}' | sh
Since each personal .conf starts as a copy of common/config, it also embeds the app-dev and app-testing client keys: every developer shares those two identities, and anything done through them is attributed in the API server audit log to app-dev or app-testing rather than to a person. If you need per-person attribution in the shared namespaces, bind each personal user (or a group carried in the certificate's O field) into app-dev and app-testing instead of distributing the shared keys.
5. Configure each user's permissions from the templates in the template directory.
template-role.yaml:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: template
  name: template-role
rules:
- apiGroups: ["", "extensions", "apps", "batch", "autoscaling"]
  resources: ["deployments", "services", "jobs", "daemonsets", "replicasets", "statefulsets", "horizontalpodautoscalers", "replicationcontrollers", "cronjobs"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: [""]
  resources: ["pods", "pods/log", "pods/exec", "endpoints", "secrets", "persistentvolumeclaims", "configmaps"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: template
  name: k8s-template-rolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: template-role
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: template
template-ClusterRole.yaml:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: template-ClusterRole
rules:
# "*" in the core group includes secrets, so this rule grants read access to
# every Secret in every namespace; list the resources explicitly if that is
# not intended
- apiGroups: ["", "extensions", "apps", "batch", "autoscaling", "storage.k8s.io"]
  resources: ["*"]
  verbs: ["get", "list", "watch"]
# patch on nodes lets the holder change node labels and taints cluster-wide
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: k8s-template-ClusterRoleBinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: template-ClusterRole
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: template
Adjust the Role and ClusterRole permissions to your needs. As written, the ClusterRole's resources: ["*"] rule in the core API group lets every member read all Secrets in all namespaces, kube-system included, and patch on nodes lets them relabel or taint nodes, so most teams will want to narrow both. Then create the Role and ClusterRole with role-init.sh:
#!/bin/bash
## Create the Role and ClusterRole and bind them
USER=$1
prefix=/data/k8s-conf.d
function modify {
  cp $prefix/template/template-role.yaml $prefix/$USER
  cp $prefix/template/template-ClusterRole.yaml $prefix/$USER
  cd $prefix/$USER
  rm -rf $USER-role*.yaml
  mv template-role.yaml $USER-role.yaml
  mv template-ClusterRole.yaml $USER-ClusterRole.yaml
  # replace every occurrence of the placeholder, not only the first one on a line
  sed -i "s/template/$USER/g" $USER-role.yaml
  sed -i "s/template/$USER/g" $USER-ClusterRole.yaml
  # --ignore-not-found keeps the first run from failing on the delete
  kubectl delete -f $USER-ClusterRole.yaml --ignore-not-found
  kubectl create -f $USER-ClusterRole.yaml
  kubectl delete -f $USER-role.yaml --ignore-not-found
  kubectl create -f $USER-role.yaml
}
modify
Run the following to create the Roles and ClusterRoles in bulk:
cat lists.txt | gawk '{print "bash role-init.sh " $0}' | sh
app-dev and app-testing need to be handled separately: edit role.yaml and ClusterRole.yaml by hand, making sure the namespace and name fields are correct, and run kubectl create -f role.yaml and kubectl create -f ClusterRole.yaml.
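role-init.sh above renders the template with a single sed substitution and the batch loop pipes every line of lists.txt straight into sh. The following is an added example, not code from the original post: it renders the same Role/RoleBinding pair but first validates the name (the username doubles as a namespace, so it must be a DNS label, and that rule also keeps sed metacharacters out of the substitution), replaces every occurrence of the placeholder, and skips bad list entries instead of executing them. The template text is embedded in the script (constructed for the example, mirroring template-role.yaml with the RoleBinding on rbac.authorization.k8s.io/v1); the sample list with alice, Bob_Smith and carol, and the DEMO output directory, are assumptions made for the example.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post: render a user's Role and
# RoleBinding from the template the way role-init.sh does, but (a) refuse
# names the cluster would reject as a namespace (which would also break the
# sed expression), (b) replace every occurrence of the placeholder, and
# (c) skip bad entries in lists.txt instead of piping them into sh.
# The template below is constructed for the example and mirrors the page's
# template-role.yaml with the RoleBinding on rbac.authorization.k8s.io/v1.
set -euo pipefail

# The placeholder that role-init.sh swaps for the username.
PLACEHOLDER=template

rbac_template() {
  cat <<'EOF'
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: template
  name: template-role
rules:
- apiGroups: ["", "apps", "batch", "autoscaling"]
  resources: ["deployments", "services", "jobs", "daemonsets", "replicasets", "statefulsets", "horizontalpodautoscalers", "replicationcontrollers", "cronjobs"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: [""]
  resources: ["pods", "pods/log", "pods/exec", "endpoints", "secrets", "persistentvolumeclaims", "configmaps"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: template
  name: k8s-template-rolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: template-role
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: template
EOF
}

# valid_name NAME: the username doubles as a namespace, so it must be a DNS
# label (lowercase alphanumerics and '-', 1-63 chars, not starting or ending
# with '-'). This also keeps '/', '&' and '.' out of the sed substitution.
valid_name() {
  printf '%s\n' "$1" | grep -Eq '^[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?$'
}

# render_rbac NAME: print the manifests for NAME; fail without output otherwise.
render_rbac() {
  local name="$1"
  if ! valid_name "$name"; then
    echo "render_rbac: '$name' is not a valid user/namespace name" >&2
    return 1
  fi
  rbac_template | sed "s/$PLACEHOLDER/$name/g"
}

# render_list LISTFILE OUTDIR: one manifest per line of LISTFILE, written to
# OUTDIR/<name>/<name>-role.yaml; returns non-zero if any entry was skipped.
render_list() {
  local list="$1" outdir="$2" name failed=0
  while IFS= read -r name || [ -n "$name" ]; do
    name=$(printf '%s' "$name" | tr -d '\r')      # tolerate CRLF line endings
    [ -z "$name" ] && continue
    if valid_name "$name"; then
      mkdir -p "$outdir/$name"
      render_rbac "$name" > "$outdir/$name/$name-role.yaml"
    else
      echo "render_list: skipping '$name'" >&2
      failed=$((failed + 1))
    fi
  done < "$list"
  [ "$failed" -eq 0 ]
}

DEMO=$(mktemp -d)
printf 'alice\r\nBob_Smith\ncarol\n' > "$DEMO/lists.txt"   # constructed sample list
render_list "$DEMO/lists.txt" "$DEMO/out" || echo "some entries were skipped; nothing rendered for them" >&2
ls "$DEMO/out"
```

The rendered files are meant to be reviewed and then applied with kubectl apply -f, after which the binding can be confirmed from the admin side without the user's kubeconfig, e.g. kubectl auth can-i delete pods --as=alice -n alice (expected yes) and kubectl auth can-i delete pods --as=alice -n kube-system (expected no).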
Finally, hand the *.conf files in the common directory to the group members. Each file embeds that member's private key (and, as noted above, the shared app-dev and app-testing keys), so deliver it over a secure channel rather than chat or e-mail, and have the member confirm the bindings took effect with kubectl auth can-i, for example kubectl auth can-i delete pods --kubeconfig=<member>.conf in their own namespace and kubectl auth can-i get secrets -n kube-system --kubeconfig=<member>.conf; if the second answers yes, the ClusterRole's resources: ["*"] rule is exposing secrets across namespaces and should be narrowed.
References:
https://jimmysong.io/kubernetes-handbook/guide/kubectl-user-authentication-authorization.html
https://www.cnblogs.com/tiny1987/p/12018080.html
