生成kubernetes集群用户的kubeconfig文件并设置context。
思路
- 用集群 CA 证书和 CA 私钥为用户签发客户端证书和密钥（注意：Kubernetes 不支持证书吊销，签发后只能靠删除 RoleBinding 来收回权限）
- 为用户创建特定的namespace
- 为用户创建角色和绑定角色
- 打印客户端 kubectl context 配置命令
脚本
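#!/usr/bin/env bash
# Issue an X.509 client credential for a Kubernetes user, signed by the
# cluster CA; confine that user to a single namespace with a Role and a
# RoleBinding; then print the kubectl commands the user runs on their own
# machine to build a kubeconfig context.
#
# Must run on a control-plane node with read access to $capath/ca.key and
# write access to $capath (-CAcreateserial creates/updates ca.srl there),
# and with a kubeconfig allowed to create namespaces and RBAC objects.
#
# Security notes:
#   - The API server does no CRL/OCSP checking: a signed client cert cannot
#     be revoked and stays valid for $days days.  The only way to cut the
#     user off is to delete the RoleBinding.  Keep $days short.
#   - The Role grants every verb on every core-group resource in the
#     namespace, which includes secrets, serviceaccounts and pods/exec.
#     The holder can read every ServiceAccount token in the namespace and
#     run arbitrary pods there; without admission control that is a
#     foothold on the node.  Narrow the rules if that is not intended.
#   - The private key is written to the current directory.  umask 077
#     below keeps $user.key (and the other outputs) owner-readable only;
#     hand the key to the user over a secure channel.
set -euo pipefail

die() { printf 'ERROR: %s\n' "$*" >&2; exit 1; }

# ---- parameters (defaults match the original script; override via env) ----
# Kubernetes user name; also the certificate CN and the output file prefix.
user="${user:-sch}"
# Namespace the user is confined to.
namespace="${namespace:-sch}"
# Directory holding the cluster CA certificate (ca.crt) and key (ca.key).
capath="${capath:-/etc/kubernetes/pki}"
# Validity of the issued client certificate, in days.
days="${days:-365}"
# API server endpoint the client is told to use.
apiserver_host="${apiserver_host:-k8s.ict.ac.cn}"
apiserver_ip="${apiserver_ip:-10.61.150.188}"
apiserver_port="${apiserver_port:-6443}"

# $user becomes a filename prefix and an X.509 subject component; reject
# anything that could escape either (path separators, '/' subject delimiters).
[[ "$user" =~ ^[A-Za-z0-9][A-Za-z0-9._@-]*$ ]] || die "invalid user name: '$user'"
# Namespaces must be RFC 1123 DNS labels.
[[ "$namespace" =~ ^[a-z0-9]([a-z0-9-]*[a-z0-9])?$ ]] || die "invalid namespace: '$namespace'"
[[ "$days" =~ ^[0-9]+$ ]] || die "days must be a positive integer, got '$days'"
[[ -r "$capath/ca.crt" && -r "$capath/ca.key" ]] || die "CA material not readable in $capath"

# ---- client credential ----------------------------------------------------
# Key files inherit the umask; 077 makes $user.key 0600 instead of 0644.
umask 077
openssl genrsa -out "$user.key" 2048
# The CN is the Kubernetes user name; no /O= means no group membership.
openssl req -new -key "$user.key" -out "$user.csr" -subj "/CN=$user"
# Sign with the cluster CA.  Checked explicitly (not just via set -e) so the
# failure is reported with a clear message and a non-zero exit status.
if ! openssl x509 -req -in "$user.csr" -CA "$capath/ca.crt" -CAkey "$capath/ca.key" \
    -CAcreateserial -out "$user.crt" -days "$days"; then
  die "generate user credentials error!"
fi

# ---- namespace and RBAC ---------------------------------------------------
# Idempotent: re-running for an existing namespace must not abort here.
if ! kubectl get namespace "$namespace" >/dev/null 2>&1; then
  kubectl create namespace "$namespace"
fi

# rbac.authorization.k8s.io/v1beta1 was removed in Kubernetes 1.22; v1 has
# the same schema and has existed since 1.8.
cat <<EOF >role.yaml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: $namespace
  name: admin
rules:
# Core API group only: covers pods (incl. pods/exec), secrets, serviceaccounts,
# configmaps, services, ... but not apps/, batch/ etc.
- apiGroups: [""]
  resources: ["*"]
  verbs: ["*"]
EOF

# apiGroup is spelled out for User subjects and the roleRef rather than
# relying on server-side defaulting of "".
cat <<EOF >role-binding.yaml
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: admin-binding
  namespace: $namespace
subjects:
- kind: User
  name: $user
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: admin
  apiGroup: rbac.authorization.k8s.io
EOF

kubectl apply -f role.yaml
kubectl apply -f role-binding.yaml

# ---- client instructions --------------------------------------------------
# The printed commands reference ca.crt/$user.crt/$user.key by relative path,
# so they must be run in the directory the files were copied to; adding
# --embed-certs=true would make the resulting kubeconfig self-contained.
echo ""
echo "**************************************************"
echo "Follow these steps to config client"
echo "1. copy $user.crt $user.key $capath/ca.crt to client (over a secure channel: the key is a long-lived credential)"
echo "2. add \"$apiserver_ip $apiserver_host\" to client hosts"
echo "3. install kubectl on client machine:"
echo "4. config kubectl context (** must be run in the directory holding ca.crt **):"
echo ""
echo "kubectl config set-credentials $user --client-certificate=$user.crt --client-key=$user.key"
echo "kubectl config set-cluster kubernetes --server https://$apiserver_host:$apiserver_port --certificate-authority=ca.crt"
echo "kubectl config set-context default --user=$user --cluster=kubernetes --namespace $namespace"
echo "kubectl config use-context default"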