rancher配置kubectl,参考https://blog.csdn.net/vah101/article/details/90789540
首先备份config
# Keep a copy of the current kubeconfig before any of the steps below rewrite it.
cp "${HOME}/.kube/config" "${HOME}/.kube/config.bak"
给新用户配置证书:
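#!/usr/bin/env bash
# Create the "kubernetes-admin" identity: a ServiceAccount in kube-system plus an
# X.509 client certificate signed directly by the cluster CA. Save this as a
# script and run it as root on a node holding the CA files in /etc/kubernetes/ssl;
# it stops on the first failing command instead of continuing with half a setup.
set -euo pipefail
cd /etc/kubernetes/ssl

adm_account="kubernetes-admin"

# Both CA files are needed for signing below; fail early with a clear message.
for ca_file in kube-ca.pem kube-ca-key.pem; do
  if [ ! -r "${ca_file}" ]; then
    echo "missing or unreadable CA file: /etc/kubernetes/ssl/${ca_file}" >&2
    exit 1
  fi
done

# NOTE(review): this grants the ServiceAccount full cluster-admin, independent of
# the narrower namespaced Role that role.yaml defines for the certificate user of
# the same name. Its token is therefore as sensitive as the CA private key.
kubectl create serviceaccount "${adm_account}" -n kube-system
kubectl create clusterrolebinding "${adm_account}" \
  --clusterrole=cluster-admin \
  --serviceaccount="kube-system:${adm_account}"

# Resolve the token secret through the ServiceAccount object rather than grepping
# the secret list: a substring match can hit unrelated names, and an empty match
# would make "describe secrets" dump every secret in the namespace.
# Clusters that no longer auto-create token secrets leave this field empty.
sa_secret="$(kubectl -n kube-system get serviceaccount "${adm_account}" \
  -o jsonpath='{.secrets[0].name}')"
if [ -n "${sa_secret}" ]; then
  kubectl -n kube-system describe secret "${sa_secret}"
else
  echo "no token secret is listed on serviceaccount ${adm_account}" >&2
fi

# Restrictive umask so the private key is created readable by root only.
# umask persists for the rest of the script.
umask 077
openssl genrsa -out "${adm_account}.key" 2048
# The CN becomes the Kubernetes username that role.yaml binds.
openssl req -new -key "${adm_account}.key" -out "${adm_account}.csr" \
  -subj "/CN=${adm_account}"
# Signed with the cluster CA key directly. 900 days is a long lifetime for a
# client certificate; shorten it if policy allows, since it cannot be revoked.
openssl x509 -req -in "${adm_account}.csr" \
  -CA ./kube-ca.pem -CAkey ./kube-ca-key.pem -CAcreateserial \
  -out "${adm_account}.crt" -days 900
openssl x509 -in "${adm_account}.crt" -text -noout

# --embed-certs copies cert and key into ~/.kube/config, so that file now holds
# the private key and must be protected like one.
kubectl config set-credentials "${adm_account}" \
  --client-certificate="./${adm_account}.crt" \
  --client-key="./${adm_account}.key" \
  --embed-certs=true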
编写权限配置文件role.yaml:
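# Namespaced Role for the certificate user "kubernetes-admin" (the CN of the
# client certificate). The RoleBinding in the next document restricts it to the
# "default" namespace.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: kubernetes-admin
rules:
  # pods/exec and pods/log give shell and log access to every pod in the namespace.
  - apiGroups: [""]
    resources: ["pods", "services", "pods/exec", "pods/log"]
    verbs: ["*"]
  - apiGroups: ["extensions"]
    resources: ["deployments"]
    verbs: ["*"]
  - apiGroups: ["apps"]
    resources: ["replicasets", "daemonsets", "statefulsets", "deployments"]
    verbs: ["*"]
  # NOTE(review): nodes are cluster-scoped; a namespaced Role cannot grant access
  # to them. Move "nodes" to a ClusterRole if node access is actually needed.
  - apiGroups: [""]
    resources: ["events", "nodes", "persistentvolumeclaims"]
    verbs: ["*"]
  # NOTE(review): listing/watching namespaces is likewise a cluster-scoped
  # operation and is unlikely to take effect from a Role — confirm on the cluster.
  - apiGroups: [""]
    resources: ["namespaces"]
    verbs: ["list", "watch"]
  - apiGroups: [""]
    resources: ["serviceaccounts"]
    verbs: ["*"]
  # persistentvolumeclaims is already granted above and is not repeated here.
  - apiGroups: [""]
    resources: ["configmaps", "replicationcontrollers", "endpoints"]
    verbs: ["*"]
  # Full access to every secret in the namespace, including any ServiceAccount
  # tokens stored there; protect this user's credentials accordingly.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["*"]
  - apiGroups: ["batch"]
    resources: ["cronjobs", "jobs"]
    verbs: ["*"]
  - apiGroups: ["subresources.kubevirt.io"]
    resources: ["virtualmachineinstances/console"]
    verbs: ["*"]
  - apiGroups: ["kubevirt.io"]
    resources: ["virtualmachineinstances"]
    verbs: ["*"]
  # Ingress is served from networking.k8s.io on current API servers; the
  # "extensions" group is kept for older clusters.
  - apiGroups: ["extensions", "networking.k8s.io"]
    resources: ["ingresses"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]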
---
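# Binds the "kubernetes-admin" Role to the certificate user, in the "default"
# namespace only.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: kubernetes-admin
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: kubernetes-admin
subjects:
  # kind: User matches the certificate CN; it is not the ServiceAccount of the
  # same name created in kube-system.
  - kind: User
    name: kubernetes-admin
    apiGroup: rbac.authorization.k8s.io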
---
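# Cluster-wide permissions for the same user. Note their reach: "*" on RBAC
# objects includes the bind and escalate verbs, and "*" on CSR approval together
# with signers permits issuing new client certificates, so in combination these
# rules are equivalent to cluster-admin. Narrow the verbs if that is not intended.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: crd-admin
rules:
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["customresourcedefinitions"]
    verbs: ["*"]
  # Full control over validating webhooks also allows disabling admission checks.
  - apiGroups: ["admissionregistration.k8s.io"]
    resources: ["validatingwebhookconfigurations"]
    verbs: ["*"]
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources: ["roles", "clusterroles", "rolebindings", "clusterrolebindings"]
    verbs: ["*"]
  - apiGroups: ["certificates.k8s.io"]
    resources:
      - "certificatesigningrequests"
      - "certificatesigningrequests/approval"
      - "signers"
    verbs: ["*"]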
---
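# Grants the crd-admin ClusterRole to the certificate user across all namespaces.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: bind-crd-admin
subjects:
  - kind: User
    name: kubernetes-admin
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: crd-admin
  apiGroup: rbac.authorization.k8s.io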
使权限生效,执行
# Create the Role, RoleBinding, ClusterRole and ClusterRoleBinding from role.yaml.
kubectl create --filename=role.yaml
配置集群、用户和上下文,注意将服务器 IP 修改为当前集群的 IP 地址:
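# Register the cluster, user and context in ~/.kube/config.
# Set API_SERVER to the current cluster's API endpoint before running.
cd /etc/kubernetes/ssl/
API_SERVER="https://192.168.0.100:6443"

# The context below and the final kubeconfig both refer to the cluster as
# "local", so the cluster entry is registered under that name; registering it
# under "kubernetes-admin" would leave an entry that nothing references.
kubectl config set-cluster local \
  --certificate-authority=kube-ca.pem \
  --server="${API_SERVER}"
kubectl config set-credentials kubernetes-admin \
  --client-certificate=./kubernetes-admin.crt \
  --client-key=./kubernetes-admin.key
kubectl config set-context kubernetes-admin --cluster=local --user=kubernetes-admin
kubectl config use-context kubernetes-admin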
最后,将 /root/.kube/config 改为如下内容(注意将服务器 IP 修改为当前集群的 IP 地址):
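# Final kubeconfig for the certificate user. Paths are absolute and point at the
# node-local CA and client material, so this file only works on that node; the
# referenced .key must stay readable by root only.
apiVersion: v1
clusters:
  - cluster:
      certificate-authority: /etc/kubernetes/ssl/kube-ca.pem
      # Replace with the current cluster's API endpoint.
      server: https://192.168.0.100:6443
    name: local
contexts:
  - context:
      cluster: local
      user: kubernetes-admin
    name: kubernetes-admin@local
current-context: kubernetes-admin@local
kind: Config
preferences: {}
users:
  - name: kubernetes-admin
    user:
      client-certificate: /etc/kubernetes/ssl/kubernetes-admin.crt
      client-key: /etc/kubernetes/ssl/kubernetes-admin.key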