Created
April 23, 2018 09:18
-
-
Save ydp/a68cc4c5d3aa6d73a8e97d293f2da4a2 to your computer and use it in GitHub Desktop.
创建k8s的namespace和sa,并分配给单独的pod权限
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| ns=$1 | |
| sa=$ns | |
| API_SERVER="https://10.87.52.188:6443" | |
| kubectl create ns $ns | |
| kubectl -n $ns create sa $sa | |
| SECRET=$(kubectl -n $ns get sa $sa -o go-template='{{range .secrets}}{{.name}}{{end}}') | |
| CA_CERT=$(kubectl -n $ns get secret ${SECRET} -o yaml | awk '/ca.crt:/{print $2}') | |
| cat <<EOF > ${ns}.conf | |
| apiVersion: v1 | |
| kind: Config | |
| clusters: | |
| - cluster: | |
| certificate-authority-data: $CA_CERT | |
| server: $API_SERVER | |
| name: cluster | |
| EOF | |
| TOKEN=$(kubectl -n $ns get secret ${SECRET} -o go-template='{{.data.token}}') | |
| kubectl config set-credentials ${ns}-user --token=`echo ${TOKEN} | base64 -d` --kubeconfig=${ns}.conf | |
| kubectl config set-context default --cluster=cluster --user=${ns}-user --kubeconfig=${ns}.conf | |
| kubectl config use-context default --kubeconfig=${ns}.conf | |
| cat <<EOF > ${ns}-user-role.yml | |
| kind: Role | |
| apiVersion: rbac.authorization.k8s.io/v1 | |
| metadata: | |
| namespace: ${ns} | |
| name: ${ns}-user-pod | |
| rules: | |
| - apiGroups: [""] | |
| resources: ["pods", "pods/log"] | |
| verbs: ["get", "list"] | |
| - apiGroups: [""] | |
| resources: ["pods/exec"] | |
| verbs: ["create"] | |
| EOF | |
| kubectl create -f ${ns}-user-role.yml | |
| kubectl create rolebinding ${ns}-view-pod --role=${ns}-user-pod --serviceaccount=${ns}:${ns} --namespace=${ns} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
参考了
https://kairen.github.io/2018/01/08/kubernetes/rbac-sa-kubectl/
测试: