This post is based on Kubernetes 1.28. It creates a read-only kubeconfig account for developers so they can use kubectl to view pod information and similar resources.
Create the kubeconfig file.
Prerequisites
# Create the ServiceAccount
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: cluster-readonly-sa
  namespace: default
---
# Create a long-lived token Secret for the ServiceAccount
# (since 1.24 token Secrets are no longer generated automatically, hence the explicit Secret)
apiVersion: v1
kind: Secret
metadata:
  name: cluster-readonly-sa-token
  namespace: default
  annotations:
    kubernetes.io/service-account.name: "cluster-readonly-sa"
type: kubernetes.io/service-account-token
---
# Create the ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-readonly
rules:
# Read access to every resource in every API group, cluster-wide.
# '*' includes Secrets and ConfigMaps, so this account can read every Secret
# in the cluster; narrow the resources list if that is not intended.
# ("exec" is not an RBAC verb; shell access is granted by the pods/exec rule below.)
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - get
  - list
  - watch
# Non-resource endpoints such as /healthz, /metrics and API discovery.
# Verbs for nonResourceURLs are lowercase HTTP methods; an uppercase "GET" never matches.
- nonResourceURLs:
  - '*'
  verbs:
  - get
# "kubectl exec" is a POST (create) on the pods/exec subresource. This goes
# beyond read-only: it allows running commands inside any container in the
# cluster. Drop this rule for a strictly read-only account.
- apiGroups:
  - ""
  resources:
  - pods/exec
  verbs:
  - create
---
# Create the ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cluster-readonly-rb
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-readonly
subjects:
- kind: ServiceAccount
  name: cluster-readonly-sa
  namespace: default
Get the token:
# Read the ServiceAccount token out of the Secret (base64-encoded in .data.token)
kubectl get secret cluster-readonly-sa-token -n default -o=jsonpath='{.data.token}' | base64 --decode
Based on the above, replace the fields marked in red and generate the kubeconfig.
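The kubeconfig template with the red-marked fields is not reproduced above, so here is an added example (not the original post's code) of a shell function that assembles the file from the three values the steps produce: the API server URL, the cluster CA bundle in base64, and the decoded token. It assumes the server URL and CA are copied from an existing admin kubeconfig; the file, cluster and context names are arbitrary choices.

```shell
#!/bin/sh
# Added example, not from the original post. Builds a kubeconfig for the
# cluster-readonly-sa token. Assumed: server URL and base64 CA bundle come
# from an existing admin kubeconfig; the token is the decoded Secret value.

# make_readonly_kubeconfig SERVER CA_DATA_B64 TOKEN OUTFILE
make_readonly_kubeconfig() {
  server="$1"; ca_b64="$2"; token="$3"; out="$4"
  # A developer will trust this file blindly, so reject obviously bad input:
  # a non-TLS server URL would send the bearer token in cleartext.
  case "$server" in
    https://*) ;;
    *) echo "refusing non-https server URL: $server" >&2; return 1 ;;
  esac
  [ -n "$token" ] && [ -n "$ca_b64" ] || { echo "token/CA must not be empty" >&2; return 1; }
  # The file carries a bearer token: write it owner-readable only (the
  # subshell keeps the umask change local to this write).
  (umask 077 && cat > "$out" <<EOF
apiVersion: v1
kind: Config
clusters:
- name: readonly-cluster
  cluster:
    server: ${server}
    certificate-authority-data: ${ca_b64}
users:
- name: cluster-readonly-sa
  user:
    token: ${token}
contexts:
- name: readonly
  context:
    cluster: readonly-cluster
    user: cluster-readonly-sa
    namespace: default
current-context: readonly
EOF
  )
}

# Usage with values taken from a live cluster (run on an admin workstation):
#   SERVER=$(kubectl config view --raw -o jsonpath='{.clusters[0].cluster.server}')
#   CA=$(kubectl config view --raw -o jsonpath='{.clusters[0].cluster.certificate-authority-data}')
#   TOKEN=$(kubectl get secret cluster-readonly-sa-token -n default -o=jsonpath='{.data.token}' | base64 --decode)
#   make_readonly_kubeconfig "$SERVER" "$CA" "$TOKEN" readonly.kubeconfig
# Then check what the file actually grants before handing it out:
#   kubectl --kubeconfig=readonly.kubeconfig auth can-i create deployments -A             # expect "no"
#   kubectl --kubeconfig=readonly.kubeconfig auth can-i create pods --subresource=exec -A  # "yes" while the exec rule exists
```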