Installing kubectl
Mac installation:
curl -LO "https://dl.k8s.io/release/v1.29.1/bin/darwin/arm64/kubectl"
chmod +x ./kubectl
sudo mv ./kubectl /usr/local/bin/kubectl
kubectl version --client --output=yaml
CentOS installation:
# Add the Kubernetes yum repo; adjust the version number as needed
cat <<EOF | tee /etc/yum.repos.d/kubernetes.repo
[kubernetes]
name=Kubernetes
baseurl=https://mirrors.aliyun.com/kubernetes-new/core/stable/v1.29/rpm/
enabled=1
gpgcheck=1
gpgkey=https://mirrors.aliyun.com/kubernetes-new/core/stable/v1.29/rpm/repodata/repomd.xml.key
EOF
# Install a specific version
yum install -y kubectl-1.29.1
# Enable kubectl shell completion
yum install -y bash-completion
kubectl completion bash > /etc/bash_completion.d/kubectl
source /etc/bash_completion.d/kubectl
Kubernetes accounts
Kubernetes distinguishes two kinds of accounts: User Accounts and Service Accounts:
- A UserAccount is for people outside the cluster, such as operators or cluster administrators; running kubectl commands uses a UserAccount. UserAccounts are global: a name is unique across all namespaces of the cluster, and by default the user is admin.
- A ServiceAccount is the identity used by processes running in a Pod; when a container process needs to call the API server, it authenticates as a ServiceAccount. A ServiceAccount is scoped to its own namespace, and every namespace automatically gets a default service account; a Pod created without specifying a Service Account runs with the default Service Account.
Generating a kubeconfig (X509 client certificate method)
Prepare a ClusterConfiguration file for kubeadm to generate the kubeconfig from:
apiVersion: kubeadm.k8s.io/v1beta3
kind: ClusterConfiguration
# "kubernetes" will be the cluster name in the kubeconfig
clusterName: "kubernetes"
# API server address (IP or DNS name) written into the cluster entry of the kubeconfig
controlPlaneEndpoint: "47.107.131.191:6443"
# Load the cluster CA key and CA certificate from this local directory
certificatesDir: "/etc/kubernetes/pki"
The configuration can be obtained with:
kubectl -n kube-system get configmaps kubeadm-config -o yaml
Superuser
The system:masters group is bound to the cluster-admin role, which lets a superuser perform any operation on any resource in the cluster:
kubeadm kubeconfig user --config cluster-configuration.yaml --org system:masters --client-name <username> --validity-period 24h > <username>.kubeconfig
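As an added example (not from the original post), a small Go program that reads the client certificate from a kubeconfig generated by kubeadm kubeconfig user and reports the identity the API server derives from it: the CN is the username, the O entries are the groups, and a certificate carrying system:masters is a superuser whose rights no ClusterRoleBinding controls and which cannot be revoked before it expires, which is why the validity period is worth checking. The SampleCert helper and the names alice and bob are constructed for the demo; in practice the PEM comes from base64-decoding the user's client-certificate-data field.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// ClientIdentity is what the API server derives from an X.509 client cert: CN = username, O entries = groups.
type ClientIdentity struct {
	User     string
	Groups   []string
	NotAfter time.Time
}
// IsSuperuser reports system:masters membership: cluster-admin regardless of RBAC bindings, not revocable.
func (id ClientIdentity) IsSuperuser() bool {
	for _, g := range id.Groups {
		if g == "system:masters" {
			return true
		}
	}
	return false
}
// InspectClientCert parses one PEM cert (the base64-decoded client-certificate-data of a kubeconfig user).
func InspectClientCert(pemBytes []byte) (ClientIdentity, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return ClientIdentity{}, errors.New("no CERTIFICATE block in input")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return ClientIdentity{}, err
	}
	return ClientIdentity{cert.Subject.CommonName, cert.Subject.Organization, cert.NotAfter}, nil
}
// SampleCert is a self-signed cert with the subject shape kubeadm emits (constructed sample, not a real cluster cert).
func SampleCert(user string, orgs []string, validity time.Duration) []byte {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: user, Organization: orgs},
		NotBefore: time.Now(), NotAfter: time.Now().Add(validity),
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}
```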
Cluster administrator user
1. Create a ClusterRoleBinding
This grants the admin cluster role:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: <username>
2. Create the kubeconfig
kubeadm kubeconfig user --config cluster-configuration.yaml --client-name <username> --validity-period 24h > <username>.kubeconfig
Ordinary cluster user
1. Create a ClusterRoleBinding
This grants only the cluster-wide view role:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cluster-view
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: view
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: <username>
2. Create the kubeconfig
kubeadm kubeconfig user --config cluster-configuration.yaml --client-name <username> --validity-period 24h > <username>.kubeconfig
Ordinary user
1. Create a Role and a RoleBinding
Permissions are granted only within the specified namespace:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: <roleName>
  namespace: <namespace>
rules:
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - get
  - watch
  - list
  - create
  - update
  - patch
  - delete
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: <roleBindingName>
  namespace: <namespace>
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: <roleName>
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: <username>
2. Create the kubeconfig
kubeadm kubeconfig user --config cluster-configuration.yaml --client-name <username> --validity-period 24h > <username>.kubeconfig
ServiceAccount Token
Generate a token for a ServiceAccount with:
kubectl create token <serviceAccountName> -n <namespace>
The token can also be used as the authentication entry of a kubeconfig, for example:
apiVersion: v1
kind: Config
clusters:
- name: kubernetes
  cluster:
    server: xxxx:6443
    certificate-authority-data: xxxxxx
users:
- name: xxx
  user:
    token: <token>
contexts:
- name: xxx@kubernetes
  context:
    user: xxx
    cluster: kubernetes
current-context: "xxx@kubernetes"
Verifying the kubeconfig
Any of the following methods can be used.
1. Use the KUBECONFIG environment variable
The KUBECONFIG environment variable holds a list of kubeconfig files. On Linux and Mac the list is colon-separated; on Windows it is semicolon-separated. The KUBECONFIG variable is not required: if it is not set, kubectl uses the default kubeconfig file, $HOME/.kube/config.
If KUBECONFIG is set, kubectl uses the effective configuration obtained by merging the files listed in it:
kubectl cluster-info
2. Use the default path
Copy the contents of the kubeconfig into the $HOME/.kube/config file, then run:
kubectl cluster-info
3. Specify the file with the --kubeconfig flag
kubectl cluster-info --kubeconfig ./xxx.kubeconfig
With multiple clusters configured, switch between them with kubectl config use-context xxx.
Related links: