
Using kubectl as multiple users, with RBAC authorization

2019-08-06 20:14  148 views
Copyright notice: this article is the blogger's original work and is licensed under the CC 4.0 BY-SA license; when reposting, please include the original source link and this notice. Original link: https://blog.csdn.net/weixin_42544826/article/details/98655387


Creating a kubeconfig file for a self-hosted Kubernetes cluster

This tutorial explains how to create a kubeconfig file to authenticate to a self-hosted Kubernetes cluster.

Create user incubator

useradd incubator
cd /home/incubator
mkdir .kube

Author a ServiceAccount spec

sa-incubator.yaml

apiVersion: v1
kind: ServiceAccount
metadata:
  name: sa-incubator  # any name you'd like

Run:

kubectl create -f sa-incubator.yaml

Fetch the name of the Secret used by the ServiceAccount

kubectl describe sa sa-incubator

output

Name:                sa-incubator
Namespace:           default
Labels:              <none>
Annotations:         <none>
Image pull secrets:  <none>
Mountable secrets:   sa-incubator-token-bstl2
Tokens:              sa-incubator-token-bstl2
Events:              <none>

Note down the Mountable secrets value: it is the name of the Secret that holds the service account's token. (On Kubernetes 1.24 and later the API server no longer auto-creates these token Secrets, so this field will be empty; there, request a short-lived token with `kubectl create token sa-incubator` instead and skip the next step.)

Fetch the token from the secret

Using the Mountable secrets value, you can get the token used by the service account. Run the following command to extract this information. Note that kubectl describe prints the token already decoded; `kubectl get secret -o yaml` would show it base64-encoded.

kubectl describe secret sa-incubator-token-bstl2

output

Name:         sa-incubator-token-bstl2
Namespace:    default
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: sa-incubator
              kubernetes.io/service-account.uid: c07ec304-b81b-11e9-bcf3-000c29974f23

Type:  kubernetes.io/service-account-token

Data
====
namespace:  7 bytes
token:      eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6InNhLWluY3ViYXRvci10b2tlbi1ic3RsMiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJzYS1pbmN1YmF0b3IiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiJjMDdlYzMwNC1iODFiLTExZTktYmNmMy0wMDBjMjk5NzRmMjMiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6ZGVmYXVsdDpzYS1pbmN1YmF0b3IifQ.IrZvA3HxH-FN76zyUUpcaDfedtnfSuTmsBTnE4s4SOY2dqG6bWrPHJcMbVbVg5NpF6tjO6WvdV3lKNoZyIeY_eJF3X1GLxeWIFbus543QbjtJWq5e9LUuPJ7gqjfjh0svphgMlbS-Jl-ZZD9S0Bvvj3nZ5St5BLIW9x25RUdKW6FkKj51lzz_TWTpP4uH_bJqdzyhONtm1i7GaDtYeQjtzX9h2imCbUgm6H7aPVaFc5qGm_u-lM5lxwyueo5N0wrZuDnI4IBlH7zXQm1eJjx22C2OJZTCxKMOZZM_YoVlMiq5n7zUqWxgx1dtu5r4L4tcMYeItWi9Mu9nOmEH0TqLA
ca.crt:     1025 bytes

This will output the token information, which looks something like the above. Note down the token value. This is a long-lived bearer credential: anyone who holds it can act as sa-incubator until the Secret is deleted, so handle it like a password.

Get the certificate info for the cluster

Every cluster has a CA certificate that clients use to verify the API server's TLS certificate (and so to encrypt traffic to the right server). Fetch the certificate and write it to a file by running this command. In this case we are using the file name cluster-cert.txt. Be aware that --flatten inlines the admin's client certificate and private key into the file as well, so cluster-cert.txt is as sensitive as the admin kubeconfig: copy the two values you need and delete it.

kubectl config view --flatten --minify > cluster-cert.txt
cat cluster-cert.txt

output

apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: <base64 CA certificate omitted>
    server: https://192.168.22.45:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
  user:
    client-certificate-data: <base64 client certificate omitted>
    client-key-data: <base64 client key omitted>

Copy two pieces of information from here: certificate-authority-data and server. Do not copy client-certificate-data or client-key-data; those are the admin's credentials and must not end up in the new user's kubeconfig.

Create a kubeconfig file

From the steps above, you should have the following pieces of information:

  • token

  • certificate-authority-data

  • server

Create a file called "config" and paste this content into it:

apiVersion: v1
kind: Config
users:
- name: sa-incubator
  user:
    token: <replace this with token info>
clusters:
- cluster:
    certificate-authority-data: <replace this with certificate-authority-data info>
    server: <replace this with server info>
  name: self-hosted-cluster
contexts:
- context:
    cluster: self-hosted-cluster
    user: sa-incubator
  name: svcs-acct-context
current-context: svcs-acct-context

Replace the placeholders above with the information gathered so far:

  • replace the token
  • replace the certificate-authority-data
  • replace the server

Save the result as /home/incubator/.kube/config (the location kubectl reads by default), owned by incubator and with mode 0600, since the file contains the bearer token.

Create RBAC.yaml

The ServiceAccount lives in the default namespace, but the new user should only be able to work with resources in the kube-system namespace, so the Role and the RoleBinding are created in kube-system and the binding's subject points at the ServiceAccount in default. Be aware that the Role below grants far more than pod access: it includes get/list on secrets in kube-system (which hold control-plane and controller credentials), create and get on pods/exec and pods/attach (a shell in control-plane pods), create on pods, impersonate on kube-system service accounts, and create on roles and rolebindings. On a typical cluster that is a short path to cluster-admin, so trim the rules to what the user really needs and verify the result with `kubectl auth can-i --list -n kube-system --as=system:serviceaccount:default:sa-incubator`.

apiVersion: rbac.authorization.k8s.io/v1   # v1beta1 was removed in Kubernetes 1.22; v1 has been GA since 1.8
kind: RoleBinding
metadata:
  name: sa-incubator-rb
  namespace: kube-system
roleRef:
  apiGroup: rbac.authorization.k8s.io   # an empty value is defaulted to this, but be explicit
  kind: Role
  name: role-grantor
subjects:
- kind: ServiceAccount
  name: sa-incubator
  namespace: default
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: kube-system
  name: role-grantor
rules:
- apiGroups:
  - ""
  resources:
  - pods/attach
  - pods/exec
  - pods/portforward
  - pods/proxy
  - secrets
  - services/proxy
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - serviceaccounts
  verbs:
  - impersonate
- apiGroups:
  - ""
  resources:
  - pods
  - pods/attach
  - pods/exec
  - pods/portforward
  - pods/proxy
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - ""
  resources:
  - configmaps
  - endpoints
  - persistentvolumeclaims
  - replicationcontrollers
  - replicationcontrollers/scale
  - secrets
  - serviceaccounts
  - services
  - services/proxy
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - apps
  resources:
  - daemonsets
  - deployments
  - deployments/rollback
  - deployments/scale
  - replicasets
  - replicasets/scale
  - statefulsets
  - statefulsets/scale
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - autoscaling
  resources:
  - horizontalpodautoscalers
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - batch
  resources:
  - cronjobs
  - jobs
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - extensions
  resources:
  - daemonsets
  - deployments
  - deployments/rollback
  - deployments/scale
  - ingresses
  - networkpolicies
  - replicasets
  - replicasets/scale
  - replicationcontrollers/scale
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - policy
  resources:
  - poddisruptionbudgets
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses
  - networkpolicies
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - ""
  resources:
  - configmaps
  - endpoints
  - persistentvolumeclaims
  - pods
  - replicationcontrollers
  - replicationcontrollers/scale
  - serviceaccounts
  - services
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - bindings
  - events
  - limitranges
  - namespaces/status
  - pods/log
  - pods/status
  - replicationcontrollers/status
  - resourcequotas
  - resourcequotas/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - apps
  resources:
  - controllerrevisions
  - daemonsets
  - deployments
  - deployments/scale
  - replicasets
  - replicasets/scale
  - statefulsets
  - statefulsets/scale
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - autoscaling
  resources:
  - horizontalpodautoscalers
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - batch
  resources:
  - cronjobs
  - jobs
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - extensions
  resources:
  - daemonsets
  - deployments
  - deployments/scale
  - ingresses
  - networkpolicies
  - replicasets
  - replicasets/scale
  - replicationcontrollers/scale
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - policy
  resources:
  - poddisruptionbudgets
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses
  - networkpolicies
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - authorization.k8s.io
  resources:
  - localsubjectaccessreviews
  verbs:
  - create
- apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - rolebindings
  - roles
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
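As an added example (not from the original post), here is a shell/awk audit of what a Role manifest actually grants, run on an excerpt of the Role above. It expands each rule into resource/verb pairs and flags those that, in kube-system, reach well beyond pods. The function names and the deny-list are this example's own choices; the excerpt is a few of the rules from the manifest above, not a separate constructed policy.

```shell
#!/usr/bin/env sh
# Added example: expand a Role manifest into "resource verb" grants and flag
# the ones that are dangerous in kube-system. Pure awk, so it can run on the
# manifest before `kubectl apply`. Function names are this example's own.

# Expand rules[].resources x rules[].verbs into one "resource verb" per line.
# Assumes the kubectl-style layout used above: rules start with "- apiGroups:"
# at column 0 and the rule's list items are indented by two spaces.
role_grants() {
  awk '
    /^- apiGroups:/ { n = 0; mode = "" }         # new rule: forget resources
    /^  resources:/ { mode = "res";  next }
    /^  verbs:/     { mode = "verb"; next }
    /^  [a-zA-Z]/   { mode = "" }                # any other key of the rule
    /^  - / {
      if (mode == "res")       res[++n] = $2
      else if (mode == "verb") for (i = 1; i <= n; i++) print res[i], $2
    }
  ' "$1"
}

# Grants that defeat a "pods only" intent inside kube-system: reading Secrets
# exposes control-plane and controller credentials; exec/attach (create, or
# get for the WebSocket path) gives a shell in control-plane pods; creating
# or patching pods runs code under any kube-system service account;
# impersonating those accounts borrows their (often cluster-wide) rights;
# creating or binding roles can re-grant whatever the subject already holds.
risky_grants() {
  role_grants "$1" | awk '
    $1 == "secrets" && ($2 == "get" || $2 == "list" || $2 == "watch") ||
    ($1 == "pods/exec" || $1 == "pods/attach") && ($2 == "create" || $2 == "get") ||
    $1 == "pods" && ($2 == "create" || $2 == "patch" || $2 == "update") ||
    $1 == "serviceaccounts" && $2 == "impersonate" ||
    $1 == "serviceaccounts/token" && $2 == "create" ||
    ($1 == "roles" || $1 == "rolebindings") && ($2 == "create" || $2 == "bind" || $2 == "escalate")
  '
}

# --- excerpt of the Role above (three of its rules) ---
ROLE=$(mktemp)
cat >"$ROLE" <<'EOF'
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: kube-system
  name: role-grantor
rules:
- apiGroups:
  - ""
  resources:
  - pods/attach
  - pods/exec
  - secrets
  verbs:
  - get
  - list
- apiGroups:
  - ""
  resources:
  - serviceaccounts
  verbs:
  - impersonate
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
  - watch
EOF

echo "== all grants =="
role_grants "$ROLE"
echo "== risky grants =="
risky_grants "$ROLE"

# Cross-check against the live cluster once the binding exists (needs a cluster):
#   kubectl auth can-i --list -n kube-system --as=system:serviceaccount:default:sa-incubator
#   kubectl auth can-i get secrets -n kube-system --as=system:serviceaccount:default:sa-incubator
```

On the excerpt, only the plain pods get/list/watch rule passes; the other two rules produce the flagged pairs. Run against the full manifest above, the list is considerably longer.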

The end

There are still many unclear places; if you have any questions, please contact me on WeChat.

