Creating k8s contexts


  With the k8s cluster already set up, the next step is to create a separate context for each developer, so that people sharing the cluster do not accidentally delete someone else's containers.

1. Create the directories and enter the working directory:

mkdir -p /etc/k8s-conf.d/common
mkdir -p /etc/k8s-conf.d/template
cd /etc/k8s-conf.d


2. Create the namespaces:

kubectl create ns k8s-dev 

kubectl create ns k8s-testing

k8s-dev and k8s-testing are shared namespaces that every developer may operate in. In addition, each developer gets a private namespace named after the pinyin of their Chinese name, which is easy to remember.

Write the team members' names into a lists.txt file, one per line, and create the namespaces in bulk with a script, for example:

cat lists.txt | gawk '{print "kubectl create ns " $0}' | sh


3. Create the shared context config file with the common.sh script:

#!/bin/bash
# common.sh: create a shared user (k8s-dev / k8s-testing) and its context
# Usage: bash common.sh <user> <namespace>

USER=$1            # user name, also used as the certificate CN
CLUSTER=k8s-cluster
NAMESPACE=$2

prefix=/etc/k8s-conf.d
CA_PATH=/etc/kubernetes/pki
KUBECONFIG_OUT=$prefix/common/config

# Generate a private key and have the cluster CA sign a certificate for it
function createKey {
  mkdir -p "$prefix/$1"
  cd "$prefix/$1" || exit 1
  echo "now creating user $1"
  (umask 077; openssl genrsa -out "$1.key" 2048)
  openssl req -new -key "$1.key" -out "$1.csr" -subj "/CN=$1"
  openssl x509 -req -in "$1.csr" -CA "${CA_PATH}/ca.crt" -CAkey "${CA_PATH}/ca.key" -CAcreateserial -out "$1.crt" -days 5000
  openssl x509 -in "$1.crt" -text -noout
}

createKey "$USER"

# Write the cluster, user and context entries into the shared kubeconfig
function setCredentials {
  # cluster entry
  kubectl config set-cluster "$CLUSTER" --server=https://10.254.18.2:6443 --certificate-authority="${CA_PATH}/ca.crt" --embed-certs=true --kubeconfig="$KUBECONFIG_OUT"
  # user entry; the certificate and private key are embedded in the file
  kubectl config set-credentials "$1" --client-certificate="$1.crt" --client-key="$1.key" --embed-certs=true --kubeconfig="$KUBECONFIG_OUT"
  kubectl config set-context "ctx-$1" --namespace="$NAMESPACE" --cluster="$CLUSTER" --user="$1" --kubeconfig="$KUBECONFIG_OUT"
}

setCredentials "$USER"

Run the script as follows:

bash common.sh k8s-dev k8s-dev

bash common.sh k8s-testing k8s-testing

This creates the users k8s-dev and k8s-testing with the contexts ctx-k8s-dev and ctx-k8s-testing, written to the config file in the common directory. Every personal config file created later is built on top of this file.


4. Create each user's private context with user.sh:

#!/bin/bash
# user.sh: create an account, certificate and context for a lab group member
# Usage: bash user.sh <name>   (the name is also the private namespace)

USER=$1            # user name, also used as the certificate CN
CLUSTER=k8s-cluster
NAMESPACE=$1

prefix=/etc/k8s-conf.d
CA_PATH=/etc/kubernetes/pki
KUBECONFIG_OUT=$prefix/common/$USER.conf

# Start from the shared config, so the personal file also carries the
# k8s-dev and k8s-testing users and contexts (including their embedded keys)
function init {
  cp "$prefix/common/config" "$KUBECONFIG_OUT"
  mkdir -p "$prefix/$USER"
  cd "$prefix/$USER" || exit 1
}

init

# Generate a private key and have the cluster CA sign a certificate for it
function createKey {
  cd "$prefix/$1" || exit 1
  echo "now creating user $1"
  (umask 077; openssl genrsa -out "$1.key" 2048)
  openssl req -new -key "$1.key" -out "$1.csr" -subj "/CN=$1"
  openssl x509 -req -in "$1.csr" -CA "${CA_PATH}/ca.crt" -CAkey "${CA_PATH}/ca.key" -CAcreateserial -out "$1.crt" -days 5000
  openssl x509 -in "$1.crt" -text -noout
}

createKey "$USER"

# Add the cluster, user and context entries to the personal kubeconfig
function setCredentials {
  # cluster entry
  kubectl config set-cluster "$CLUSTER" --server=https://10.254.18.2:6443 --certificate-authority="${CA_PATH}/ca.crt" --embed-certs=true --kubeconfig="$KUBECONFIG_OUT"
  # user entry; the certificate and private key are embedded in the file
  kubectl config set-credentials "$1" --client-certificate="$1.crt" --client-key="$1.key" --embed-certs=true --kubeconfig="$KUBECONFIG_OUT"
  kubectl config set-context "ctx-$1" --namespace="$NAMESPACE" --cluster="$CLUSTER" --user="$1" --kubeconfig="$KUBECONFIG_OUT"
}

setCredentials "$USER"

Create the users in bulk:

cat lists.txt | gawk '{print "bash user.sh " $0}' | sh


5. Grant each user their permissions from templates kept in the template directory.

template-role.yaml:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: template
  name: template-role
rules:
- apiGroups: ["","extensions","apps","batch","autoscaling"]
  resources: ["deployments","services","jobs","crontabs","daemonsets","replicasets","statefulsets","horizontalpodautoscalers","replicationcontrollers","cronjobs"]
  verbs: ["get","list","watch","create","update","patch","delete"]
- apiGroups: [""]
  # kubectl exec is authorized by "create" on pods/exec; "exec" is not an RBAC verb
  resources: ["pods","pods/log","pods/exec","endpoints","secrets","persistentvolumeclaims","configmaps"]
  verbs: ["get","list","watch","create","update","patch","delete"]

---
apiVersion: rbac.authorization.k8s.io/v1   # v1beta1 was removed in Kubernetes 1.22
kind: RoleBinding
metadata:
  namespace: template
  name: k8s-template-rolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: template-role
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: template

template-ClusterRole.yaml:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: template-ClusterRole
rules:
# read-only view of these API groups in every namespace; note that "*" in the
# core group ("") includes the secrets and configmaps of all namespaces
- apiGroups: ["","extensions","apps","batch","autoscaling","storage.k8s.io"]
  resources: ["*"]
  verbs: ["get","list","watch"]
# patch on nodes allows changing node labels and taints cluster-wide
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["patch"]

---
apiVersion: rbac.authorization.k8s.io/v1   # v1beta1 was removed in Kubernetes 1.22
kind: ClusterRoleBinding
metadata:
  name: k8s-template-ClusterRoleBinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: template-ClusterRole
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: template
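A post-provisioning check, added here as an example and not part of the original post: once role-init.sh (below) has bound the rendered Role and ClusterRole, it uses kubectl's --as impersonation from a cluster-admin kubeconfig to confirm what a user can and cannot do. The user names zhangsan and lisi are constructed, and the KUBECTL variable is an assumption so the checks can be exercised against a stub; with the templates exactly as written above, the two cluster-wide checks report violations, which is the reason to narrow resources: ["*"] and the nodes patch rule.

```bash
#!/bin/bash
# Added example, not from the original post: verify a provisioned user's
# effective RBAC rights via impersonation. Run with a cluster-admin kubeconfig.
# KUBECTL is an assumption: point it at a stub function to dry-run the checks.
KUBECTL="${KUBECTL:-kubectl}"

# can_i USER VERB RESOURCE [kubectl flags...] -> prints "yes" or "no"
can_i() {
  local user=$1 verb=$2 resource=$3
  shift 3
  "$KUBECTL" auth can-i "$verb" "$resource" "$@" --as "$user" 2>/dev/null
}

# expect_access USER VERB RESOURCE EXPECTED [kubectl flags...]
# returns 0 when the answer matches EXPECTED, 1 (and a FAIL line) otherwise
expect_access() {
  local user=$1 verb=$2 resource=$3 want=$4 got
  shift 4
  got=$(can_i "$user" "$verb" "$resource" "$@")
  if [ "$got" = "$want" ]; then return 0; fi
  echo "FAIL: $user $verb $resource $* -> '$got' (expected $want)" >&2
  return 1
}

# check_user USER OTHER_USER: USER must be able to create pods in its own
# namespace, see nothing in OTHER_USER's namespace, and have neither a
# cluster-wide read of Secrets nor patch on nodes. Prints the violation count.
check_user() {
  local user=$1 other=$2 fails=0
  expect_access "$user" create pods yes --namespace "$user" || fails=$((fails+1))
  expect_access "$user" get pods no --namespace "$other"   || fails=$((fails+1))
  expect_access "$user" list secrets no --all-namespaces   || fails=$((fails+1))
  expect_access "$user" patch nodes no                     || fails=$((fails+1))
  echo "$fails"
}

# Usage: bash check-rbac.sh zhangsan lisi
if [ $# -ge 2 ]; then
  echo "$(check_user "$1" "$2") violation(s) for $1"
fi
```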

Adjust the Role and ClusterRole permissions to your needs. As written, the ClusterRole's resources: ["*"] with get/list/watch in the core API group lets every developer read the Secrets and ConfigMaps of all namespaces, including other developers' private ones and kube-system, and patch on nodes lets them change node labels and taints; narrow both unless that is intended. Then create the Role and ClusterRole with the role-init.sh script:

#!/bin/bash
# role-init.sh: render the Role/ClusterRole templates for one user, bind them and apply
# Usage: bash role-init.sh <name>

USER=$1
prefix=/etc/k8s-conf.d

function modify {
  cp "$prefix/template/template-role.yaml" "$prefix/$USER"
  cp "$prefix/template/template-ClusterRole.yaml" "$prefix/$USER"
  cd "$prefix/$USER" || exit 1
  rm -rf "$USER"-role*.yaml
  mv template-role.yaml "$USER-role.yaml"
  mv template-ClusterRole.yaml "$USER-ClusterRole.yaml"
  # replace the placeholder "template" (namespace, object names, subject) with the user name
  sed -i "s/template/$USER/" "$USER-role.yaml"
  sed -i "s/template/$USER/" "$USER-ClusterRole.yaml"
  # delete any previous objects so that re-running the script refreshes them
  kubectl delete -f "$USER-ClusterRole.yaml"
  kubectl create -f "$USER-ClusterRole.yaml"
  kubectl delete -f "$USER-role.yaml"
  kubectl create -f "$USER-role.yaml"
}

modify

Run the following to create the Roles and ClusterRoles in bulk:

cat lists.txt | gawk '{print "bash role-init.sh " $0}' | sh
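The cat lists.txt | gawk ... | sh one-liners in steps 2, 4 and 5 execute every line of lists.txt as shell, so a stray character in that file becomes a command run by whoever provisions the cluster. The following is an added example, not from the original post: it passes only lines that are valid Kubernetes namespace names (lowercase RFC 1123 labels of at most 63 characters, which is what kubectl create ns accepts anyway) to the command and reports everything else. The file name and the names used in the test are constructed.

```bash
#!/bin/bash
# Added example, not from the original post: a validating replacement for
#   cat lists.txt | gawk '{print "bash user.sh " $0}' | sh

# valid_ns_name NAME -> 0 if NAME is a valid namespace name, 1 otherwise
valid_ns_name() {
  local name=$1
  [ "${#name}" -ge 1 ] && [ "${#name}" -le 63 ] || return 1
  # RFC 1123 label: lowercase alphanumerics and '-', alphanumeric at both ends
  printf '%s\n' "$name" | grep -Eq '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$'
}

# filter_names FILE: prints the valid names from FILE (one per line; blank
# lines and '#' comments are ignored), reports rejected lines on stderr and
# returns 1 if anything was rejected.
filter_names() {
  local file=$1 bad=0 line
  while IFS= read -r line || [ -n "$line" ]; do
    line=${line%%#*}                                  # drop comments
    line=$(printf '%s' "$line" | tr -d '[:space:]')   # drop whitespace
    [ -z "$line" ] && continue
    if valid_ns_name "$line"; then
      printf '%s\n' "$line"
    else
      printf 'rejected (not a valid namespace name): %s\n' "$line" >&2
      bad=1
    fi
  done < "$file"
  return "$bad"
}

# run_for_each FILE CMD...: runs CMD with each valid name appended, e.g.
#   run_for_each lists.txt kubectl create ns
#   run_for_each lists.txt bash user.sh
#   run_for_each lists.txt bash role-init.sh
run_for_each() {
  local file=$1 name
  shift
  filter_names "$file" | while IFS= read -r name; do
    "$@" "$name"
  done
}
```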

k8s-dev and k8s-testing need separate handling: edit role.yaml and ClusterRole.yaml by hand, paying attention to the namespace and name fields in the YAML, then run kubectl create -f role.yaml and kubectl create -f ClusterRole.yaml.


Finally, hand the *.conf files in the common directory to the team members, for example by placing the .conf files in an nginx download directory so that developers fetch them over the web. Because the scripts use --embed-certs=true, each .conf file contains that user's private key as well as the shared k8s-dev and k8s-testing keys, so the download location must not be reachable without authentication.
