forked from docs/doc-exports
Reviewed-by: Eotvos, Oliver <oliver.eotvos@t-systems.com> Co-authored-by: Dong, Qiu Jian <qiujiandong1@huawei.com> Co-committed-by: Dong, Qiu Jian <qiujiandong1@huawei.com>
<a name="cce_bestpractice_00221"></a><a name="cce_bestpractice_00221"></a>
<h1 class="topictitle1">Configuring kubeconfig for Fine-Grained Management on Cluster Resources</h1>
<div id="body8662426"><div class="section" id="cce_bestpractice_00221__en-us_topic_0235296162_section185876017314"><h4 class="sectiontitle">Application Scenarios</h4><p id="cce_bestpractice_00221__en-us_topic_0235296162_p1129761834">By default, the kubeconfig file that CCE provides for a user carries the permissions of the <strong id="cce_bestpractice_00221__en-us_topic_0235296162_b1076319143710">cluster-admin</strong> role, which are equivalent to those of user <strong id="cce_bestpractice_00221__en-us_topic_0235296162_b1417272019388">root</strong>. Such a file cannot be used to give an individual user a narrower set of permissions, and anyone who obtains it has full control of the cluster.</p>
</div>
<div class="section" id="cce_bestpractice_00221__en-us_topic_0235296162_section483710529313"><h4 class="sectiontitle">Purpose</h4><p id="cce_bestpractice_00221__en-us_topic_0235296162_p6254145715317">Manage cluster resources in a fine-grained manner, so that a specific user holds only the permissions it needs (for example, creating, querying, or modifying particular resources in one namespace) and nothing else.</p>
</div>
<div class="section" id="cce_bestpractice_00221__section15818155714583"><h4 class="sectiontitle">Precautions</h4><p id="cce_bestpractice_00221__p11442468477">Ensure that kubectl is available on your host. If it is not, download it from <a href="https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/README.md" target="_blank" rel="noopener noreferrer">here</a>; choose the release that matches the cluster version, or the latest release.</p>
</div>
<div class="section" id="cce_bestpractice_00221__en-us_topic_0235296162_section0534114511224"><h4 class="sectiontitle">Configuration Method</h4><div class="note" id="cce_bestpractice_00221__note1477115617137"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="cce_bestpractice_00221__p377119651316">In the following example, the generated kubeconfig can view pods and Deployments in the <strong id="cce_bestpractice_00221__b7947326248">test</strong> namespace and create Deployments there. It cannot create pods, delete anything, or access any other namespace.</p>
</div></div>
<ol id="cce_bestpractice_00221__en-us_topic_0235296162_ol2045310117246"><li id="cce_bestpractice_00221__en-us_topic_0235296162_li1145313111245"><span>Create the service account <strong id="cce_bestpractice_00221__b10998615853">my-sa</strong> in the namespace <strong id="cce_bestpractice_00221__b172610191512">test</strong>. The namespace must already exist (create it with kubectl create namespace test if it does not); the Role and RoleBinding created in the next steps are scoped to it.</span><p><pre class="screen" id="cce_bestpractice_00221__screen3385123214588">kubectl create sa<strong id="cce_bestpractice_00221__b738763215581"> my-sa</strong> -n <strong id="cce_bestpractice_00221__b438733245813">test</strong></pre>
<p id="cce_bestpractice_00221__p58791833142216"><span><img id="cce_bestpractice_00221__image11792172214323" src="en-us_image_0000001897904561.png"></span></p>
</p></li><li id="cce_bestpractice_00221__en-us_topic_0235296162_li1113514136241"><span>Write the Role, which lists the operations allowed on each resource.</span><p><pre class="screen" id="cce_bestpractice_00221__screen77219314593">vi<strong id="cce_bestpractice_00221__b19722232592"> </strong><strong id="cce_bestpractice_00221__b6722131599">role-test.yaml</strong></pre>
<div class="p" id="cce_bestpractice_00221__p186825218585">The content is as follows:<div class="note" id="cce_bestpractice_00221__note244018041217"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="cce_bestpractice_00221__p144401904127">In this example, the rules grant read-only access (get/list/watch) to pods in the <strong id="cce_bestpractice_00221__b69017192266">test</strong> namespace, and read (get/list/watch) plus create access to Deployments. Pods belong to the core API group (written as the empty string) and Deployments to the apps group, so each resource is listed under its own apiGroups entry; a resource listed under the wrong group never matches a request. No delete verb is granted anywhere.</p>
</div></div>
<pre class="screen" id="cce_bestpractice_00221__screen350115832310">apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: myrole
  namespace: <strong id="cce_bestpractice_00221__b2534014610">test</strong>
rules:
# Core API group: pods may only be read.
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
  - watch
# apps API group: Deployments may be read and created, but not updated or deleted.
- apiGroups:
  - apps
  resources:
  - deployments
  verbs:
  - get
  - list
  - watch
  - create</pre>
</div>
<p id="cce_bestpractice_00221__p3294161035914">Create a Role.</p>
<pre class="screen" id="cce_bestpractice_00221__screen137421928195913">kubectl create -f <strong id="cce_bestpractice_00221__b574412825916">role-test.yaml</strong></pre>
<p id="cce_bestpractice_00221__p1650188202314"><span><img id="cce_bestpractice_00221__image12591847170" src="en-us_image_0000001898024113.png"></span></p>
</p></li><li id="cce_bestpractice_00221__en-us_topic_0235296162_li101557118243"><span>Create a RoleBinding that binds the service account to the Role. The Role alone grants nothing; the binding is what gives the service account its permissions.</span><p><pre class="screen" id="cce_bestpractice_00221__screen2012334716596">vi <strong id="cce_bestpractice_00221__b17124847125915">myrolebinding.yaml</strong></pre>
<div class="p" id="cce_bestpractice_00221__p1435133885916">The content is as follows:<pre class="screen" id="cce_bestpractice_00221__screen13412026131810">apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: myrolebinding
  namespace: <strong id="cce_bestpractice_00221__b2383124517505">test</strong>
roleRef:
  # A RoleBinding can only reference a Role in its own namespace.
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: myrole
subjects:
- kind: ServiceAccount
  name: <strong id="cce_bestpractice_00221__b26141715816">my-sa</strong>
  namespace: <strong id="cce_bestpractice_00221__b444934205019">test</strong></pre>
</div>
<p id="cce_bestpractice_00221__p177586527592">Create the RoleBinding.</p>
<pre class="screen" id="cce_bestpractice_00221__screen10175129603">kubectl create -f <strong id="cce_bestpractice_00221__b1917612913013">myrolebinding.yaml</strong></pre>
<p id="cce_bestpractice_00221__p18412226191812"><span><img id="cce_bestpractice_00221__image1464615881920" src="en-us_image_0000001851585188.png"></span></p>
<p id="cce_bestpractice_00221__p34122026131812">The RBAC side is now configured. Steps <a href="#cce_bestpractice_00221__li1391034015537">4</a> to <a href="#cce_bestpractice_00221__en-us_topic_0235296162_li1088912408273">8</a> obtain a token for the service account and write it, together with the cluster address and CA certificate, into a separate kubeconfig file.</p>
</p></li><li id="cce_bestpractice_00221__li1391034015537"><span>Create a long-lived token for the service account. Since Kubernetes 1.24 a token Secret is no longer created automatically for a service account, so it is created here by hand. A token of this type never expires and is revoked only by deleting the Secret, so anyone who copies the kubeconfig keeps the access until then. Where the cluster version supports it, a time-limited token from kubectl create token my-sa -n test --duration=... (TokenRequest API) is the safer choice for a kubeconfig handed to a person; rotate whichever kind you use.</span><p><pre class="screen" id="cce_bestpractice_00221__screen237826135815">vi <strong id="cce_bestpractice_00221__b13371261582">my-sa-token.yaml</strong></pre>
<div class="p" id="cce_bestpractice_00221__p163714263583">The content is as follows:<pre class="screen" id="cce_bestpractice_00221__screen8210104520536">apiVersion: v1
kind: Secret
metadata:
  name: my-sa-token-secret
  namespace: <strong id="cce_bestpractice_00221__b17675549155514">test</strong>
  annotations:
    # The API server populates this Secret with a token and the cluster CA for the named service account.
    kubernetes.io/service-account.name: my-sa
type: kubernetes.io/service-account-token</pre>
</div>
<p id="cce_bestpractice_00221__p83792665813">Create the token:</p>
<pre class="screen" id="cce_bestpractice_00221__screen103762615816">kubectl create -f <strong id="cce_bestpractice_00221__b113717263589">my-sa-token.yaml</strong></pre>
</p></li><li id="cce_bestpractice_00221__en-us_topic_0235296162_li756812692518"><a name="cce_bestpractice_00221__en-us_topic_0235296162_li756812692518"></a><a name="en-us_topic_0235296162_li756812692518"></a><span>Configure the cluster information.</span><p><ol type="a" id="cce_bestpractice_00221__ol1974954334911"><li id="cce_bestpractice_00221__li37498433499">Extract the cluster CA certificate (<strong id="cce_bestpractice_00221__b26491452191017">ca.crt</strong>) from the token Secret. The value is stored base64-encoded, so it is decoded, not decrypted.</li></ol>
<pre class="screen" id="cce_bestpractice_00221__screen84648161702">kubectl get secret<em id="cce_bestpractice_00221__i174652016206"> </em><strong id="cce_bestpractice_00221__b13583444025">my-sa-token-secret</strong> -n <strong id="cce_bestpractice_00221__b10465131611019">test</strong> -oyaml |grep ca.crt: | awk '{print $2}' |base64 -d > /home/ca.crt</pre>
<ol type="a" start="2" id="cce_bestpractice_00221__ol34941555134914"><li id="cce_bestpractice_00221__li15494115519498">Add the cluster entry to a new kubeconfig file. <strong id="cce_bestpractice_00221__b1535719294563">test-arm</strong> is the name of the cluster entry, <strong id="cce_bestpractice_00221__b1339863716307">https://192.168.0.110:5443</strong> the API server address (an example value; use your own), and <strong id="cce_bestpractice_00221__b467616321309">/home/test.config</strong> the path of the kubeconfig file to create.<ul id="cce_bestpractice_00221__ul539175734216"><li id="cce_bestpractice_00221__li2391157154212">If the private API server address is used, run the following command. The CA extracted above is embedded, so the file is self-contained and the server certificate is verified on every connection:<pre class="screen" id="cce_bestpractice_00221__screen457817264011">kubectl config set-cluster <strong id="cce_bestpractice_00221__b1757918261906">test-arm</strong><strong id="cce_bestpractice_00221__b155791626208"> </strong>--server=https://192.168.0.110:5443 --certificate-authority=/home/ca.crt --embed-certs=true --kubeconfig=<strong id="cce_bestpractice_00221__b55798261109">/home/test.config</strong></pre>
</li><li id="cce_bestpractice_00221__li43935734215">If the public API server address (the EIP) is used, the following command skips certificate verification; put the EIP in place of the example address:<pre class="screen" id="cce_bestpractice_00221__screen18919308011">kubectl config set-cluster <strong id="cce_bestpractice_00221__b121014301401">test-arm</strong> --server=https://192.168.0.110:5443 --kubeconfig=<strong id="cce_bestpractice_00221__b1010163016011">/home/test.config</strong> --insecure-skip-tls-verify=true</pre>
<p>--insecure-skip-tls-verify=true disables verification of the API server certificate. kubectl then sends the bearer token to whatever answers at that address, so anyone able to intercept or redirect the connection can capture the token and with it every permission bound above. Try the --certificate-authority form with the public address first; it works whenever the server certificate is issued by the cluster CA and includes the EIP. Fall back to skipping verification only when that fails, and treat the token as exposed on any untrusted network.</p>
</li></ul>
<p id="cce_bestpractice_00221__p192194944412"><span><img id="cce_bestpractice_00221__image5359624124416" src="en-us_image_0000001851743900.png"></span></p>
</li></ol>
<div class="note" id="cce_bestpractice_00221__note146571654173913"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="cce_bestpractice_00221__p9657554173917">If you run these commands <strong id="cce_bestpractice_00221__b6256121121412">on a node in the cluster</strong>, or <strong id="cce_bestpractice_00221__b1973925721412">the host that will use the file is a cluster node</strong>, do not write the kubeconfig to <strong id="cce_bestpractice_00221__b192521822101614">/root/.kube/config</strong>. That is the path kubectl reads by default, and the set-cluster, set-credentials and set-context commands would modify whatever configuration is already stored there.</p>
</div></div>
<p id="cce_bestpractice_00221__p95821828546">By default, the API server address of the cluster is a private IP address. After an EIP is bound to the cluster, the public IP address can also be used to reach the API server.</p>
</p></li><li id="cce_bestpractice_00221__en-us_topic_0235296162_li1295817892413"><span>Configure the cluster authentication information.</span><p><ol type="a" id="cce_bestpractice_00221__ol34521145553"><li id="cce_bestpractice_00221__li2045241410553">Obtain the service account token. kubectl describe secret prints it already decoded. If you read it with kubectl get secret -o yaml or -o jsonpath instead, the value is base64-encoded and must be piped through <strong id="cce_bestpractice_00221__b12410114433714">base64 -d</strong>.</li></ol>
<pre class="screen" id="cce_bestpractice_00221__screen112297351101">token=$(kubectl describe secret <strong id="cce_bestpractice_00221__b52302351012">my-sa-token-secret</strong> -n <strong id="cce_bestpractice_00221__b823012352002">test</strong> | awk '/token:/{print $2}')</pre>
<ol type="a" start="2" id="cce_bestpractice_00221__ol181156405614"><li id="cce_bestpractice_00221__li151151416567">Add the user entry <strong id="cce_bestpractice_00221__b126543396263">ui-admin</strong> with that token. The name is only a label inside the kubeconfig: the API server identifies the caller from the token as system:serviceaccount:test:my-sa, and the RoleBinding decides what that identity may do.</li></ol>
<pre class="screen" id="cce_bestpractice_00221__screen875133819019">kubectl config set-credentials <strong id="cce_bestpractice_00221__b187615383012">ui-admin</strong> --token=$token --kubeconfig=<strong id="cce_bestpractice_00221__b47613387015">/home/test.config</strong></pre>
<p id="cce_bestpractice_00221__p8115181534911"><span><img id="cce_bestpractice_00221__image177931727185917" src="en-us_image_0000001851585156.png"></span></p>
</p></li><li id="cce_bestpractice_00221__en-us_topic_0235296162_li147965421277"><a name="cce_bestpractice_00221__en-us_topic_0235296162_li147965421277"></a><a name="en-us_topic_0235296162_li147965421277"></a><span>Add a context that ties the cluster entry and the user entry together. <strong id="cce_bestpractice_00221__b93961444013">ui-admin@test</strong> is the context name.</span><p><pre class="screen" id="cce_bestpractice_00221__screen10880943107">kubectl config set-context <strong id="cce_bestpractice_00221__b148828439011">ui-admin@test</strong> --cluster=<strong id="cce_bestpractice_00221__b10882154317012">test-arm</strong> --user=<strong id="cce_bestpractice_00221__b1688216431004">ui-admin</strong> --kubeconfig=<strong id="cce_bestpractice_00221__b1488264315016">/home/test.config</strong></pre>
<p id="cce_bestpractice_00221__p830220399581"><span><img id="cce_bestpractice_00221__image18484456125914" src="en-us_image_0000001851743916.png"></span></p>
</p></li><li id="cce_bestpractice_00221__en-us_topic_0235296162_li1088912408273"><a name="cce_bestpractice_00221__en-us_topic_0235296162_li1088912408273"></a><a name="en-us_topic_0235296162_li1088912408273"></a><span>Make the new context the current one in the file. For how the file is used afterwards, see <a href="#cce_bestpractice_00221__en-us_topic_0235296162_section14884146153319">Verification</a>.</span><p><pre class="screen" id="cce_bestpractice_00221__screen7591114617014">kubectl config use-context <strong id="cce_bestpractice_00221__b1359311468020">ui-admin@test</strong> --kubeconfig=<strong id="cce_bestpractice_00221__b559315464018">/home/test.config</strong></pre>
<p id="cce_bestpractice_00221__p104992811208"><span><img id="cce_bestpractice_00221__image55073531019" src="en-us_image_0000001851743884.png"></span></p>
<div class="note" id="cce_bestpractice_00221__note169312501578"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="cce_bestpractice_00221__p1369345012720">To give another user exactly these permissions, hand over the generated file <strong id="cce_bestpractice_00221__b1113921543120">/home/test.config</strong> after step <a href="#cce_bestpractice_00221__en-us_topic_0235296162_li147965421277">7</a>. The user's host must be able to reach the API server address written into the file. The user then performs step <a href="#cce_bestpractice_00221__en-us_topic_0235296162_li1088912408273">8</a> on that host and passes the file path to kubectl with the --kubeconfig parameter on every command. Treat the file as a credential: it contains the token in clear text, and whoever holds it holds the service account's permissions.</p>
</div></div>
</p></li></ol>
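<p>The token written into the kubeconfig in steps 4 and 6 is a JWT, and what it says about itself determines how carefully the file must be handled. The following Python script is an added example, not code from this page or from CCE: it reads the claims of a service account token without verifying the signature (a cluster signs with its own private key, which is not available offline) and reports whose identity the token carries and whether it ever expires. The two tokens it inspects are constructed inline and signed with a throwaway HMAC key solely so that they have the shape of real tokens; the claim names follow the legacy Secret-based format and the TokenRequest format, while the issuer, audience and uid values are placeholders.</p>

```python
"""Inspect a service account token before shipping it in a kubeconfig.

Added example (not from the CCE documentation or from Kubernetes). The tokens
below are constructed here and signed with a throwaway HMAC key so that they
have the shape of real ones; only the claims are read, the signature is never
checked.
"""
import base64
import hashlib
import hmac
import json

FAKE_SIGNING_KEY = b"not-a-cluster-key"  # constructed; a real cluster signs with its private key
NOW = 1_700_000_000                       # fixed "current time" so the results are reproducible


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict) -> str:
    """Build a JWT (HS256 with the throwaway key) carrying the given claims."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(FAKE_SIGNING_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


# Claims of a legacy Secret-based token (what step 4 creates): no exp, valid until the Secret is deleted.
LEGACY_CLAIMS = {
    "iss": "kubernetes/serviceaccount",
    "kubernetes.io/serviceaccount/namespace": "test",
    "kubernetes.io/serviceaccount/secret.name": "my-sa-token-secret",
    "kubernetes.io/serviceaccount/service-account.name": "my-sa",
    "kubernetes.io/serviceaccount/service-account.uid": "00000000-constructed",
    "sub": "system:serviceaccount:test:my-sa",
}

# Claims of a TokenRequest token (kubectl create token): audience-bound and expiring.
BOUND_CLAIMS = {
    "aud": ["https://kubernetes.default.svc"],               # placeholder audience
    "exp": NOW + 3600,
    "iat": NOW,
    "nbf": NOW,
    "iss": "https://kubernetes.default.svc.cluster.local",   # placeholder issuer
    "kubernetes.io": {"namespace": "test",
                      "serviceaccount": {"name": "my-sa", "uid": "00000000-constructed"}},
    "sub": "system:serviceaccount:test:my-sa",
}


def read_claims(token: str) -> dict:
    """Return the payload of a JWT without checking its signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def summarize(token: str, now: int = NOW) -> dict:
    """Report whose identity the token carries and whether it ever expires."""
    claims = read_claims(token)
    sub = claims.get("sub", "")
    # The namespace claim differs between the two formats; sub has the same shape in both.
    namespace = (claims.get("kubernetes.io/serviceaccount/namespace")
                 or claims.get("kubernetes.io", {}).get("namespace"))
    exp = claims.get("exp")
    return {
        "subject": sub,
        "namespace": namespace,
        "is_service_account": sub.startswith("system:serviceaccount:"),
        "expires_in_seconds": None if exp is None else exp - now,
        "long_lived": exp is None,          # no exp: only deleting the Secret revokes it
        "bound_to_audience": "aud" in claims,
    }


if __name__ == "__main__":
    for label, claims in (("legacy", LEGACY_CLAIMS), ("token-request", BOUND_CLAIMS)):
        print(f"{label}: {summarize(make_token(claims))}")
```

<p>Against a real token, call summarize on the value extracted in step 6. A result with long_lived True is the legacy Secret token from step 4, which stays valid until the Secret is deleted; a result with expires_in_seconds set is a TokenRequest token that can be reissued with a short lifetime instead of being revoked by hand.</p>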
</div>
<div class="section" id="cce_bestpractice_00221__en-us_topic_0235296162_section14884146153319"><a name="cce_bestpractice_00221__en-us_topic_0235296162_section14884146153319"></a><a name="en-us_topic_0235296162_section14884146153319"></a><h4 class="sectiontitle">Verification</h4><ol id="cce_bestpractice_00221__en-us_topic_0235296162_ol69545202346"><li id="cce_bestpractice_00221__en-us_topic_0235296162_li295482023415">The service account can list pods in the <strong id="cce_bestpractice_00221__b19621154553312">test</strong> namespace. Running the same command against any other namespace (for example -n default) is rejected with a Forbidden error, because the RoleBinding exists only in test.<pre class="screen" id="cce_bestpractice_00221__screen107671651801">kubectl get pod -n <strong id="cce_bestpractice_00221__b18768175111014">test</strong> --kubeconfig=<strong id="cce_bestpractice_00221__b1276812511006">/home/test.config</strong></pre>
<p id="cce_bestpractice_00221__p91060454413"><span><img id="cce_bestpractice_00221__image71062451941" src="en-us_image_0000001851585200.png"></span></p>
</li><li id="cce_bestpractice_00221__en-us_topic_0235296162_li6151024103414">Deleting a pod in the <strong id="cce_bestpractice_00221__b15620212365">test</strong> namespace is rejected with a Forbidden error, because the Role grants no delete verb. The same answer can be obtained without attempting the deletion by running kubectl auth can-i delete pods -n test --kubeconfig=/home/test.config, which prints no.<p id="cce_bestpractice_00221__p220105212163"><span><img id="cce_bestpractice_00221__image106531832140" src="en-us_image_0000001851585168.png"></span></p>
</li></ol>
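<p>The outcomes above can be predicted from the Role and RoleBinding alone. The following Python script is an added example, not code from this page, from CCE or from Kubernetes: it re-implements the matching that the RBAC authorizer applies to namespaced Roles (an exact entry or the "*" wildcard in apiGroups, resources and verbs; a RoleBinding grants access only inside its own namespace and only through a Role in that namespace) and evaluates the manifests from steps 2 and 3, written here as Python dicts, for the requests checked in this section and a few more. ClusterRoles and ClusterRoleBindings are deliberately not modelled.</p>

```python
"""Evaluate the page's Role and RoleBinding the way the RBAC authorizer does.

Added example (not from the CCE documentation or from Kubernetes). Only
namespaced Roles and RoleBindings are modelled; ClusterRoles are out of scope.
"""

# The manifests from steps 2 and 3 of this page, as Python dicts.
ROLE = {
    "kind": "Role",
    "metadata": {"name": "myrole", "namespace": "test"},
    "rules": [
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]},
        {"apiGroups": ["apps"], "resources": ["deployments"],
         "verbs": ["get", "list", "watch", "create"]},
    ],
}

ROLE_BINDING = {
    "kind": "RoleBinding",
    "metadata": {"name": "myrolebinding", "namespace": "test"},
    "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "Role", "name": "myrole"},
    "subjects": [{"kind": "ServiceAccount", "name": "my-sa", "namespace": "test"}],
}

# The identity the API server derives from the service account token: (kind, name, namespace).
MY_SA = ("ServiceAccount", "my-sa", "test")


def _matches(allowed, wanted):
    """RBAC list matching: an exact entry or the "*" wildcard."""
    return "*" in allowed or wanted in allowed


def rule_allows(rule, verb, api_group, resource):
    """All three lists of a rule must match; "pods" does not cover the subresource "pods/log"."""
    return (_matches(rule.get("apiGroups", []), api_group)
            and _matches(rule.get("resources", []), resource)
            and _matches(rule.get("verbs", []), verb))


def subject_matches(subject, user):
    """ServiceAccount subjects are matched on namespace as well as on name."""
    kind, name, namespace = user
    if subject["kind"] != kind or subject["name"] != name:
        return False
    return kind != "ServiceAccount" or subject.get("namespace") == namespace


def can_i(user, verb, resource, namespace, api_group="", roles=(ROLE,), bindings=(ROLE_BINDING,)):
    """True if a RoleBinding in `namespace` names `user` and references a Role there that allows the request."""
    for binding in bindings:
        if binding["metadata"]["namespace"] != namespace:
            continue  # a RoleBinding grants nothing outside its own namespace
        if not any(subject_matches(s, user) for s in binding.get("subjects", [])):
            continue
        ref = binding["roleRef"]
        if ref["kind"] != "Role":
            continue  # ClusterRole references are not modelled here
        for role in roles:
            if role["metadata"]["name"] != ref["name"] or role["metadata"]["namespace"] != namespace:
                continue
            if any(rule_allows(r, verb, api_group, resource) for r in role["rules"]):
                return True
    return False


if __name__ == "__main__":
    checks = [
        ("get", "pods", "test", ""), ("delete", "pods", "test", ""),
        ("get", "pods", "default", ""), ("create", "deployments", "test", "apps"),
        ("delete", "deployments", "test", "apps"), ("get", "pods", "test", "apps"),
    ]
    for verb, resource, ns, group in checks:
        answer = "yes" if can_i(MY_SA, verb, resource, ns, group) else "no"
        print(f"can-i {verb} {group + '/' if group else ''}{resource} -n {ns}: {answer}")
```

<p>The last check in the script, get pods with the apps group, shows why each resource must be listed under its own API group: an entry for pods under apps would never match a real request, because the API server looks pods up in the core group. For the live answer from the cluster, kubectl auth can-i VERB RESOURCE -n test --kubeconfig=/home/test.config asks the API server the same question.</p>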
</div>
<div class="section" id="cce_bestpractice_00221__en-us_topic_0235296162_section12824811142211"><h4 class="sectiontitle">Further Readings</h4><p id="cce_bestpractice_00221__en-us_topic_0235296162_p1596122315225">For more information about users and identity authentication in Kubernetes, see <a href="https://kubernetes.io/docs/reference/access-authn-authz/authentication/" target="_blank" rel="noopener noreferrer">Authenticating</a>.</p>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="cce_bestpractice_0055.html">Permission</a></div>
</div>
</div>