Create the namespace
kubectl create ns dev
Create the service account
kubectl -n dev create sa lqshow
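Get the Secret information (on Kubernetes 1.24 and later a token Secret is no longer created automatically for a service account, so this lookup returns nothing unless one has been created by hand)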
SECRET=$(kubectl -n dev get secrets | grep ^lqshow | cut -f1 -d ' ')
Get ca.crt from the Secret (--decode works with both GNU and macOS base64; -D is macOS only)
kubectl -n dev get secret "$SECRET" -o json | jq -r '.data["ca.crt"]' | base64 --decode > ca.crt
Get the token from the Secret
USER_TOKEN=$(kubectl -n dev get secret "$SECRET" -o json | jq -r '.data["token"]' | base64 --decode)
Set a cluster entry in the kubeconfig file.
Get the current cluster context
CURRENT_CONTEXT=$(kubectl config current-context)
Get the cluster name
CLUSTER_NAME=$(kubectl config get-contexts $CURRENT_CONTEXT | awk '{print $3}' | tail -n 1)
Get the API server address
KUBE_APISERVER=$(kubectl config view -o jsonpath="{.clusters[?(@.name == \"$CLUSTER_NAME\")].cluster.server}")
Create a config named cluster-staging in the current directory (written to dev.kubeconfig)
kubectl config set-cluster cluster-staging \
  --certificate-authority=./ca.crt \
  --embed-certs=true \
  --server="${KUBE_APISERVER}" \
  --kubeconfig=dev.kubeconfig
Set the user credentials
kubectl config set-credentials lqshow \
  --token="$USER_TOKEN" \
  --kubeconfig=dev.kubeconfig
Bind the user (create a context that ties the user to the cluster)
kubectl config set-context lqshow-staging \
  --cluster=cluster-staging \
  --user=lqshow \
  --kubeconfig=dev.kubeconfig
Switch the current context
kubectl config use-context lqshow-staging \
  --kubeconfig=dev.kubeconfig
Create a Role manifest (dev-user-role.yml)
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: dev
  name: dev-user-pod
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list", "update", "create", "delete"]
kubectl create -f dev-user-role.yml
Create a RoleBinding manifest
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: dev-pod-rolebinding
  namespace: dev
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: dev-user-pod
subjects:
- kind: ServiceAccount
  name: lqshow
  namespace: dev
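Or bind the role directly from the command line (the binding has to be created in the dev namespace, where the Role lives)
kubectl create rolebinding dev-pod-rolebinding \
  --namespace=dev \
  --role=dev-user-pod \
  --serviceaccount=dev:lqshow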
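To confirm that the binding grants only what the Role lists, the check below runs `kubectl auth can-i` through dev.kubeconfig for each granted verb and for a few requests that should be denied. It is an added example, not part of the original issue; the function names, the `KUBECONFIG_FILE` variable and the choice of denied requests are assumptions.

```shell
#!/bin/sh
# Added example: checks that dev.kubeconfig (service account dev:lqshow)
# can do what Role dev-user-pod grants and nothing beyond it.
KUBECONFIG_FILE="${KUBECONFIG_FILE:-dev.kubeconfig}"

# can_i VERB RESOURCE NAMESPACE: exit 0 if the API server allows the request.
# -q suppresses output so that only the exit code is used.
can_i() {
  kubectl --kubeconfig="$KUBECONFIG_FILE" auth can-i "$1" "$2" -n "$3" -q
}

# expect_access allow|deny VERB RESOURCE NAMESPACE: returns 1 on a mismatch.
expect_access() {
  want=$1; shift
  if can_i "$@"; then got=allow; else got=deny; fi
  if [ "$got" = "$want" ]; then
    echo "ok    $want  $*"
  else
    echo "FAIL  want=$want got=$got  $*"
    return 1
  fi
}

verify_scope() {
  rc=0
  # Verbs the Role grants on pods in namespace dev.
  for verb in get watch list update create delete; do
    expect_access allow "$verb" pods dev || rc=1
  done
  # Requests the Role does not cover (chosen for this example).
  expect_access deny get secrets dev || rc=1          # the token Secret lives here
  expect_access deny list pods default || rc=1        # another namespace
  expect_access deny list pods kube-system || rc=1
  expect_access deny create rolebindings dev || rc=1  # cannot widen its own access
  return "$rc"
}

# Run as: sh verify-scope.sh run
if [ "${1:-}" = "run" ]; then
  verify_scope
fi
```

A cluster that cannot be reached makes every request look denied, so the allow checks fail in that case rather than passing silently.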