ctr拉取自建harbor镜像
# Pull from the self-hosted Harbor registry. Two points to change before this
# line is reused: the credential is passed on the command line, so it ends up
# in shell history and is visible to other local users through the process
# list (pass only the user name and let ctr prompt for the password instead);
# and -k (--skip-verify) turns off TLS certificate verification for the pull,
# which exposes the transfer to interception — trust the Harbor CA on the host
# rather than skipping verification.
ctr images pull --user admin:Harbor12345 -k registry.fine.com/kubernetes/busybox/busybox:latest
k8s创建rbac脚本
脚本createrbac.sh
#!/bin/bash
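# Cluster CA certificate and private key used to sign the user certificates
# (read by createconfig). The key must be readable by whoever runs the script.
readonly cafile=/etc/kubernetes/pki/ca.crt
readonly cakeyfile=/etc/kubernetes/pki/ca.key
# API server endpoint embedded into the generated kubeconfig. The wildcard is a
# placeholder to replace before use; it is quoted so that the `*` characters
# are never subject to pathname expansion when the value is used unquoted.
readonly server='https://*.*.*.*:6443'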
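#######################################
# Sign the user's CSR with the cluster CA and build a kubeconfig with the
# resulting client certificate and key embedded.
# Globals:   cafile, cakeyfile, server, user (all read)
# Inputs:    ${user}/${user}-config.json and ${user}/${user}-csr.json
#            (written by createcert)
# Outputs:   ${user}/${user}.pem, ${user}/${user}-key.pem, ${user}/${user}.csr
#            and ${user}/${user}.kubeconfig
# Returns:   non-zero as soon as signing or a kubectl step fails
#######################################
createconfig() {
  local -r prefix="${user}/${user}"
  local -r kubeconfig="${prefix}.kubeconfig"

  # cfssljson -bare writes <prefix>.pem, <prefix>-key.pem and <prefix>.csr.
  # The prefix has to carry the directory: with a bare "${user}" the files
  # land in the current directory and the set-credentials step below cannot
  # find ${user}/${user}.pem and ${user}/${user}-key.pem.
  cfssl gencert -ca="${cafile}" -ca-key="${cakeyfile}" \
    -config="${prefix}-config.json" -profile=kubernetes \
    "${prefix}-csr.json" | cfssljson -bare "${prefix}" || return

  # Sanity check: the signed certificate must parse.
  cfssl-certinfo -cert "${prefix}.pem" > /dev/null || return

  # Cluster entry; the CA is embedded so the kubeconfig is self-contained.
  kubectl config set-cluster kubernetes \
    --certificate-authority="${cafile}" \
    --embed-certs=true \
    --server="${server}" \
    --kubeconfig="${kubeconfig}" > /dev/null || return

  # User entry; client key and certificate are embedded as well, so the
  # kubeconfig file alone holds the private key and must be protected.
  kubectl config set-credentials "${user}" \
    --client-key="${prefix}-key.pem" \
    --client-certificate="${prefix}.pem" \
    --embed-certs=true \
    --kubeconfig="${kubeconfig}" > /dev/null || return

  # Default context binding the cluster and user entries.
  kubectl config set-context kubernetes \
    --cluster=kubernetes \
    --user="${user}" \
    --kubeconfig="${kubeconfig}" > /dev/null
}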
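#######################################
# Write the cfssl signing profile and the CSR request for ${user}.
# Globals:   user (read)
# Outputs:   ${user}/${user}-config.json and ${user}/${user}-csr.json
# Returns:   status of the last write
#######################################
createcert() {
  local -r prefix="${user}/${user}"

  # Signing profile. "expiry" is ten years; Kubernetes has no certificate
  # revocation, so a leaked key stays usable until then — shorten it if policy
  # allows. Usages are limited to what a kubeconfig client certificate needs:
  # "server auth" was dropped because the certificate is only ever presented
  # by kubectl as a client and "hosts" is empty.
  cat > "${prefix}-config.json" <<EOF
{
"signing": {
"default": {
"expiry": "87600h"
},
"profiles": {
"kubernetes": {
"usages": [
"signing",
"key encipherment",
"client auth"
],
"expiry": "87600h"
}
}
}
}
EOF

  # CSR request. Kubernetes takes the user name from CN and the group from O.
  cat > "${prefix}-csr.json" <<EOF
{
"CN": "${user}",
"hosts": [],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "BeiJing",
"L": "BeiJing",
"O": "k8s",
"OU": "System"
}
]
}
EOF
}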
# RBAC rules shared by createrole (namespaced Role) and createclusterrole
# (cluster-wide ClusterRole). Verbs are get/list/watch only, but note:
#  - "secrets" is in the list: in the ClusterRole variant this grants read
#    access to every Secret in the cluster, which is far more than the
#    "read-only" label suggests.
#  - NOTE(review): get on pods/exec, pods/attach, pods/portforward, pods/proxy
#    and services/proxy reaches subresources rather than object views —
#    confirm they are intended for a read-only role.
#  - NOTE(review): "scheduledjobs" and the "extensions" API group look like
#    legacy entries; confirm they still exist on the target cluster version.
rules='
rules:
- apiGroups:
- ""
resources:
- pods
- pods/attach
- pods/exec
- pods/portforward
- pods/proxy
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- configmaps
- endpoints
- persistentvolumeclaims
- replicationcontrollers
- replicationcontrollers/scale
- secrets
- serviceaccounts
- services
- services/proxy
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- bindings
- events
- limitranges
- namespaces/status
- pods/log
- pods/status
- replicationcontrollers/status
- resourcequotas
- resourcequotas/status
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- namespaces
verbs:
- get
- list
- watch
- apiGroups:
- apps
resources:
- deployments
- deployments/rollback
- deployments/scale
- statefulsets
verbs:
- get
- list
- watch
- apiGroups:
- autoscaling
resources:
- horizontalpodautoscalers
verbs:
- get
- list
- watch
- apiGroups:
- batch
resources:
- cronjobs
- jobs
- scheduledjobs
verbs:
- get
- list
- watch
- apiGroups:
- extensions
resources:
- daemonsets
- deployments
- ingresses
- replicasets
verbs:
- get
- list
'
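#######################################
# Write a namespaced Role plus a RoleBinding for ${user} built from the
# shared ${rules} text. The manifest is only written here, not applied.
# Globals:   user, namespace, rules (read)
# Outputs:   ${user}/${user}-role-read.yaml
# Returns:   status of the write
#######################################
createrole () {
  # NOTE(review): the comment lines inside the manifest were copied from the
  # upstream RBAC example ("jane", "pod-reader", "default") and do not
  # describe the generated objects; kubectl ignores them.
  cat > "${user}/${user}-role-read.yaml" <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
namespace: ${namespace}
name: role-read-${user}
${rules}
---
apiVersion: rbac.authorization.k8s.io/v1
# 此角色绑定允许 "jane" 读取 "default" 名字空间中的 Pod
# 你需要在该名字空间中有一个名为 “pod-reader” 的 Role
kind: RoleBinding
metadata:
name: ${user}-role-read
namespace: ${namespace}
subjects:
# 你可以指定不止一个“subject(主体)”
- kind: User
name: ${user} # "name" 是区分大小写的
apiGroup: rbac.authorization.k8s.io
roleRef:
# "roleRef" 指定与某 Role 或 ClusterRole 的绑定关系
kind: Role # 此字段必须是 Role 或 ClusterRole
name: role-read-${user} # 此字段必须与你要绑定的 Role 或 ClusterRole 的名称匹配
apiGroup: rbac.authorization.k8s.io
EOF
}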
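#######################################
# Write a ClusterRole plus a ClusterRoleBinding for ${user} built from the
# shared ${rules} text. Unlike createrole this grants the rules in every
# namespace (including any "secrets" entry in ${rules}). Written only, not
# applied here.
# Globals:   user, rules (read)
# Outputs:   ${user}/${user}-clusterrole-read.yaml
# Returns:   status of the write
#######################################
createclusterrole () {
  # NOTE(review): the comment lines inside the manifest were copied from the
  # upstream RBAC example ("jane", "pod-reader", "default") and do not
  # describe the generated objects; kubectl ignores them.
  cat > "${user}/${user}-clusterrole-read.yaml" <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: clusterrole-read-${user}
${rules}
---
apiVersion: rbac.authorization.k8s.io/v1
# 此角色绑定允许 "jane" 读取 "default" 名字空间中的 Pod
# 你需要在该名字空间中有一个名为 “pod-reader” 的 Role
kind: ClusterRoleBinding
metadata:
name: ${user}-clusterrole-read
subjects:
# 你可以指定不止一个“subject(主体)”
- kind: User
name: ${user} # "name" 是区分大小写的
apiGroup: rbac.authorization.k8s.io
roleRef:
# "roleRef" 指定与某 Role 或 ClusterRole 的绑定关系
kind: ClusterRole # 此字段必须是 Role 或 ClusterRole
name: clusterrole-read-${user} # 此字段必须与你要绑定的 Role 或 ClusterRole 的名称匹配
apiGroup: rbac.authorization.k8s.io
EOF
}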
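#######################################
# Print a user-facing error and exit 1. The messages are kept exactly as
# before so anything matching on them keeps working.
# Arguments: $1 - message
#######################################
fail() {
  printf '%s\n' "$1"
  exit 1
}

#######################################
# Validate the user name argument. It is used as an output directory, as a
# file-name prefix, as the certificate CN and inside the RBAC object names,
# so it must be non-empty and a plain path component (no "/", not "." or "..").
# Arguments: $1 - candidate user name
#######################################
check_user() {
  case "$1" in
    '') fail "Please add username" ;;
    . | .. | */*) fail "Invalid username: must be a plain name without '/'" ;;
  esac
}

#######################################
# Steps shared by both modes: create the per-user output directory (mode 0700,
# because the kubeconfig with the embedded client key is written into it),
# then the CSR inputs and the signed kubeconfig.
# Globals:   user (read)
#######################################
prepare_user() {
  mkdir -p -m 0700 -- "${user}" || fail "Cannot create directory ${user}"
  createcert
  createconfig
}

#######################################
# Apply a generated RBAC manifest with the caller's current kubeconfig (this
# is the privileged step), then select the "kubernetes" context in the new
# user's kubeconfig.
# Globals:   user (read)
# Arguments: $1 - manifest path
#######################################
apply_and_activate() {
  kubectl apply -f "$1" > /dev/null
  kubectl config use-context kubernetes \
    --kubeconfig="${user}/${user}.kubeconfig" > /dev/null
}

#######################################
# Entry point. Accepted forms (unchanged):
#   -role -user <username> -namespace <namespace>
#   -clusterrole -user <username>
# Globals:   user, namespace (written here, read by the create* functions)
#######################################
main() {
  case "$1" in
    -role)
      [ "$2" = -user ] || fail "Parameter Was Error"
      check_user "$3"
      user=$3
      [ "$4" = -namespace ] || fail "Parameter Was Error"
      [ -n "$5" ] || fail "Please add namespace"
      namespace=$5
      prepare_user
      createrole
      apply_and_activate "${user}/${user}-role-read.yaml"
      ;;
    -clusterrole)
      [ "$2" = -user ] || fail "Parameter Was Error"
      check_user "$3"
      user=$3
      prepare_user
      createclusterrole
      apply_and_activate "${user}/${user}-clusterrole-read.yaml"
      ;;
    *)
      fail "Parameter Was Error"
      ;;
  esac
}

main "$@"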
使用方法
创建role
bash createrbac.sh -role -user <username> -namespace <namespace>
创建clusterrole
bash createrbac.sh -clusterrole -user <username>
注:本脚本创建的都是只读角色,可根据需要调整脚本中的权限