
Produce kubeconfig with permission control

2022-06-24 06:28:00 Xiezhengwei

Scenario

In a development and test environment we run a shared Kubernetes cluster whose resources are handed out to users. Each user should only be able to use the resources in their own namespace and must not be able to affect anyone else's.

The following procedure shows how to achieve this with native Kubernetes capabilities (namespaces, ServiceAccounts and RBAC).

Implementation steps

Create the namespace

First, create a namespace named after the user:

kubectl create ns well

Create the ServiceAccount

Create a ServiceAccount (SA) in the user's namespace:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: well-sa
  namespace: well

Create the Role

Create a Role in the user's namespace. This is where you list the resources and verbs you want to grant the user.

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: well-role
  namespace: well
rules:
- apiGroups: [""]
  resources:
  - pods
  - configmaps
  - services
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - delete
# deployments belong to the "apps" API group, not the core ("") group,
# so they need their own rule or the permission is silently never granted
- apiGroups: ["apps"]
  resources:
  - deployments
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - delete

Create the RoleBinding

Bind the ServiceAccount just created to the Role:

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: well-binding
  namespace: well
subjects:
- kind: ServiceAccount
  name: well-sa
roleRef:
  kind: Role
  name: well-role
  apiGroup: rbac.authorization.k8s.io

The ServiceAccount well-sa can now access the well namespace. Next we need to hand the SA's credential (its token) to the user.

Generating the kubeconfig

The kubeconfig template looks like this:

apiVersion: v1
kind: Config
users:
- name: well
  user:
    token: <token>
clusters:
- cluster:
    certificate-authority-data: <certificate-authority-data>
    server: <api-server>
  name: well-cluster
contexts:
- context:
    cluster: well-cluster
    namespace: well
    user: well
  name: well-cluster
current-context: well-cluster

Now replace the placeholders above with the actual values.

The values can be obtained as follows:

  • kubectl config view --flatten --minify prints the certificate-authority-data and the API server address.
  • kubectl describe sa well-sa -n well shows the name of the secret holding the SA's token.
  • kubectl describe secret <key> -n well prints the token.

Once the placeholders are filled in, the kubeconfig can be saved to a file and handed to the user.
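As an added check (example code, not part of the original post), the following Python validates a generated kubeconfig before it is handed out: it assumes the file was loaded into a dict with yaml.safe_load, flags any template placeholder that was left in place, and confirms that the token really belongs to a ServiceAccount in the namespace the context defaults to, so a user is never accidentally given a credential for another namespace. The sample token it builds is a constructed, unsigned JWT, not a real cluster token.

```python
import base64
import json

PLACEHOLDERS = {"<token>", "<certificate-authority-data>", "<api-server>"}


def _named(items, name):
    # Pick the entry called `name` from a kubeconfig list (users, clusters or contexts)
    return next((i for i in items if i.get("name") == name), None)


def sa_token_subject(token):
    """Return the 'sub' claim of a ServiceAccount JWT, or "" if the value is not a JWT."""
    parts = token.split(".")
    if len(parts) != 3:
        return ""
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload)).get("sub", "")


def check_kubeconfig(cfg):
    """Return a list of problems with a generated kubeconfig; an empty list means it looks sane."""
    problems = []
    ctx = _named(cfg.get("contexts", []), cfg.get("current-context"))
    if ctx is None:
        return ["current-context does not name an existing context"]
    ns = ctx["context"].get("namespace", "")
    if not ns:
        problems.append("context has no default namespace")
    user = (_named(cfg.get("users", []), ctx["context"].get("user")) or {}).get("user", {})
    cluster = (_named(cfg.get("clusters", []), ctx["context"].get("cluster")) or {}).get("cluster", {})
    token = user.get("token", "")
    if not token or token in PLACEHOLDERS:
        problems.append("token placeholder not replaced")
    else:
        sub = sa_token_subject(token).split(":")  # system:serviceaccount:<ns>:<name>
        if len(sub) != 4 or sub[:2] != ["system", "serviceaccount"] or sub[2] != ns:
            problems.append(f"token subject {':'.join(sub)!r} is not a ServiceAccount in namespace {ns!r}")
    try:  # certificate-authority-data must be the base64 of a PEM certificate
        pem = base64.b64decode(cluster.get("certificate-authority-data", ""), validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        pem = b""
    if not pem.startswith(b"-----BEGIN CERTIFICATE-----"):
        problems.append("certificate-authority-data is not base64-encoded PEM")
    if not cluster.get("server", "").startswith("https://"):
        problems.append("server is not an https URL")
    return problems


def sample_token(ns, name):
    # Constructed, unsigned JWT carrying only the claim this check needs (not a real cluster token)
    seg = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return seg({"alg": "none"}) + "." + seg({"sub": f"system:serviceaccount:{ns}:{name}"}) + "."
```

On Kubernetes 1.24 and later the token Secret described above is no longer created automatically for a ServiceAccount; kubectl create token well-sa -n well issues a time-bound token instead, and because those tokens carry the same sub claim the check above accepts them too.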

Automation

The steps above can be automated; below is a complete shell script that implements the whole process.

You need a kubeconfig with sufficient permissions (cluster-admin level) set as the current context of your kubectl.

Copy the script into a file named create-key.sh and make it executable.

#!/bin/bash
set -euo pipefail

echo "Welcome to the kubeconfig generator. This script generates a credential with limited permissions."
echo "Running it requires that your current kubectl context already has the cluster's maximum permissions."
echo
echo "Usage:"
echo "./create-key.sh"
echo "or"
echo "./create-key.sh <yourname>"
echo

# Check whether a namespace with exactly this name already exists
# (an exact lookup, unlike grep -w, which would also match names such as well-test)
function userExists() {
  if kubectl get ns "$1" >/dev/null 2>&1; then
    echo 1
  else
    echo 0
  fi
}

# Do not reuse the shell's own $USER variable for the tenant name
KUSER=${1:-}

if [ -z "$KUSER" ]; then
  while true; do
    read -r -p "Please enter the user id: " KUSER

    if [ -z "$KUSER" ]; then   # nothing entered
      echo "You have to enter something, or press ctrl + c to exit. Please re-enter."
      echo
    else
      checkUser=$(userExists "$KUSER")
      if [ "$checkUser" = "0" ]; then
        break
      else
        echo "$KUSER is already taken, please re-enter or press ctrl + c to exit."
        echo
      fi
    fi
  done
else
  checkUser=$(userExists "$KUSER")
  if [ "$checkUser" = "1" ]; then
    echo "$KUSER is already taken." >&2
    exit 1
  fi
fi

kubectl create ns "$KUSER"

# Create the SA
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: ServiceAccount
metadata:
  name: $KUSER-sa
  namespace: $KUSER
EOF

# Create the Role that controls the resources; adjust this section to grant the permissions you need.
# deployments belong to the "apps" API group, not the core ("") group, so they get their own rule.
cat <<EOF | kubectl apply -f -
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: $KUSER-role
  namespace: $KUSER
rules:
- apiGroups: [""]
  resources:
  - pods
  - configmaps
  - services
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - delete
- apiGroups: ["apps"]
  resources:
  - deployments
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - delete
EOF

# Create the RoleBinding
cat <<EOF | kubectl apply -f -
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: $KUSER-binding
  namespace: $KUSER
subjects:
- kind: ServiceAccount
  name: $KUSER-sa
  namespace: $KUSER
roleRef:
  kind: Role
  name: $KUSER-role
  apiGroup: rbac.authorization.k8s.io
EOF

KUBE_APISERVER=$(kubectl config view --minify -o=jsonpath="{.clusters[*].cluster.server}")
CLUSTER_AUTH=$(kubectl config view --flatten --minify -o=jsonpath="{.clusters[0].cluster.certificate-authority-data}")
TOKEN_KEY=$(kubectl get sa "$KUSER-sa" -n "$KUSER" -o=jsonpath="{.secrets[0].name}")
if [ -n "$TOKEN_KEY" ]; then
  # Kubernetes before 1.24: the SA's token is stored base64-encoded in an auto-created Secret
  TOKEN_DECODE=$(kubectl get secret "$TOKEN_KEY" -n "$KUSER" -o=jsonpath="{.data.token}" | base64 --decode)
else
  # Kubernetes 1.24 and later: no token Secret is auto-created, so request a bound token for the SA instead
  TOKEN_DECODE=$(kubectl create token "$KUSER-sa" -n "$KUSER")
fi

# Generate the kubeconfig file; it contains the token, so make it readable by the current user only
umask 077
cat > "$KUSER.config" <<EOF
apiVersion: v1
kind: Config
users:
- name: $KUSER
  user:
    token: $TOKEN_DECODE
clusters:
- cluster:
    certificate-authority-data: $CLUSTER_AUTH
    server: $KUBE_APISERVER
  name: $KUSER-cluster
contexts:
- context:
    cluster: $KUSER-cluster
    namespace: $KUSER
    user: $KUSER
  name: $KUSER-cluster
current-context: $KUSER-cluster
EOF

# pbcopy exists on macOS only; skip the clipboard copy elsewhere
COPIED=""
if command -v pbcopy >/dev/null 2>&1; then
  pbcopy < "$KUSER.config"
  COPIED=" and has been copied to your clipboard"
fi

echo
echo "Succeeded!!!!"
echo
echo
echo "The kubeconfig file has been saved as ./$KUSER.config$COPIED."
echo "This kubeconfig only allows access to the specified resources in namespace $KUSER."
echo
echo "Try the following commands:"
echo "kubectl get po --kubeconfig=./$KUSER.config"
echo "kubectl get secret --kubeconfig=./$KUSER.config"
echo "kubectl get po --kubeconfig=./$KUSER.config -n default"

  • Run ./create-key.sh or ./create-key.sh well.
  • When it finishes, a file named well.config is saved in the current directory. This is the kubeconfig file; send it to the user, or paste the clipboard contents to them.
  • The script prints test commands: kubectl get po is permitted, kubectl get secret is denied, and kubectl get po -n default is denied.
  • Edit the Role section to fine-tune the permissions; you can also create several Roles and RoleBindings to control different resources with different permissions.
  • To release the resources, simply delete the namespace, which is quick and convenient: kubectl delete ns well

This script was tested on macOS.

Original site

Copyright notice
This article was written by [Xiezhengwei]; please include a link to the original when reposting. Thanks.
https://yzsam.com/2021/07/20210716001359655o.html