Tutorial: generating a namespace-scoped kubeconfig file for k8s

📅 2026/7/5 1:05:38
Contents

- Preface
- k8s v1.24 and later
  - Create the ServiceAccount
  - Create the Role and RoleBinding
  - Create a long-lived token Secret
  - Extract the token and CA
  - Generate the kubeconfig
  - Verify
- k8s before v1.24
  - Create the RBAC objects (SA, Role, RoleBinding)
  - Generate the kubeconfig file

## Preface

Creating a kubeconfig file scoped to a single namespace is a security measure. Developers sometimes ask for the admin kubeconfig so they can automate pod management, but handing out administrator privileges is risky (developers have already broken our k8s cluster a few times that way). A kubeconfig limited to one namespace is the better option: it can only operate on resources in that namespace, and Kubernetes has mature protection against privilege escalation, so other namespaces stay out of reach.

Note: the procedure differs before and after version 1.24.

## k8s v1.24 and later

### Create the ServiceAccount

```bash
kubectl create serviceaccount monitoring-user -n monitoring
```

### Create the Role and RoleBinding

```bash
cat <<EOF | kubectl apply -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: monitoring-user-role
  namespace: monitoring        # the namespace being delegated
rules:
- apiGroups: ["*"]             # all API groups
  resources: ["*"]             # all resources
  verbs: ["*"]                 # all verbs
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: monitoring-user-binding
  namespace: monitoring
subjects:
- kind: ServiceAccount
  name: monitoring-user
  namespace: monitoring
roleRef:
  kind: Role
  name: monitoring-user-role
  apiGroup: rbac.authorization.k8s.io
EOF
```

### Create a long-lived token Secret

```bash
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Secret
metadata:
  name: monitoring-user-token
  namespace: monitoring
  annotations:
    kubernetes.io/service-account.name: monitoring-user
type: kubernetes.io/service-account-token
EOF
```

### Extract the token and CA

```bash
TOKEN=$(kubectl get secret monitoring-user-token -n monitoring -o jsonpath='{.data.token}' | base64 -d)
kubectl get secret monitoring-user-token -n monitoring -o jsonpath='{.data.ca\.crt}' | base64 -d > ca.crt
APISERVER=https://192.168.10.11:6443
```

### Generate the kubeconfig

```bash
kubectl config set-cluster k8s-cluster \
  --certificate-authority=ca.crt \
  --embed-certs=true \
  --server=${APISERVER} \
  --kubeconfig=monitoring-user.kubeconfig

kubectl config set-credentials monitoring-user \
  --token=${TOKEN} \
  --kubeconfig=monitoring-user.kubeconfig

kubectl config set-context monitoring-user@k8s-cluster \
  --cluster=k8s-cluster \
  --user=monitoring-user \
  --namespace=monitoring \
  --kubeconfig=monitoring-user.kubeconfig

kubectl config use-context monitoring-user@k8s-cluster --kubeconfig=monitoring-user.kubeconfig
```

### Verify

```bash
# works: lists pods in the context's default namespace (monitoring)
kubectl --kubeconfig=monitoring-user.kubeconfig get pods
# expected to be denied with Forbidden: the Role only covers the monitoring namespace
kubectl --kubeconfig=monitoring-user.kubeconfig get pods -A
```

## k8s before v1.24

The difference from v1.24 and later is that the Secret does not have to be created by hand; versions before v1.24 generate it automatically.

### Create the RBAC objects (SA, Role, RoleBinding)

```bash
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: ServiceAccount
metadata:
  name: monitoring-admin
  namespace: monitoring
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: monitoring-full
  namespace: monitoring
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: monitoring-admin-binding
  namespace: monitoring
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: monitoring-full
subjects:
- kind: ServiceAccount
  name: monitoring-admin
  namespace: monitoring
EOF
```

### Generate the kubeconfig file

```bash
NAMESPACE=monitoring
SA=monitoring-admin
APISERVER=https://192.168.10.11:6443
OUTPUT=monitoring.kubeconfig

# 1.23 generated the token Secret automatically, so just read its name from the SA
SECRET=$(kubectl get sa ${SA} -n ${NAMESPACE} -o jsonpath='{.secrets[0].name}')
TOKEN=$(kubectl get secret ${SECRET} -n ${NAMESPACE} -o jsonpath='{.data.token}' | base64 -d)
kubectl get secret ${SECRET} -n ${NAMESPACE} -o jsonpath='{.data.ca\.crt}' | base64 -d > /tmp/ca.crt

kubectl config set-cluster monitoring-cluster \
  --server=${APISERVER} \
  --certificate-authority=/tmp/ca.crt \
  --embed-certs=true \
  --kubeconfig=${OUTPUT}

kubectl config set-credentials ${SA} \
  --token=${TOKEN} \
  --kubeconfig=${OUTPUT}

kubectl config set-context monitoring-context \
  --cluster=monitoring-cluster \
  --namespace=${NAMESPACE} \
  --user=${SA} \
  --kubeconfig=${OUTPUT}

kubectl config use-context monitoring-context --kubeconfig=${OUTPUT}
```
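The "extract token and CA" and "generate kubeconfig" steps above, carried out in Python instead of kubectl, as an added example that is not part of the original post. It shows what the four `kubectl config` commands actually write (a token-only user entry and the CA embedded as `certificate-authority-data`), which is useful on a provisioning host without kubectl; the Secret JSON, token and certificate are constructed placeholders, and kubectl reads JSON kubeconfigs because YAML is a superset of JSON.

```python
import base64
import json
# Constructed sample of `kubectl get secret monitoring-user-token -n monitoring -o json`;
# token and certificate are placeholders, not real credentials.
SAMPLE_SECRET_JSON = json.dumps({
    "apiVersion": "v1", "kind": "Secret", "type": "kubernetes.io/service-account-token",
    "metadata": {"name": "monitoring-user-token", "namespace": "monitoring"},
    "data": {
        "token": base64.b64encode(b"PLACEHOLDER-SA-TOKEN").decode(),
        "ca.crt": base64.b64encode(b"-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n"
                                   b"-----END CERTIFICATE-----\n").decode(),
    },
})

def extract_token_and_ca(secret_json):
    """The 'extract token and CA' step: decode .data.token and .data['ca.crt']
    (the key kubectl's jsonpath has to address as {.data.ca\\.crt})."""
    secret = json.loads(secret_json)
    if secret.get("type") != "kubernetes.io/service-account-token":
        raise ValueError("not a service-account-token Secret")
    token = base64.b64decode(secret["data"]["token"]).decode()
    ca_pem = base64.b64decode(secret["data"]["ca.crt"])
    return token, ca_pem

def build_kubeconfig(server, ca_pem, token, user, namespace, cluster="k8s-cluster"):
    """What `kubectl config set-cluster/set-credentials/set-context/use-context`
    produce with --embed-certs=true; kubectl accepts this JSON as a kubeconfig."""
    context = f"{user}@{cluster}"
    return {
        "apiVersion": "v1", "kind": "Config",
        "clusters": [{"name": cluster, "cluster": {
            "server": server, "certificate-authority-data": base64.b64encode(ca_pem).decode()}}],
        "users": [{"name": user, "user": {"token": token}}],
        "contexts": [{"name": context, "context": {
            "cluster": cluster, "user": user, "namespace": namespace}}],
        "current-context": context,
    }

def check_kubeconfig(cfg):
    """Sanity check before handing the file out. The context namespace is only kubectl's
    default; the real restriction is enforced server-side by the Role/RoleBinding."""
    ctx_ok = all(c["context"].get("namespace") for c in cfg["contexts"])
    token_only = all(set(u["user"]) == {"token"} for u in cfg["users"])
    embedded = all("certificate-authority-data" in c["cluster"] for c in cfg["clusters"])
    return ctx_ok and token_only and embedded

if __name__ == "__main__":
    tok, ca = extract_token_and_ca(SAMPLE_SECRET_JSON)
    cfg = build_kubeconfig("https://192.168.10.11:6443", ca, tok, "monitoring-user", "monitoring")
    print(json.dumps(cfg, indent=2) if check_kubeconfig(cfg) else "kubeconfig check failed")
```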