建立namespaces
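# Every later step (ServiceAccount, Role, RoleBinding, Secret lookups) targets
# the tw-sgis namespace, so that is the namespace that has to exist; the
# original `slanla` namespace was never referenced again. The lookup guard lets
# the step be re-run without a "already exists" error (it also hides other
# kubectl errors, which will then surface from the create call).
kubectl get ns tw-sgis >/dev/null 2>&1 || kubectl create ns tw-sgis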
建立 user（在 tw-sgis namespace 建立一個 ServiceAccount；後續 token 即屬於此 SA）
# ServiceAccount `slanla` in namespace tw-sgis; the Role/RoleBinding below and
# the generated kubeconfig all refer to this account.
kubectl create serviceaccount slanla --namespace=tw-sgis
RBAC 授權
建立規則
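# Namespaced Role for the slanla ServiceAccount.
# Least privilege: pods live in the core API group (""); the original
# apiGroups: ["*"] also matched any other group that exposes a resource
# named "pods" (metrics.k8s.io does, for PodMetrics), which is wider than
# this tutorial needs. pods/log only supports read operations, so the write
# verbs on it are dropped — they granted nothing usable.
cat <<EOF > slanla-user-role.yml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: tw-sgis
  name: slanla-user-pod
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list", "update", "create", "delete"]
- apiGroups: [""]
  resources: ["pods/log"]
  verbs: ["get", "watch", "list"]
EOF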
# Create/update the Role from the manifest written above (namespace comes
# from the manifest's metadata).
kubectl apply --filename=./slanla-user-role.yml
授權對象
# Bind Role slanla-user-pod to ServiceAccount tw-sgis:slanla, inside tw-sgis.
# NOTE(review): the binding is named "view" but the Role also grants
# update/create/delete on pods; consider a name that reflects the write access.
kubectl create rolebinding slanla-view-pod --namespace=tw-sgis \
  --role=slanla-user-pod --serviceaccount=tw-sgis:slanla
產生設定檔
取得 secret 資訊（注意：Kubernetes 1.24 起 ServiceAccount 不再自動產生 token Secret，此步驟會得到空值；需先手動建立 type 為 kubernetes.io/service-account-token、並以 annotation kubernetes.io/service-account.name 指向此 SA 的 Secret，或改用 `kubectl create token` 取得有期限的短效 token）
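# Name of the token Secret attached to the ServiceAccount. jsonpath picks the
# first entry; the original go-template concatenated every secret name with no
# separator, which silently yields a bogus name when more than one is listed.
# On Kubernetes 1.24+ no token Secret is auto-created, so `.secrets` is empty:
# create a kubernetes.io/service-account-token Secret for the SA first, or use
# `kubectl create token` for a short-lived token instead of this flow.
SECRET=$(kubectl -n tw-sgis get sa slanla -o jsonpath='{.secrets[0].name}')
: "${SECRET:?no token Secret listed on ServiceAccount tw-sgis/slanla (expected on Kubernetes 1.24+; create one manually or use 'kubectl create token')}"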
設定API Server
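# API server endpoint written into the generated kubeconfig. The default is a
# placeholder and must be replaced (or overridden in the environment), e.g.
# with:  kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}'
# Keep the https:// scheme: a plaintext endpoint would send the bearer token in
# the clear.
API_SERVER="${API_SERVER:-https://xxx.xxx.xxx.xxx:6443}"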
取得 ca
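# Base64-encoded cluster CA taken from the token Secret (still base64, which is
# what certificate-authority-data expects). jsonpath replaces the awk scrape of
# YAML output, which depended on the key's exact print position; the escaped
# dot keeps "ca.crt" as one key. $SECRET is quoted so an empty value fails
# visibly instead of turning into `get secret -o ...`.
CA_CERT=$(kubectl -n tw-sgis get secret "${SECRET}" -o jsonpath='{.data.ca\.crt}')
: "${CA_CERT:?Secret ${SECRET} has no ca.crt entry}"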
建立
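# Start the kubeconfig with the cluster entry only; the user/token is added
# later by `kubectl config set-credentials`. The file will end up holding a
# bearer token, so it is created under umask 077 (mode 600) instead of the
# shell's default umask, and re-tightened in case an older copy already exists.
[ -n "${CA_CERT:-}" ] || echo "warning: CA_CERT is empty; certificate-authority-data will be blank" >&2
[ -n "${API_SERVER:-}" ] || echo "warning: API_SERVER is empty; server will be blank" >&2
(
  umask 077
  cat <<EOF > slanla.conf
apiVersion: v1
kind: Config
clusters:
- cluster:
    certificate-authority-data: ${CA_CERT:-}
    server: ${API_SERVER:-}
  name: cluster
EOF
)
chmod 600 slanla.conf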
取得 token（此為長期有效、不會過期的 legacy ServiceAccount token；一旦外洩只能靠刪除該 Secret 來撤銷，請妥善保管產生的設定檔）
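# Base64-encoded ServiceAccount token from the Secret (decoded in the next
# step). This is a legacy long-lived token with no expiry; revocation means
# deleting the Secret. $SECRET is quoted so an empty value errors out rather
# than querying the wrong thing.
TOKEN=$(kubectl -n tw-sgis get secret "${SECRET}" -o jsonpath='{.data.token}')
: "${TOKEN:?Secret ${SECRET} has no token entry}"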
設定 token
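# Add the user entry with the decoded token. The token is passed on argv, so it
# is briefly visible in `ps` and may be recorded in shell history / audit logs;
# run this on a trusted host. kubectl stores it in plaintext inside slanla.conf,
# hence the chmod afterwards (the file is created by kubectl if missing).
: "${TOKEN:?TOKEN is empty; fetch .data.token from the Secret first}"
kubectl config set-credentials slanla-user \
  --token="$(printf '%s' "${TOKEN}" | base64 -d)" \
  --kubeconfig=slanla.conf
chmod 600 slanla.conf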
建立context: default
# Context "default" ties the cluster entry to the slanla-user credentials.
kubectl config --kubeconfig=slanla.conf set-context default \
  --user=slanla-user --cluster=cluster
指定context: default
# Make "default" the current context of the generated kubeconfig.
kubectl config --kubeconfig=slanla.conf use-context default