devops:kubernetes [2023/11/28 12:00] – [/etc/resolve.conf в подиках] admindevops:kubernetes [2023/11/30 08:03] (current) – [Предоставление ограниченного доступа в кластер с помощью RBAC и Service Accounts] admin
Line 661: Line 661:
 ====== Предоставление ограниченного доступа в кластер с помощью RBAC и Service Accounts ====== ====== Предоставление ограниченного доступа в кластер с помощью RBAC и Service Accounts ======
 # https://documentation.commvault.com/v11/essential/129223_creating_kubernetes_cluster_admin_service_account_for_commvault.html \\ # https://documentation.commvault.com/v11/essential/129223_creating_kubernetes_cluster_admin_service_account_for_commvault.html \\
-Надо дописать именно ограниченный доступ. Сейчас - создается **Cluster Admin**+
 <code> <code>
 #!/bin/bash #!/bin/bash
 set -e set -e
  
-KUB_CONTEXT='nlu-eu-prod+KUB_CONTEXT='anima-lightning2-dev
-KUB_USERNAME='ypetrenko'+KUB_USERNAME='dashboard-ro' 
 +KUB_NAMESPACES=('lightning-dev' 'lightning-tst')
 ######KUB_USERGROUP='mcs-ro' ######KUB_USERGROUP='mcs-ro'
 #cluster or ns (namespace) #cluster or ns (namespace)
 #AUTH_SCOPE='cluster' #AUTH_SCOPE='cluster'
-#AUTH_SCOPE='ns'+AUTH_SCOPE='ns'
 # If AUTH_SCOPE = ns then we need namespace name # If AUTH_SCOPE = ns then we need namespace name
-#KUB_NAMESPACE='default' +#KUB_NAMESPACES=('default') 
-#########KUB_ROLE_NAME="${KUB_USERGROUP}-role"+
 # Comma separated quoted - '"get", "list"'. For all use "*" # Comma separated quoted - '"get", "list"'. For all use "*"
-#KUB_ROLE_APIGROUPS='"*"' +KUB_ROLE_APIGROUPS='"*"' 
-#KUB_ROLE_RESOURCES='"*"'+KUB_ROLE_RESOURCES='"*"'
 #KUB_ROLE_VERBS='"get", "list"' #KUB_ROLE_VERBS='"get", "list"'
-#KUB_ROLE_VERBS='"*"'+KUB_ROLE_VERBS='"get", "list"'
  
 echo "Switching to context '${KUB_CONTEXT}'..." echo "Switching to context '${KUB_CONTEXT}'..."
Line 691: Line 692:
 CLUSTER_CA=`kubectl get secret -n kube-system $KUB_SYSTEM_TOKEN_SECRET -o jsonpath={".data.ca\.crt"}` CLUSTER_CA=`kubectl get secret -n kube-system $KUB_SYSTEM_TOKEN_SECRET -o jsonpath={".data.ca\.crt"}`
  
-kubectl create serviceaccount $KUB_USERNAME -n kube-system +kubectl create serviceaccount ${KUB_USERNAME}-sa -n kube-system || true 
-kubectl create clusterrolebinding $KUB_USERNAME --clusterrole=cluster-admin --serviceaccount=kube-system:$KUB_USERNAME+ 
 +echo "Create ClusterRole '${KUB_USERNAME}-ns-cluster-role' to List Namespaces..." 
 +kubectl apply -f - <<EOF 
 +kind: ClusterRole 
 +apiVersion: rbac.authorization.k8s.io/v1 
 +metadata: 
 +  name: ${KUB_USERNAME}-ns-cluster-role 
 +rules: 
 +- apiGroups: [""
 +  resources: ["namespaces"
 +  verbs: ["get", "list"
 + 
 +EOF 
 + 
 +echo "Create Cluster Role Binding for group '${KUB_USERNAME}-ns-cluster-role' to List Namespaces..." 
 +kubectl apply -f - <<EOF 
 +kind: ClusterRoleBinding 
 +apiVersion: rbac.authorization.k8s.io/v1 
 +metadata: 
 +  name: ${KUB_USERNAME}-ns-cluster-rolebinding 
 +subjects: 
 +- kind: ServiceAccount 
 +  name: ${KUB_USERNAME}-sa 
 +  namespace: kube-system 
 +roleRef: 
 +  kind: ClusterRole 
 +  name: ${KUB_USERNAME}-ns-cluster-role 
 +  apiGroup: rbac.authorization.k8s.io 
 +EOF 
 + 
 +if [ "$AUTH_SCOPE" = "ns" ]; then 
 +for KUB_NAMESPACE in ${KUB_NAMESPACES[@]}; do 
 +kubectl create ns ${KUB_NAMESPACE} || true 
 + 
 +echo "Creating Role - '${KUB_USERNAME}-role' in the namespace '${KUB_NAMESPACE}'..." 
 +kubectl replace -f - <<EOF 
 +kind: Role 
 +apiVersion: rbac.authorization.k8s.io/v1 
 +metadata: 
 +  namespace: ${KUB_NAMESPACE} 
 +  name: ${KUB_USERNAME}-role 
 +rules: 
 +- apiGroups: [${KUB_ROLE_APIGROUPS}] 
 +  resources: [${KUB_ROLE_RESOURCES}] 
 +  verbs: [${KUB_ROLE_VERBS}] 
 +EOF 
 + 
 +echo "Creating RoleBinding for the '${KUB_USERNAME}-role' in the namespace '${KUB_NAMESPACE}'..." 
 +kubectl replace -f - <<EOF 
 +kind: RoleBinding 
 +apiVersion: rbac.authorization.k8s.io/v1 
 +metadata: 
 +  name: ${KUB_USERNAME} 
 +  namespace: ${KUB_NAMESPACE} 
 +subjects: 
 +- kind: ServiceAccount 
 +  name: ${KUB_USERNAME}-sa 
 +  namespace: kube-system 
 +roleRef: 
 +  kind: Role 
 +  name: ${KUB_USERNAME}-role 
 +  apiGroup: rbac.authorization.k8s.io 
 +EOF 
 +done 
 +fi 
 + 
 +if [ "$AUTH_SCOPE" "cluster" ]; then 
 +echo "Creating ClusterRole '${KUB_USERNAME}-cluster-role' to access resources..." 
 +kubectl apply -f - <<EOF 
 +kind: ClusterRole 
 +apiVersion: rbac.authorization.k8s.io/v1 
 +metadata: 
 +  name: ${KUB_USERNAME}-cluster-role 
 +rules: 
 +- apiGroups: [${KUB_ROLE_APIGROUPS}] 
 +  resources: [${KUB_ROLE_RESOURCES}] 
 +  verbs: [${KUB_ROLE_VERBS}] 
 +EOF 
 + 
 +echo "Create Cluster Role Binding for group '${KUB_USERNAME}-cluster-role' to access resources..." 
 +kubectl apply -f - <<EOF 
 +kind: ClusterRoleBinding 
 +apiVersion: rbac.authorization.k8s.io/v1 
 +metadata: 
 +  name: ${KUB_USERNAME}-cluster-rolebinding 
 +subjects: 
 +- kind: ServiceAccount 
 +  name: ${KUB_USERNAME}-sa 
 +  namespace: kube-system 
 +roleRef: 
 +  kind: ClusterRole 
 +  name: ${KUB_USERNAME}-cluster-role 
 +  apiGroup: rbac.authorization.k8s.io 
 +fi 
 +EOF 
 +fi
  
 kubectl apply -f - <<EOF kubectl apply -f - <<EOF
Line 701: Line 797:
   namespace: kube-system   namespace: kube-system
   annotations:   annotations:
-    kubernetes.io/service-account.name: ${KUB_USERNAME}+    kubernetes.io/service-account.name: ${KUB_USERNAME}-sa
 type: kubernetes.io/service-account-token type: kubernetes.io/service-account-token
 EOF EOF
  
-SA_TOKEN=`echo "kubectl get secrets -n kube-system -o jsonpath=\"{.items[?(@.metadata.annotations['kubernetes\\.io/service-account\\.name']=='${KUB_USERNAME}')].data.token}\" | base64 --decode" | /bin/bash`+SA_TOKEN=`echo "kubectl get secrets -n kube-system -o jsonpath=\"{.items[?(@.metadata.annotations['kubernetes\\.io/service-account\\.name']=='${KUB_USERNAME}-sa')].data.token}\" | base64 --decode" | /bin/bash`
  
 cat <<EOF > ./kubeconfig_${KUB_USERNAME}_${CLUSTER_NAME} cat <<EOF > ./kubeconfig_${KUB_USERNAME}_${CLUSTER_NAME}
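Review bot: The cluster-scope branch never runs and would not apply even if it did: the test `if [ "$AUTH_SCOPE" "cluster" ]; then` is missing its `=` (the `if` swallows the test error and skips the block), and the ClusterRoleBinding heredoc that follows carries a stray `fi` line before its `EOF`, so kubectl would reject the YAML; change the condition to `if [ "$AUTH_SCOPE" = "cluster" ]; then` and delete the `fi` inside the heredoc. In the namespace branch, `kubectl replace -f -` for the Role and RoleBinding fails with NotFound on a first run, and under `set -e` that aborts the script — use `kubectl apply -f -` as the ClusterRole blocks already do. Note that `"get", "list"` on resources `"*"` in a namespace includes Secrets, so this "dashboard-ro" account can read every Secret in lightning-dev and lightning-tst; if that is not intended, enumerate the resources (pods, deployments, services, …) instead of `"*"`. The script further down also mints a non-expiring `kubernetes.io/service-account-token` Secret in kube-system for the account; a time-bound token from `kubectl create token` is preferable where the cluster supports it.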