分离生成read权限kubeconfig easzlab#727

zero0r1 · Nov 17, 2019 · faf78af · faf78af
1 parent 10ccdda
commit faf78af
Show file tree

Hide file tree

Showing 4 changed files with 79 additions and 32 deletions.
diff --git a/docs/op/readonly_kubectl.md b/docs/op/readonly_kubectl.md
@@ -4,12 +4,29 @@
 
 ## 创建
 
-- 备份下原先 admin 权限的 kubeconfig 文件：`mv ~/.kube ~/.kubeadmin`
-- 执行 `ansible-playbook /etc/ansible/01.prepare.yml -t create_kctl_cfg -e USER_NAME=read`，成功后查看~/.kube/config 即为只读权限
+- 执行如下命令成功后查看/root/.kube/read.config 即为只读权限
+
+```
+ansible-playbook /etc/ansible/roles/deploy/deploy.yml -t create_ro_kctl_cfg -e CREATE_READONLY_KUBECONFIG=true
+```
+
+- 验证只读权限
+
+```
+$ kubectl --kubeconfig=/root/.kube/read.config get deploy -n kube-system
+NAME                         READY   UP-TO-DATE   AVAILABLE   AGE
+coredns                      2/2     2            2           13d
+dashboard-metrics-scraper    1/1     1            1           13d
+kubernetes-dashboard         1/1     1            1           13d
+metrics-server               1/1     1            1           13d
+traefik-ingress-controller   1/1     1            1           13d
+$ kubectl --kubeconfig=/root/.kube/read.config delete deploy kubernetes-dashboard -n kube-system
+Error from server (Forbidden): deployments.apps "kubernetes-dashboard" is forbidden: User "read" cannot delete resource "deployments" in API group "apps" in the namespace "kube-system"
+```
 
 ## 讲解
 
-对照文件`/etc/ansible/roles/deploy/tasks/main.yml`，创建主要包括三个步骤：
+对照文件`/etc/ansible/roles/deploy/tasks/create-ro-kubeconfig.yml`，创建主要包括三个步骤：
 
 - 创建 group:read rbac 权限
 - 创建 read 用户证书和私钥
@@ -57,12 +74,9 @@ kubeconfig 为与apiserver交互使用的认证配置文件，如脚本步骤需
 - 设置上下文参数，指定使用cluster集群和用户read
 - 设置指定默认上下文
 
-创建完成后生成默认配置文件为 `~/.kube/config`
-
-## 恢复 admin 权限
+创建完成后生成配置文件为`/root/.kube/read.config`，可以将该文件发给只读权限的普通用户
 
-- 可以恢复之前备份的`~/.kubeadmin`文件：`mv ~/.kube ~/.kuberead && mv ~/.kubeadmin ~/.kube`
-- 或者直接执行 `ansible-playbook /etc/ansible/01.prepare.yml -t create_kctl_cfg`
+## 关联阅读[访问dashboard](../guide/dashboard.md)中的只读kubeconfig登陆相关内容
 
 ## 参考
 

diff --git a/roles/deploy/defaults/main.yml b/roles/deploy/defaults/main.yml
@@ -5,9 +5,6 @@ CERT_EXPIRY: "438000h"
 # apiserver 默认第一个master节点
 KUBE_APISERVER: "https://{{ groups['kube-master'][0] }}:6443"
 
-# kubeconfig 配置参数，注意权限根据‘USER_NAME’设置：
-# 'admin' 表示创建集群管理员（所有）权限的 kubeconfig 
-# 'read' 表示创建只读权限的 kubeconfig
 CLUSTER_NAME: "cluster1"
-USER_NAME: "admin"
-CONTEXT_NAME: "context-{{ CLUSTER_NAME }}-{{ USER_NAME }}"
+
+CREATE_READONLY_KUBECONFIG: false
diff --git a/roles/deploy/tasks/create-ro-kubeconfig.yml b/roles/deploy/tasks/create-ro-kubeconfig.yml
@@ -0,0 +1,40 @@
+- block:
+    - name: 下载 group:read rbac 文件
+      copy: src=read-group-rbac.yaml dest=/tmp/read-group-rbac.yaml
+
+    - name: 创建group:read rbac 绑定
+      shell: "{{ base_dir }}/bin/kubectl apply -f /tmp/read-group-rbac.yaml"
+
+    - name: 准备kubectl使用的read证书签名请求
+      template: src=read-csr.json.j2 dest={{ base_dir }}/.cluster/ssl/read-csr.json
+
+    - name: 创建read证书与私钥
+      shell: "cd {{ base_dir }}/.cluster/ssl && {{ base_dir }}/bin/cfssl gencert \
+            -ca=ca.pem \
+            -ca-key=ca-key.pem \
+            -config=ca-config.json \
+            -profile=kubernetes read-csr.json | {{ base_dir }}/bin/cfssljson -bare read"
+
+    - name: 设置只读kubeconfig集群参数
+      shell: "{{ base_dir }}/bin/kubectl config set-cluster {{ CLUSTER_NAME }} \
+            --certificate-authority={{ base_dir }}/.cluster/ssl/ca.pem \
+            --embed-certs=true \
+            --server={{ KUBE_APISERVER }} \
+            --kubeconfig=/root/.kube/read.config"
+
+    - name: 设置只读kubeconfig客户端认证参数
+      shell: "{{ base_dir }}/bin/kubectl config set-credentials read \
+            --client-certificate={{ base_dir }}/.cluster/ssl/read.pem \
+            --embed-certs=true \
+            --client-key={{ base_dir }}/.cluster/ssl/read-key.pem \
+            --kubeconfig=/root/.kube/read.config"
+
+    - name: 设置只读kubeconfig上下文参数
+      shell: "{{ base_dir }}/bin/kubectl config set-context {{ CLUSTER_NAME }} \
+            --cluster={{ CLUSTER_NAME }} --user=read \
+            --kubeconfig=/root/.kube/read.config"
+
+    - name: 选择只读kubeconfig默认上下文
+      shell: "{{ base_dir }}/bin/kubectl config use-context {{ CLUSTER_NAME }} \
+            --kubeconfig=/root/.kube/read.config"
+  tags: create_ro_kctl_cfg
diff --git a/roles/deploy/tasks/main.yml b/roles/deploy/tasks/main.yml
@@ -25,29 +25,21 @@
   shell: "cd {{ base_dir }}/.cluster/ssl && \
 	 {{ base_dir }}/bin/cfssl gencert -initca ca-csr.json | {{ base_dir }}/bin/cfssljson -bare ca" 
 
-#----------- 创建kubectl kubeconfig文件: /root/.kube/config
+#----------- 创建admin kubectl kubeconfig文件: /root/.kube/config
 - block:
     - name: 删除原有kubeconfig
       file: path=/root/.kube/config state=absent
       ignore_errors: true
 
-    - name: 下载 group:read rbac 文件
-      copy: src=read-group-rbac.yaml dest=/tmp/read-group-rbac.yaml
-      when: USER_NAME == "read"
+    - name: 准备kubectl使用的admin证书签名请求
+      template: src=admin-csr.json.j2 dest={{ base_dir }}/.cluster/ssl/admin-csr.json
 
-    - name: 创建group:read rbac 绑定
-      shell: "{{ base_dir }}/bin/kubectl apply -f /tmp/read-group-rbac.yaml"
-      when: USER_NAME == "read"
-
-    - name: 准备kubectl使用的{{ USER_NAME }}证书签名请求
-      template: src={{ USER_NAME }}-csr.json.j2 dest={{ base_dir }}/.cluster/ssl/{{ USER_NAME }}-csr.json
-
-    - name: 创建{{ USER_NAME }}证书与私钥
+    - name: 创建admin证书与私钥
       shell: "cd {{ base_dir }}/.cluster/ssl && {{ base_dir }}/bin/cfssl gencert \
             -ca=ca.pem \
             -ca-key=ca-key.pem \
             -config=ca-config.json \
-            -profile=kubernetes {{ USER_NAME }}-csr.json | {{ base_dir }}/bin/cfssljson -bare {{ USER_NAME }}"
+            -profile=kubernetes admin-csr.json | {{ base_dir }}/bin/cfssljson -bare admin"
 
     - name: 设置集群参数
       shell: "{{ base_dir }}/bin/kubectl config set-cluster {{ CLUSTER_NAME }} \
@@ -56,19 +48,23 @@
             --server={{ KUBE_APISERVER }}"
 
     - name: 设置客户端认证参数
-      shell: "{{ base_dir }}/bin/kubectl config set-credentials {{ USER_NAME }} \
-            --client-certificate={{ base_dir }}/.cluster/ssl/{{ USER_NAME }}.pem \
+      shell: "{{ base_dir }}/bin/kubectl config set-credentials admin \
+            --client-certificate={{ base_dir }}/.cluster/ssl/admin.pem \
             --embed-certs=true \
-            --client-key={{ base_dir }}/.cluster/ssl/{{ USER_NAME }}-key.pem"
+            --client-key={{ base_dir }}/.cluster/ssl/admin-key.pem"
 
     - name: 设置上下文参数
-      shell: "{{ base_dir }}/bin/kubectl config set-context {{ CONTEXT_NAME }} \
-            --cluster={{ CLUSTER_NAME }} --user={{ USER_NAME }}"
+      shell: "{{ base_dir }}/bin/kubectl config set-context {{ CLUSTER_NAME }} \
+            --cluster={{ CLUSTER_NAME }} --user=admin"
 
     - name: 选择默认上下文
-      shell: "{{ base_dir }}/bin/kubectl config use-context {{ CONTEXT_NAME }}"
+      shell: "{{ base_dir }}/bin/kubectl config use-context {{ CLUSTER_NAME }}"
   tags: create_kctl_cfg
 
+#-----------可选创建只读kubeconfig文件: /root/.kube/read.config
+- import_tasks: create-ro-kubeconfig.yml
+  when: "CREATE_READONLY_KUBECONFIG"
+
 #------------创建kube-proxy配置文件: kube-proxy.kubeconfig
 - name: 准备kube-proxy 证书签名请求
   template: src=kube-proxy-csr.json.j2 dest={{ base_dir }}/.cluster/ssl/kube-proxy-csr.json