One-shot script to generate a kubeconfig for managing a downstream k8s cluster
1. Scenario
1.1 You need to manage downstream k8s clusters.
1.2 You do not want to hand out the default config, which carries cluster-admin privileges.
2. Script
Key parameters:
2.1 Configuration variables.
1) Two permission levels are supported: access to a single namespace, or cluster-wide read-only.
2) The path to the self-signed CA certificate must be correct.
2.2 If something was misconfigured and the kubeconfig has to be regenerated,
go into the cluster and delete the corresponding CertificateSigningRequest (CSR) first.
2.3 Edit the ClusterRole in the script to change the granted permissions.
2.4 Note: the cluster name and user name must not be the same across clusters.
#!/bin/bash
set -euo pipefail

# Configuration variables
USERNAME="kody"
CLUSTER_NAME="rke2-01"
NAMESPACE="default"
PERMISSION_LEVEL="cluster-readonly" # either "namespace" or "cluster-readonly"
API_SERVER="https://172.31.0.32:6443" # API server address
CA_CERT_PATH="/var/lib/rancher/rke2/server/tls/server-ca.crt" # path to the cluster CA certificate

# Generate the client key and certificate signing request
openssl genrsa -out "${USERNAME}.key" 2048
openssl req -new -key "${USERNAME}.key" -out "${USERNAME}.csr" -subj "/CN=${USERNAME}/O=my-group"

# Submit and approve the CSR (this is YAML, so the indentation matters)
cat <<EOF | kubectl apply -f -
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: ${USERNAME}-csr
spec:
  request: $(base64 < "${USERNAME}.csr" | tr -d '\n')
  signerName: kubernetes.io/kube-apiserver-client
  expirationSeconds: 86400
  usages:
  - client auth
EOF
kubectl certificate approve "${USERNAME}-csr"

# Signing happens asynchronously after approval: wait until .status.certificate is populated
CERT=""
for _ in $(seq 1 30); do
  CERT=$(kubectl get csr "${USERNAME}-csr" -o jsonpath='{.status.certificate}')
  [ -n "$CERT" ] && break
  sleep 1
done
[ -n "$CERT" ] || { echo "CSR ${USERNAME}-csr was not signed within 30s" >&2; exit 1; }
echo "$CERT" | base64 -d > "${USERNAME}.crt"

# Create the RBAC objects
if [ "$PERMISSION_LEVEL" == "namespace" ]; then
  # Role + RoleBinding: read/write on a few resource types, limited to one namespace
cat <<EOF | kubectl apply -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: ${NAMESPACE}
  name: ${USERNAME}-role
rules:
- apiGroups: ["", "apps", "batch"]
  resources: ["pods", "deployments", "jobs", "services"]
  verbs: ["get", "list", "watch", "create", "update", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ${USERNAME}-role-binding
  namespace: ${NAMESPACE}
subjects:
- kind: User
  name: ${USERNAME}
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: ${USERNAME}-role
  apiGroup: rbac.authorization.k8s.io
EOF
else
  # ClusterRole + ClusterRoleBinding: read-only (get/list/watch) on everything, cluster-wide
cat <<EOF | kubectl apply -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ${USERNAME}-readonly
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ${USERNAME}-readonly-binding
subjects:
- kind: User
  name: ${USERNAME}
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: ${USERNAME}-readonly
  apiGroup: rbac.authorization.k8s.io
EOF
fi

# Generate the kubeconfig (CA and client certs embedded, so the file is self-contained)
kubectl config set-cluster "${CLUSTER_NAME}" \
  --server="${API_SERVER}" \
  --certificate-authority="${CA_CERT_PATH}" \
  --embed-certs=true \
  --kubeconfig="${USERNAME}.kubeconfig"
kubectl config set-credentials "${USERNAME}" \
  --client-certificate="${USERNAME}.crt" \
  --client-key="${USERNAME}.key" \
  --embed-certs=true \
  --kubeconfig="${USERNAME}.kubeconfig"
# The context name includes the cluster name so that contexts from several clusters
# can be merged later without colliding (e.g. kody-rke2-03-context in section 6)
kubectl config set-context "${USERNAME}-${CLUSTER_NAME}-context" \
  --cluster="${CLUSTER_NAME}" \
  --user="${USERNAME}" \
  --namespace="${NAMESPACE}" \
  --kubeconfig="${USERNAME}.kubeconfig"
kubectl config use-context "${USERNAME}-${CLUSTER_NAME}-context" \
  --kubeconfig="${USERNAME}.kubeconfig"
echo "完成!用户 ${USERNAME} 的 kubeconfig 文件: ${USERNAME}.kubeconfig"
3. Test
kubectl --kubeconfig=<generated config> get pods
4. Merging kubeconfig files
Merge the generated downstream configs with the following command.
KUBECONFIG=~/.kube/config:/path/to/rke2-01.config:/path/to/rke2-02.config:/path/to/rke2-03.config kubectl config view --merge --flatten > ~/.kube/merged-config
Example:
cat ~/.kube/merged-config
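To catch the collision that note 2.4 warns about before running the merge, here is an added bash helper (not part of the original post) that lists cluster, context and user names defined in more than one kubeconfig file. It assumes the layout kubectl writes (list items at column 0, `name:` indented by two spaces) and builds its own constructed sample files; the function names are mine.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): detect cluster/context/user names
# that are defined in more than one kubeconfig file before merging them.
# `kubectl config view --merge` keeps the first definition of a duplicated name
# and ignores the rest, so a "kody" user entry holding rke2-01's client cert
# would silently shadow the "kody" entry meant for rke2-02 (the note in 2.4).

# Print "<section>/<name>" for every cluster, context and user in one file.
kubeconfig_names() {
  awk '
    /^[a-z-]+:/ { section = $1; sub(":", "", section); next }  # top-level key
    section ~ /^(clusters|contexts|users)$/ && /^(- |  )name: / { print section "/" $NF }
  ' "$1"
}

# Usage: kubeconfig_name_collisions FILE...   Prints e.g. "users/kody: a b" for
# each name defined in more than one file; returns 0 if none collide, else 1.
kubeconfig_name_collisions() {
  local f out
  out=$(for f in "$@"; do
          kubeconfig_names "$f" | awk -v file="$f" '{ print $0 " " file }'
        done | sort -u | awk '
          { files[$1] = files[$1] " " $2; count[$1]++ }
          END { for (k in count) if (count[k] > 1) print k ":" files[k] }
        ' | sort)
  [ -z "$out" ] && return 0
  printf '%s\n' "$out"
  return 1
}

# Constructed sample kubeconfig in the shape the script above emits (the
# certificate data is a placeholder, not a real credential).
make_sample_kubeconfig() { # FILE CLUSTER USER CONTEXT
  cat > "$1" <<EOF
apiVersion: v1
clusters:
- cluster:
    server: https://example.invalid:6443
  name: $2
contexts:
- context:
    cluster: $2
    user: $3
  name: $4
users:
- name: $3
  user:
    client-certificate-data: UExBQ0VIT0xERVI=
EOF
}
```

Run `kubeconfig_name_collisions` over the same file list you pass in `KUBECONFIG=` and fix any reported names before merging.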
5. Switching
6. Deploying with helm
helm install kafka appstore/kafka --set persistence.storageClass=longhorn --set persistence.size=3Gi --namespace=kafka --set zookeeper.enabled=true --version=23.0.7 --set kraft.enabled=false --create-namespace --kube-context=kody-rke2-03-context