일반사용자용 토큰 기반 kubeconfig 생성

1 개요

일반사용자용 ServiceAccount 인증 토큰 기반 kubeconfig 생성
특정 네임스페이스만 접근 가능한 토큰 기반 kubeconfig 생성

2 변수 지정

# Identities used by every step on this page: the name given to the
# ServiceAccount, Role and RoleBinding, and the namespace they live in.
USERNAME="jmnote"
NS="namespace1"

3 ServiceAccount 생성

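# Create the ServiceAccount whose token the generated kubeconfig will carry.
# Expansions are quoted so each value is passed as exactly one argument.
kubectl -n "$NS" create sa "$USERNAME"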

4 Role & RoleBinding 생성

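# Namespace-scoped Role granting every verb on every resource of the listed
# API groups. "*" also covers subresources (pods/exec, pods/log, ...) and
# Secrets in the core group, so this is effectively namespace admin for
# those groups; narrow `resources`/`verbs` when read-only access is enough.
# The manifest is fed to kubectl directly (no `cat` in the pipeline).
kubectl apply -f - <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: $USERNAME
  namespace: $NS
rules:
- apiGroups: ["", "apps", "batch", "extensions", "networking.k8s.io"]
  resources: ["*"]
  verbs: ["*"]
EOF
# Bind the Role to the ServiceAccount created above (same namespace).
kubectl -n "$NS" create rolebinding "$USERNAME" \
  --role="$USERNAME" \
  --serviceaccount="$NS:$USERNAME"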

5 TOKEN 추출

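# Read the ServiceAccount's long-lived token out of its auto-generated secret.
# NOTE: Kubernetes 1.24+ no longer auto-creates that secret, so
# .secrets[0].name is empty there; on such clusters issue a short-lived
# token instead with `kubectl -n "$NS" create token "$USERNAME"`.
# Each step is checked so an empty secret name or token is reported on
# stderr rather than silently ending up in the kubeconfig.
SA_SECRET=$(kubectl -n "$NS" get sa "$USERNAME" -o jsonpath='{.secrets[0].name}')
[[ -n "$SA_SECRET" ]] || printf 'no token secret found on sa/%s in %s\n' "$USERNAME" "$NS" >&2
TOKEN=$(kubectl -n "$NS" get secret "$SA_SECRET" -o jsonpath='{.data.token}' | base64 -d)
# Treat TOKEN as a credential: do not echo it or pass it to `set -x` sessions.
[[ -n "$TOKEN" ]] || printf 'empty token for sa/%s\n' "$USERNAME" >&2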

6 ca.crt 파일 생성

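# Export the cluster CA from the current kubeconfig so it can be embedded
# in the new file. This reads the FIRST cluster entry; with several clusters
# in your kubeconfig make sure index 0 is the intended one (the kubeconfig
# built below uses the same index).
kubectl config view --flatten -o jsonpath='{.clusters[0].cluster.certificate-authority-data}' | base64 -d > ca.crt
# A missing certificate-authority-data field would otherwise yield a silently
# empty ca.crt: the pipeline's status is base64's, which succeeds on empty input.
[[ -s ca.crt ]] || printf 'ca.crt is empty: clusters[0] has no certificate-authority-data\n' >&2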

7 kubeconfig 파일 생성

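# Assemble a standalone kubeconfig for the user. The cluster name and server
# are read once (first cluster entry, matching ca.crt above) instead of
# re-running `kubectl config view` inside every command.
CLUSTER_NAME=$(kubectl config view -o jsonpath='{.clusters[0].name}')
CLUSTER_SERVER=$(kubectl config view -o jsonpath='{.clusters[0].cluster.server}')
OUT_KUBECONFIG="./$USERNAME-kubeconfig"

kubectl config set-cluster "$CLUSTER_NAME" \
  --server="$CLUSTER_SERVER" \
  --certificate-authority=ca.crt \
  --embed-certs \
  --kubeconfig="$OUT_KUBECONFIG"
# The token is a bearer credential: it appears in this command's argv
# (shell history, `set -x`, briefly in `ps`) and is stored in the file.
kubectl config set-credentials "$USERNAME" \
  --token="$TOKEN" \
  --kubeconfig="$OUT_KUBECONFIG"
kubectl config set-context "$USERNAME" \
  --cluster="$CLUSTER_NAME" \
  --namespace="$NS" \
  --user="$USERNAME" \
  --kubeconfig="$OUT_KUBECONFIG"
kubectl config use-context "$USERNAME" \
  --kubeconfig="$OUT_KUBECONFIG"
# The file holds the token; keep it owner-readable only regardless of umask.
chmod 600 -- "$OUT_KUBECONFIG"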

8 테스트

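# Smoke-test the generated kubeconfig.
# Nodes are cluster-scoped and not covered by the namespaced Role, so this
# first call is expected to be rejected (Forbidden).
kubectl --kubeconfig="$USERNAME-kubeconfig" get no
# The context's default namespace is $NS, so these two calls are equivalent
# and both should succeed.
kubectl --kubeconfig="$USERNAME-kubeconfig" get pod
kubectl --kubeconfig="$USERNAME-kubeconfig" get pod -n "$NS"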

9 ⚠️ 원복 (모두 제거)

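# Tear down everything this page created. Only the two generated files are
# removed: `rm -f *` would delete every file in the working directory.
# ${USERNAME:?} aborts the rm if USERNAME is unset instead of removing
# a stray "./-kubeconfig".
kubectl -n "$NS" delete sa "$USERNAME"
kubectl -n "$NS" delete role "$USERNAME"
kubectl -n "$NS" delete rolebinding "$USERNAME"
rm -f -- ca.crt "./${USERNAME:?USERNAME must be set}-kubeconfig"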

10 같이 보기

11 참고
