kubernetes創建管理員用戶,提供給kubectl客戶端使用

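[root@kubernetes01 ~]# cat > create_admin_user.sh <<'EOF'
#!/bin/bash
# Issue a client certificate and kubeconfig for a user, then bind that user
# to the cluster-admin ClusterRole.
#
# Usage: create_admin_user.sh USERNAME
# Env:   CERT_DAYS - certificate validity in days (default 3650)
#
# The heredoc delimiter is quoted ('EOF') so nothing is expanded while the
# script is being written to disk; no backslash escaping is needed.
#
# Security notes:
#  - The resulting ${USERNAME}.conf embeds the client private key for an
#    identity with cluster-admin rights; handle it like a root credential.
#  - The API server does not check revocation of individual client
#    certificates, so the certificate stays valid for its whole lifetime.
#    Deleting the ClusterRoleBinding removes the cluster-admin rights;
#    prefer a short CERT_DAYS where practical.
#  - The script reads the CA private key, so it has to run where that key
#    is stored.
set -euo pipefail
umask 077   # private key, CSR, certificate and kubeconfig are created owner-only

USERNAME="${1:-}"
APISERVER="https://192.168.1.190:64430"
CA_FILE="/etc/ssl/k8s/ca.pem"
CA_KEY_FILE="/etc/ssl/k8s/ca-key.pem"
CERT_DAYS="${CERT_DAYS:-3650}"

# Validate the argument before it is used to build any path.
if [ -z "${USERNAME}" ]; then
  echo "傳入一個參數作爲用戶名請輸入用戶名"
  exit 1
fi

# The name becomes a directory name, a certificate subject field and a
# command-line argument: reject path separators, "." / ".." and a leading "-".
case "${USERNAME}" in
  */* | -* | . | ..)
    echo "用戶名不合法"
    exit 1
    ;;
esac

if [ ! -f "${CA_FILE}" ]; then
  echo "${CA_FILE},ca文件不存在"
  exit 1
fi

if [ ! -f "${CA_KEY_FILE}" ]; then
  echo "${CA_KEY_FILE},ca-key文件不存在"
  exit 1
fi

# Stop if kubectl itself fails, so an unreachable API server is not mistaken
# for "no such binding". The comparison is an exact, fixed-string match: the
# user name is never interpreted as a regular expression.
existing="$(kubectl get clusterrolebinding --no-headers | awk '{print $1}')" || exit 1
if printf '%s\n' "${existing}" | grep -Fxq -- "${USERNAME}"; then
  echo "clusterrolebinding名稱已存在"
  exit 1
fi

USERNAME_DIR="/data/k8s/user/${USERNAME}"
mkdir -p -- "${USERNAME_DIR}"
cd -- "${USERNAME_DIR}"

# Generate the user's private key.
openssl genrsa -out "${USERNAME}.key" 2048

# Create a certificate signing request from that key (CN = user name, O = group).
openssl req -new -key "${USERNAME}.key" -out "${USERNAME}.csr" \
  -subj "/CN=${USERNAME}/O=k8s"

# Sign the request with the cluster CA to obtain the client certificate.
openssl x509 -req -in "${USERNAME}.csr" -CA "${CA_FILE}" -CAkey "${CA_KEY_FILE}" \
  -CAcreateserial -out "${USERNAME}.crt" -days "${CERT_DAYS}"

# Assemble a self-contained kubeconfig (CA, certificate and key embedded).
kubectl config set-cluster "${USERNAME}" --certificate-authority="${CA_FILE}" \
  --embed-certs=true --server="${APISERVER}" --kubeconfig="${USERNAME}.conf"
kubectl config set-credentials "${USERNAME}" --client-certificate="${USERNAME}.crt" \
  --client-key="${USERNAME}.key" --embed-certs=true --kubeconfig="${USERNAME}.conf"
kubectl config set-context "${USERNAME}-context@${USERNAME}" --cluster="${USERNAME}" \
  --user="${USERNAME}" --kubeconfig="${USERNAME}.conf"
kubectl config use-context "${USERNAME}-context@${USERNAME}" --kubeconfig="${USERNAME}.conf"

# Grant cluster-admin last, only after every credential step has succeeded.
kubectl create clusterrolebinding "${USERNAME}" --clusterrole=cluster-admin \
  --user="${USERNAME}"
EOF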
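# Run the script under bash (it has a bash shebang) using the file name it was saved as.
[root@kubernetes01 user]# bash create_admin_user.sh xxx
# The kubeconfig embeds the private key of a cluster-admin identity:
# keep the target directory and the copied file readable by the owner only.
[root@kubernetes01 user]# ssh 192.168.1.194 "mkdir -p -m 700 /root/.kube"
[root@kubernetes01 user]# scp /data/k8s/user/xxx/xxx.conf 192.168.1.194:/root/.kube/config
[root@kubernetes01 user]# ssh 192.168.1.194 "chmod 600 /root/.kube/config"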