一、场景

1.1 需要管理下游k8s集群的场景。

1.2 不希望使用默认的cluster-admin权限的config.

二、脚本

**重点参数：

2.1 配置变量。
        1、有单独namespace的权限和集群只读权限。

        2、自签名的CA证书位置要正确。

2.2 如果配置错误，需要重新生成

进入集群删除CertificateSigningRequest对应的请求CSR

2.3 修改其中的Clusterrole可以修改权限。

2.4 注意每个集群的名称和用户名不能一致。

#!/bin/bash# 配置变量
USERNAME="kody"
CLUSTER_NAME="rke2-01"
NAMESPACE="default"
PERMISSION_LEVEL="cluster-readonly"  # 可选 namespace 或 cluster-readonly
API_SERVER="https://172.31.0.32:6443"  # 指定API服务器地址
CA_CERT_PATH="/var/lib/rancher/rke2/server/tls/server-ca.crt"  # 指定CA证书路径# 生成证书
openssl genrsa -out ${USERNAME}.key 2048
openssl req -new -key ${USERNAME}.key -out ${USERNAME}.csr -subj "/CN=${USERNAME}/O=my-group"# 提交并批准 CSR
cat <<EOF | kubectl apply -f -
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:name: ${USERNAME}-csr
spec:request: $(cat ${USERNAME}.csr | base64 | tr -d '\n')signerName: kubernetes.io/kube-apiserver-clientexpirationSeconds: 86400usages:- client auth
EOF
kubectl certificate approve ${USERNAME}-csr
kubectl get csr ${USERNAME}-csr -o jsonpath='{.status.certificate}' | base64 -d > ${USERNAME}.crt# 创建 RBAC 权限
if [ "$PERMISSION_LEVEL" == "namespace" ]; thencat <<EOF | kubectl apply -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:namespace: ${NAMESPACE}name: ${USERNAME}-role
rules:
- apiGroups: ["", "apps", "batch"]resources: ["pods", "deployments", "jobs", "services"]verbs: ["get", "list", "watch", "create", "update", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:name: ${USERNAME}-role-bindingnamespace: ${NAMESPACE}
subjects:
- kind: Username: ${USERNAME}apiGroup: rbac.authorization.k8s.io
roleRef:kind: Rolename: ${USERNAME}-roleapiGroup: rbac.authorization.k8s.io
EOF
elsecat <<EOF | kubectl apply -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:name: ${USERNAME}-readonly
rules:
- apiGroups: ["*"]resources: ["*"]verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:name: ${USERNAME}-readonly-binding
subjects:
- kind: Username: ${USERNAME}apiGroup: rbac.authorization.k8s.io
roleRef:kind: ClusterRolename: ${USERNAME}-readonlyapiGroup: rbac.authorization.k8s.io
EOF
fi# 生成 kubeconfig
kubectl config set-cluster ${CLUSTER_NAME} \--server=${API_SERVER} \--certificate-authority=${CA_CERT_PATH} \--embed-certs=true \--kubeconfig=${USERNAME}.kubeconfigkubectl config set-credentials ${USERNAME} \--client-certificate=${USERNAME}.crt \--client-key=${USERNAME}.key \--embed-certs=true \--kubeconfig=${USERNAME}.kubeconfigkubectl config set-context ${USERNAME}-context \--cluster=${CLUSTER_NAME} \--user=${USERNAME} \--namespace=${NAMESPACE} \--kubeconfig=${USERNAME}.kubeconfigkubectl config use-context ${USERNAME}-context \--kubeconfig=${USERNAME}.kubeconfigecho "完成！用户 ${USERNAME} 的 kubeconfig 文件: ${USERNAME}.kubeconfig"

三、测试

kubectl --kubeconfig=<生成的config> get pods

四、合并Kubeconfig文件

生成了的下游config使用下面的命名合并。

KUBECONFIG=~/.kube/config:/path/to/rke2-01.config:/path/to/rke2-02.config:/path/to/rke2-03.config kubectl config view --merge --flatten > ~/.kube/merged-config

例子：

cat ~/.kube/merged-config

五、切换

六、helm部署

helm install kafka appstore/kafka --set persistence.storageClass=longhorn --set persistence.size=3Gi  --namespace=kafka --set zookeeper.enabled=true --version=23.0.7 --set kraft.enabled=false --create-namespace --kube-context=kody-rke2-03-context