Created
July 13, 2020 10:48
Generate kubeconfig for users with proper permissions and quota in the specified namespace.
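#!/usr/bin/bash
#
# Create a namespace, a ServiceAccount acting as the "user", a Role/RoleBinding
# and a ResourceQuota in that namespace, then write a kubeconfig that
# authenticates as the ServiceAccount with its bearer token.
#
# The generated kubeconfig is a credential: it embeds the ServiceAccount token
# in clear text. It is written with owner-only permissions; hand it over
# through a channel suited to secrets and revoke it by deleting the
# ServiceAccount (or its token Secret) when it is no longer needed.

set -e
set -u
set -o pipefail
# Keep tracing off in normal use: `set -x` would print the bearer token that is
# read into $token below to stderr (and into any captured logs).
#set -x

# Please set these variables first, then run the script on the master node.
APISERVER_ADDRESS="https://127.0.0.1:6443" # If you have a VIP for apiservers, use the VIP.
# NOTE: USER is also the login-name environment variable in most shells;
# assigning it here overrides it for this script and the commands it starts.
USER=test                                  # user name
NAMESPACE=test-ns                          # namespace that will be used by the user
QUOTA_CPU="10"
QUOTA_MEM="10Gi"
QUOTA_PODS_NUM="20"

KUBECONFIG_NAME="kubeconfig_${USER}.yaml"

echo "Generate kubeconfig for user $USER with quota(CPU: $QUOTA_CPU, MEM: $QUOTA_MEM, Pods number: $QUOTA_PODS_NUM) in namespace $NAMESPACE"

# Create namespace (fails, and stops the script, if it already exists)
kubectl create namespace "$NAMESPACE"

# Create service account
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: $NAMESPACE
  name: $USER
EOF

# Get secret token.
# This relies on the cluster creating a token Secret for the ServiceAccount
# automatically. Kubernetes v1.24 and later no longer do that, in which case
# `kubectl describe sa` reports "<none>" and the script stops here instead of
# writing a kubeconfig with an empty token.
tokenName=$(kubectl describe sa "$USER" -n "$NAMESPACE" | awk '/Tokens/ {print $2}')
if [[ -z "$tokenName" || "$tokenName" == "<none>" ]]; then
  echo "error: no token Secret found for ServiceAccount $USER in namespace $NAMESPACE" >&2
  exit 1
fi

token=$(kubectl describe secret "$tokenName" -n "$NAMESPACE" | awk '/token:/ {print $2}')
if [[ -z "$token" ]]; then
  echo "error: Secret $tokenName in namespace $NAMESPACE holds no token" >&2
  exit 1
fi

# Get cluster info from the admin kubeconfig currently in use
clusterCA=$(kubectl config view --flatten --minify | awk '/certificate-authority-data:/ {print $2}')
if [[ -z "$clusterCA" ]]; then
  # Without CA data the generated kubeconfig could not verify the API server.
  echo "error: current kubeconfig has no certificate-authority-data" >&2
  exit 1
fi

# First "name:" entry only; awk reads the whole input so the upstream kubectl
# is never cut off mid-write under pipefail.
clusterName=$(kubectl config view --flatten --minify | awk '/name:/ && !seen {print $2; seen = 1}')
if [[ -z "$clusterName" ]]; then
  echo "error: could not determine the cluster name from the current kubeconfig" >&2
  exit 1
fi

# Create role and role bindings.
# NOTE(review): this Role allows every verb on every namespaced resource in
# $NAMESPACE. That includes Secrets, Roles/RoleBindings and the ResourceQuota
# created below, so the account can read any credential stored in the
# namespace and can raise or delete its own quota. Narrow apiGroups/resources/
# verbs if the quota is meant to be enforced against this user.
cat <<EOF | kubectl apply -f -
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ${USER}-role
  namespace: $NAMESPACE
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ${USER}-rolebinding
  namespace: $NAMESPACE
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ${USER}-role
subjects:
- namespace: $NAMESPACE
  kind: ServiceAccount
  name: ${USER}
EOF

# Create quota
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: List
items:
- apiVersion: v1
  kind: ResourceQuota
  metadata:
    name: quota
    namespace: $NAMESPACE
  spec:
    hard:
      cpu: $QUOTA_CPU
      memory: $QUOTA_MEM
      pods: $QUOTA_PODS_NUM
EOF

# Generate kubeconfig.
# The file carries the bearer token, so create it owner-only (umask) and also
# tighten the mode afterwards in case a file of that name already existed.
umask 077
cat <<EOF > "$KUBECONFIG_NAME"
apiVersion: v1
kind: Config
users:
- name: $USER
  user:
    token: $token
clusters:
- cluster:
    certificate-authority-data: $clusterCA
    server: $APISERVER_ADDRESS
  name: $clusterName
contexts:
- context:
    cluster: $clusterName
    user: $USER
  name: ${USER}-context
current-context: ${USER}-context
EOF
chmod 600 "$KUBECONFIG_NAME"

echo "Congratulations! The kubeconfig file is generated at $KUBECONFIG_NAME"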