
kubeapps创建用户

景凌
2023-12-01

创建用户脚本:

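#!/usr/bin/env bash
# Create a namespaced Kubernetes user for Kubeapps.
#
# Usage: create_user.sh <user-name> <namespace>
#   $1 - user name; also used as the ServiceAccount, Role and RoleBinding name
#   $2 - namespace; created when it does not exist yet
#
# Environment (optional):
#   KUBEAPPS_NAMESPACE     namespace Kubeapps is installed in (default: kubeapps)
#   KUBEAPPS_RELEASE_NAME  Kubeapps release name, prefix of the
#                          *-repositories-read/write roles (default: kubeapps)
#   TOKEN_FILE             where the ServiceAccount token is written
#                          (default: /tmp/token)
#
# Outputs: prints the ServiceAccount token to stdout and writes it to TOKEN_FILE.
# Returns: non-zero when an argument contains '_', when the ServiceAccount has no
#          token secret, or when any kubectl step fails.
set -euo pipefail

die() { printf '%s\n' "$*" >&2; exit 1; }

(( $# == 2 )) || die "Usage: ${0##*/} <user-name> <namespace>"
user=$1
ns=$2

# The two names are joined with '-' into rolebinding names below, and '_' is
# not a valid character in Kubernetes object names, so reject it up front.
if [[ "$user" == *_* ]]; then
  die "Name cannot contain '_', $user"
fi
if [[ "$ns" == *_* ]]; then
  die "Namespace cannot contain '_', $ns"
fi

export KUBEAPPS_NAMESPACE=${KUBEAPPS_NAMESPACE:-kubeapps}
export KUBEAPPS_RELEASE_NAME=${KUBEAPPS_RELEASE_NAME:-kubeapps}
token_file=${TOKEN_FILE:-/tmp/token}

# The manifest goes to a private temp file rather than a fixed name in /tmp,
# and is removed on every exit path.
manifest=$(mktemp) || die "mktemp failed"
cleanup() { rm -f -- "$manifest"; }
trap cleanup EXIT

# Re-running for an existing namespace must not abort the script under set -e,
# so only create the namespace when it is missing.
if ! kubectl get namespace "$ns" >/dev/null 2>&1; then
  kubectl create namespace "$ns"
fi
kubectl create serviceaccount "$user" -n "$ns"

# NOTE(review): this Role grants full write access to secrets and to roles
# inside the namespace, so whoever holds the token below can read every secret
# there. Trim the rules to what the intended workflow actually needs.
cat >"$manifest" <<EOF
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: $user
  namespace: $ns
rules:
- apiGroups: [""]
  resources: ["pods","services"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: ["extensions", "apps"]
  resources: ["deployments"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: ["apps"]
  resources: ["replicasets","daemonsets","statefulsets"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: [""]
  resources: ["events"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: [""]
  resources: ["configmaps","persistentvolumeclaims","secrets","replicationcontrollers"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: ["batch"]
  resources: ["cronjobs","jobs"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: ["extensions"]
  resources: ["ingresses"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: [""]
  resources: ["namespaces","nodes"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["rbac.authorization.k8s.io"]
  resources: ["roles","clusterroles"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: $user
  namespace: $ns
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: $user
subjects:
- kind: ServiceAccount
  name: $user
  namespace: $ns
EOF

kubectl create -f "$manifest"

# Kubeapps: let the ServiceAccount manage app repositories in the Kubeapps namespace.
kubectl create -n "$KUBEAPPS_NAMESPACE" rolebinding "${user}-${ns}-kubeapps-repositories-write" \
  --role="${KUBEAPPS_RELEASE_NAME}-repositories-write" \
  --serviceaccount "${ns}:${user}"

kubectl create -n "$KUBEAPPS_NAMESPACE" rolebinding "${user}-${ns}-kubeapps-repositories-read" \
  --role="${KUBEAPPS_RELEASE_NAME}-repositories-read" \
  --serviceaccount "${ns}:${user}"

# Read the token from the ServiceAccount's token secret. An empty secret name
# is reported here instead of being passed on to 'kubectl get secret'.
# NOTE(review): on clusters that do not auto-create ServiceAccount token secrets,
# .secrets is empty and this step fails — confirm against the target cluster.
secret_name=$(kubectl get serviceaccount "$user" -n "$ns" -o jsonpath='{.secrets[0].name}')
[[ -n "$secret_name" ]] || die "ServiceAccount $user in $ns has no token secret"
token=$(kubectl get secret "$secret_name" -n "$ns" -o jsonpath='{.data.token}' | base64 --decode)

printf '%s\n' "$token"

# The token is a bearer credential: recreate the file so it is readable by the
# owner only, instead of inheriting the default umask of a shared /tmp.
rm -f -- "$token_file"
( umask 077; printf '%s\n' "$token" >"$token_file" )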

删除用户脚本:

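#!/usr/bin/env bash
# Remove a Kubeapps user created by the companion create script.
#
# Usage: delete_user.sh <user-name> <namespace>
#   $1 - user name (ServiceAccount, Role and RoleBinding name)
#   $2 - namespace; the namespace itself is left in place
#
# Environment (optional):
#   KUBEAPPS_NAMESPACE     namespace Kubeapps is installed in (default: kubeapps)
#   KUBEAPPS_RELEASE_NAME  exported for parity with the create script; the
#                          rolebinding names below do not use it
#
# Returns: non-zero when an argument contains '_' or a kubectl call fails for a
#          reason other than the object already being gone.
set -euo pipefail

die() { printf '%s\n' "$*" >&2; exit 1; }

(( $# == 2 )) || die "Usage: ${0##*/} <user-name> <namespace>"
user=$1
ns=$2

# Same check as the create script: '_' never appears in a name it produced.
if [[ "$user" == *_* ]]; then
  die "Name cannot contain '_', $user"
fi
if [[ "$ns" == *_* ]]; then
  die "Namespace cannot contain '_', $ns"
fi

export KUBEAPPS_NAMESPACE=${KUBEAPPS_NAMESPACE:-kubeapps}
export KUBEAPPS_RELEASE_NAME=${KUBEAPPS_RELEASE_NAME:-kubeapps}

# --ignore-not-found keeps the best-effort behaviour: every resource that exists
# is removed, and one object that is already gone does not stop the rest.
kubectl delete rolebinding "$user" -n "$ns" --ignore-not-found
kubectl delete role "$user" -n "$ns" --ignore-not-found
kubectl delete serviceaccount "$user" -n "$ns" --ignore-not-found

# Kubeapps: drop the repository rolebindings the create script added.
kubectl delete -n "$KUBEAPPS_NAMESPACE" rolebinding "${user}-${ns}-kubeapps-repositories-write" --ignore-not-found
kubectl delete -n "$KUBEAPPS_NAMESPACE" rolebinding "${user}-${ns}-kubeapps-repositories-read" --ignore-not-found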

 
