Skip to main content
Astra Control Service
所有云提供商
  • Amazon Web Services
  • Google Cloud
  • Microsoft Azure
  • 所有云提供商
简体中文版经机器翻译而成,仅供参考。如与英语版出现任何冲突,应以英语版为准。

创建kubeconfig文件

贡献者

您可以使用kubeconfig"文件将集群添加到Astra Control Service。根据要添加的集群类型、您可能需要使用特定步骤为集群手动创建kubeconfigfile文件。

为Amazon EKS集群创建kubeconfig.文件

按照以下说明为Amazon EKS集群创建kubeconfigfile文件和永久令牌密钥。EKS中托管的集群需要永久令牌密钥。

步骤
  1. 按照亚马逊文档中的说明生成kubeconfig:

  2. 按如下所示创建服务帐户:

    1. 创建名为的服务帐户文件 astracontrol-service-account.yaml

      根据需要调整服务帐户名称。命名空间 kube-system 这些步骤需要。如果您在此处更改了服务帐户名称、则应在以下步骤中应用相同的更改。

    astracontrol-service-account.yaml

    +

    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: astra-admin-account
      namespace: kube-system
  3. 应用服务帐户:

    kubectl apply -f astracontrol-service-account.yaml
  4. 创建 ClusterRoleBinding 文件已调用 astracontrol-clusterrolebinding.yaml

    astracontrol-clusterrolebinding.yaml
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: astra-admin-binding
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: cluster-admin
    subjects:
    - kind: ServiceAccount
      name: astra-admin-account
      namespace: kube-system
  5. 应用集群角色绑定:

    kubectl apply -f astracontrol-clusterrolebinding.yaml
  6. 创建名为的服务帐户令牌机密文件 astracontrol-secret.yaml

    astracontrol-secret.yaml
    apiVersion: v1
    kind: Secret
    metadata:
      annotations:
        kubernetes.io/service-account.name: astra-admin-account
      name: astra-admin-account
      namespace: kube-system
    type: kubernetes.io/service-account-token
  7. 应用令牌密钥:

    kubectl apply -f astracontrol-secret.yaml
  8. 检索令牌密钥:

    kubectl get secret astra-admin-account -n kube-system -o jsonpath='{.data.token}' | base64 -d
  9. 更换 user 部分的AWS EKS kubeconfigconfig文件以及令牌、如以下示例所示:

    user:
        token: k8s-aws-v1.aHR0cHM6Ly9zdHMudXMtd2VzdC0yLmFtYXpvbmF3cy5jb20vP0FjdGlvbj1HZXRDYWxsZXJJZGVudGl0eSZWZXJzaW9uPTIwMTEtMDYtMTUmWC1BbXotQWxnb3JpdGhtPUFXUzQtSE1BQy1TSEEyNTYmWC1BbXotQ3JlZGVudGlhbD1BS0lBM1JEWDdKU0haWU9LSEQ2SyUyRjIwMjMwNDAzJTJGdXMtd2VzdC0yJTJGc3RzJTJGYXdzNF9yZXF1ZXN0JlgtQW16LURhdGU9MjAyMzA0MDNUMjA0MzQwWiZYLUFtei1FeHBpcmVzPTYwJlgtQW16LVNpZ25lZEhlYWRlcnM9aG9zdCUzQngtazhzLWF3cy1pZCZYLUFtei1TaWduYXR1cmU9YjU4ZWM0NzdiM2NkZGYxNGRhNzU4MGI2ZWQ2zY2NzI2YWIwM2UyNThjMjRhNTJjNmVhNjc4MTRlNjJkOTg2Mg

为AWS (ROSA)集群上的Red Hat OpenShift Service创建一个kubeconfigfile文件

按照以下说明为Red Hat OpenShift Service on AWS (ROSA)集群创建kubeconfigTM文件。

步骤
  1. 登录到ROSA集群。

  2. 创建服务帐户:

    oc create sa astracontrol-service-account
  3. 添加集群角色:

    oc adm policy add-cluster-role-to-user cluster-admin -z astracontrol-service-account
  4. 使用以下示例、创建一个服务帐户机密配置文件:

    secret-astra-sa.yaml
    apiVersion: v1
    kind: Secret
    metadata:
      name: secret-astracontrol-service-account
      annotations:
        kubernetes.io/service-account.name: "astracontrol-service-account"
    type: kubernetes.io/service-account-token
  5. 创建密钥:

    oc create -f secret-astra-sa.yaml
  6. 编辑您创建的服务帐户、并将Astra Control服务帐户机密名称添加到中 secrets 部分。

    oc edit sa astracontrol-service-account
    apiVersion: v1
    imagePullSecrets:
    - name: astracontrol-service-account-dockercfg-dvfcd
    kind: ServiceAccount
    metadata:
      creationTimestamp: "2023-08-04T04:18:30Z"
      name: astracontrol-service-account
      namespace: default
      resourceVersion: "169770"
      uid: 965fa151-923f-4fbd-9289-30cad15998ac
    secrets:
    - name: astracontrol-service-account-dockercfg-dvfcd
    - name: secret-astracontrol-service-account ####ADD THIS ONLY####
  7. 列出服务帐户密码、替换 <CONTEXT> 使用适用于您的安装的正确环境:

    kubectl get serviceaccount astracontrol-service-account --context <CONTEXT> --namespace default -o json

    输出的结尾应类似于以下内容:

    "secrets": [
    { "name": "astracontrol-service-account-dockercfg-dvfcd"},
    { "name": "secret-astracontrol-service-account"}
    ]

    中每个元素的索引 secrets 阵列以0开头。在上面的示例中、是的索引 astracontrol-service-account-dockercfg-dvfcd 将为0、并为创建索引 secret-astracontrol-service-account 将为1。在输出中、记下服务帐户密钥的索引编号。在下一步中、您将需要此索引编号。

  8. 按如下所示生成 kubeconfig :

    1. 创建 create-kubeconfig.sh 文件替换 TOKEN_INDEX 在以下脚本的开头、使用正确的值。

      create-kubeconfig.sh
      # Update these to match your environment.
      # Replace TOKEN_INDEX with the correct value
      # from the output in the previous step. If you
      # didn't change anything else above, don't change
      # anything else here.
      
      SERVICE_ACCOUNT_NAME=astracontrol-service-account
      NAMESPACE=default
      NEW_CONTEXT=astracontrol
      KUBECONFIG_FILE='kubeconfig-sa'
      
      CONTEXT=$(kubectl config current-context)
      
      SECRET_NAME=$(kubectl get serviceaccount ${SERVICE_ACCOUNT_NAME} \
        --context ${CONTEXT} \
        --namespace ${NAMESPACE} \
        -o jsonpath='{.secrets[TOKEN_INDEX].name}')
      TOKEN_DATA=$(kubectl get secret ${SECRET_NAME} \
        --context ${CONTEXT} \
        --namespace ${NAMESPACE} \
        -o jsonpath='{.data.token}')
      
      TOKEN=$(echo ${TOKEN_DATA} | base64 -d)
      
      # Create dedicated kubeconfig
      # Create a full copy
      kubectl config view --raw > ${KUBECONFIG_FILE}.full.tmp
      
      # Switch working context to correct context
      kubectl --kubeconfig ${KUBECONFIG_FILE}.full.tmp config use-context ${CONTEXT}
      
      # Minify
      kubectl --kubeconfig ${KUBECONFIG_FILE}.full.tmp \
        config view --flatten --minify > ${KUBECONFIG_FILE}.tmp
      
      # Rename context
      kubectl config --kubeconfig ${KUBECONFIG_FILE}.tmp \
        rename-context ${CONTEXT} ${NEW_CONTEXT}
      
      # Create token user
      kubectl config --kubeconfig ${KUBECONFIG_FILE}.tmp \
        set-credentials ${CONTEXT}-${NAMESPACE}-token-user \
        --token ${TOKEN}
      
      # Set context to use token user
      kubectl config --kubeconfig ${KUBECONFIG_FILE}.tmp \
        set-context ${NEW_CONTEXT} --user ${CONTEXT}-${NAMESPACE}-token-user
      
      # Set context to correct namespace
      kubectl config --kubeconfig ${KUBECONFIG_FILE}.tmp \
        set-context ${NEW_CONTEXT} --namespace ${NAMESPACE}
      
      # Flatten/minify kubeconfig
      kubectl config --kubeconfig ${KUBECONFIG_FILE}.tmp \
        view --flatten --minify > ${KUBECONFIG_FILE}
      
      # Remove tmp
      rm ${KUBECONFIG_FILE}.full.tmp
      rm ${KUBECONFIG_FILE}.tmp
    2. 获取用于将其应用于 Kubernetes 集群的命令。

      source create-kubeconfig.sh
  9. (可选)将kubeconfig重命名为集群的有意义名称。

    mv kubeconfig-sa YOUR_CLUSTER_NAME_kubeconfig

为其他类型的集群创建kubeconfig.文件

按照以下说明为然彻集群、上游Kubernetes集群和Red Hat OpenShift集群创建有限或扩展的角色kubeconconfig文件。

对于使用kubeconfig"管理的集群、您可以选择为Astra Control Service创建有限权限或扩展权限管理员角色。

如果您适用场景的环境发生以下任一情况、则此操作步骤可帮助您创建一个单独的kubeconfig:

  • 您希望限制Astra Control对其管理的集群的权限

  • 您使用多个环境、并且不能使用在安装期间配置的默认Asta Control kubeconfig,否则在您的环境中使用单一环境的有限角色将不起作用

开始之前

在完成操作步骤 步骤之前、请确保您对要管理的集群具有以下信息:

  • "支持的版本" 已安装kubeck.

  • 对要使用Astra Control Service添加和管理的集群的kubect访问权限

    备注 对于此操作步骤、您不需要对运行Astra控制服务的集群进行kubect访问。
  • 要使用活动环境的集群管理员权限管理的集群的活动kubeconfig

步骤
  1. 创建服务帐户:

    1. 创建名为的服务帐户文件 astracontrol-service-account.yaml

      astracontrol-service-account.yaml
      apiVersion: v1
      kind: ServiceAccount
      metadata:
        name: astracontrol-service-account
        namespace: default
    2. 应用服务帐户:

      kubectl apply -f astracontrol-service-account.yaml
  2. 创建以下具有足够权限的集群角色之一、以使集群由Astra Control管理:

    集群角色受限

    此角色包含由Asta Control管理集群所需的最低权限:

    1. 创建 ClusterRole 文件、例如、 astra-admin-account.yaml

      astra-admin-account.yaml
      apiVersion: rbac.authorization.k8s.io/v1
      kind: ClusterRole
      metadata:
        name: astra-admin-account
      rules:
      
      # Get, List, Create, and Update all resources
      # Necessary to backup and restore all resources in an app
      - apiGroups:
        - '*'
        resources:
        - '*'
        verbs:
        - get
        - list
        - create
        - patch
      
      # Delete Resources
      # Necessary for in-place restore and AppMirror failover
      - apiGroups:
        - ""
        - apps
        - autoscaling
        - batch
        - crd.projectcalico.org
        - extensions
        - networking.k8s.io
        - policy
        - rbac.authorization.k8s.io
        - snapshot.storage.k8s.io
        - trident.netapp.io
        resources:
        - configmaps
        - cronjobs
        - daemonsets
        - deployments
        - horizontalpodautoscalers
        - ingresses
        - jobs
        - namespaces
        - networkpolicies
        - persistentvolumeclaims
        - poddisruptionbudgets
        - pods
        - podtemplates
        - replicasets
        - replicationcontrollers
        - replicationcontrollers/scale
        - rolebindings
        - roles
        - secrets
        - serviceaccounts
        - services
        - statefulsets
        - tridentmirrorrelationships
        - tridentsnapshotinfos
        - volumesnapshots
        - volumesnapshotcontents
        verbs:
        - delete
      
      # Watch resources
      # Necessary to monitor progress
      - apiGroups:
        - ""
        resources:
        - pods
        - replicationcontrollers
        - replicationcontrollers/scale
        verbs:
        - watch
      
      # Update resources
      - apiGroups:
        - ""
        - build.openshift.io
        - image.openshift.io
        resources:
        - builds/details
        - replicationcontrollers
        - replicationcontrollers/scale
        - imagestreams/layers
        - imagestreamtags
        - imagetags
        verbs:
        - update
    2. (仅适用于OpenShift集群)在末尾附加以下内容 astra-admin-account.yaml 文件:

      # OpenShift security
      - apiGroups:
        - security.openshift.io
        resources:
        - securitycontextconstraints
        verbs:
        - use
        - update
    3. 应用集群角色:

      kubectl apply -f astra-admin-account.yaml
    已扩展集群角色

    此角色包含要由Asta Control管理的集群的扩展权限。如果您使用多个环境,并且无法使用在安装期间配置的默认Asta Control kubeconfig,则可以使用此角色,否则在您的环境中,只使用一个环境的有限角色将不起作用:

    备注 以下内容 ClusterRole 步骤是一个常规Kubbernetes示例。有关特定于您的环境的说明、请参见Kubennetes分发版的文档。
    1. 创建 ClusterRole 文件、例如、 astra-admin-account.yaml

      astra-admin-account.yaml
      apiVersion: rbac.authorization.k8s.io/v1
      kind: ClusterRole
      metadata:
        name: astra-admin-account
      rules:
      - apiGroups:
        - '*'
        resources:
        - '*'
        verbs:
        - '*'
      - nonResourceURLs:
        - '*'
        verbs:
        - '*'
    2. 应用集群角色:

      kubectl apply -f astra-admin-account.yaml
  3. 为集群角色创建与服务帐户的集群角色绑定:

    1. 创建 ClusterRoleBinding 文件已调用 astracontrol-clusterrolebinding.yaml

      astracontrol-clusterrolebinding.yaml
      apiVersion: rbac.authorization.k8s.io/v1
      kind: ClusterRoleBinding
      metadata:
        name: astracontrol-admin
      roleRef:
        apiGroup: rbac.authorization.k8s.io
        kind: ClusterRole
        name: astra-admin-account
      subjects:
      - kind: ServiceAccount
        name: astracontrol-service-account
        namespace: default
    2. 应用集群角色绑定:

      kubectl apply -f astracontrol-clusterrolebinding.yaml
  4. 创建并应用令牌密钥:

    1. 创建名为的令牌机密文件 secret-astracontrol-service-account.yaml

      secret-astracontrol-service-account.yaml
      apiVersion: v1
      kind: Secret
      metadata:
        name: secret-astracontrol-service-account
        namespace: default
        annotations:
          kubernetes.io/service-account.name: "astracontrol-service-account"
      type: kubernetes.io/service-account-token
    2. 应用令牌密钥:

      kubectl apply -f secret-astracontrol-service-account.yaml
  5. 通过将令牌密钥名称添加到、将其添加到服务帐户 secrets 数组(以下示例中的最后一行):

    kubectl edit sa astracontrol-service-account
    apiVersion: v1
    imagePullSecrets:
    - name: astracontrol-service-account-dockercfg-48xhx
    kind: ServiceAccount
    metadata:
      annotations:
        kubectl.kubernetes.io/last-applied-configuration: |
          {"apiVersion":"v1","kind":"ServiceAccount","metadata":{"annotations":{},"name":"astracontrol-service-account","namespace":"default"}}
      creationTimestamp: "2023-06-14T15:25:45Z"
      name: astracontrol-service-account
      namespace: default
      resourceVersion: "2767069"
      uid: 2ce068c4-810e-4a96-ada3-49cbf9ec3f89
    secrets:
    - name: astracontrol-service-account-dockercfg-48xhx
    - name: secret-astracontrol-service-account
  6. 列出服务帐户密码、替换 <context> 使用适用于您的安装的正确环境:

    kubectl get serviceaccount astracontrol-service-account --context <context> --namespace default -o json

    输出的结尾应类似于以下内容:

    "secrets": [
    { "name": "astracontrol-service-account-dockercfg-48xhx"},
    { "name": "secret-astracontrol-service-account"}
    ]

    中每个元素的索引 secrets 阵列以0开头。在上面的示例中、是的索引 astracontrol-service-account-dockercfg-48xhx 将为0、并为创建索引 secret-astracontrol-service-account 将为1。在输出中、记下服务帐户密钥的索引编号。在下一步中、您将需要此索引编号。

  7. 按如下所示生成 kubeconfig :

    1. 创建 create-kubeconfig.sh 文件

    2. 替换 TOKEN_INDEX 在以下脚本的开头、使用正确的值。

      create-kubeconfig.sh
      # Update these to match your environment.
      # Replace TOKEN_INDEX with the correct value
      # from the output in the previous step. If you
      # didn't change anything else above, don't change
      # anything else here.
      
      SERVICE_ACCOUNT_NAME=astracontrol-service-account
      NAMESPACE=default
      NEW_CONTEXT=astracontrol
      KUBECONFIG_FILE='kubeconfig-sa'
      
      CONTEXT=$(kubectl config current-context)
      
      SECRET_NAME=$(kubectl get serviceaccount ${SERVICE_ACCOUNT_NAME} \
        --context ${CONTEXT} \
        --namespace ${NAMESPACE} \
        -o jsonpath='{.secrets[TOKEN_INDEX].name}')
      TOKEN_DATA=$(kubectl get secret ${SECRET_NAME} \
        --context ${CONTEXT} \
        --namespace ${NAMESPACE} \
        -o jsonpath='{.data.token}')
      
      TOKEN=$(echo ${TOKEN_DATA} | base64 -d)
      
      # Create dedicated kubeconfig
      # Create a full copy
      kubectl config view --raw > ${KUBECONFIG_FILE}.full.tmp
      
      # Switch working context to correct context
      kubectl --kubeconfig ${KUBECONFIG_FILE}.full.tmp config use-context ${CONTEXT}
      
      # Minify
      kubectl --kubeconfig ${KUBECONFIG_FILE}.full.tmp \
        config view --flatten --minify > ${KUBECONFIG_FILE}.tmp
      
      # Rename context
      kubectl config --kubeconfig ${KUBECONFIG_FILE}.tmp \
        rename-context ${CONTEXT} ${NEW_CONTEXT}
      
      # Create token user
      kubectl config --kubeconfig ${KUBECONFIG_FILE}.tmp \
        set-credentials ${CONTEXT}-${NAMESPACE}-token-user \
        --token ${TOKEN}
      
      # Set context to use token user
      kubectl config --kubeconfig ${KUBECONFIG_FILE}.tmp \
        set-context ${NEW_CONTEXT} --user ${CONTEXT}-${NAMESPACE}-token-user
      
      # Set context to correct namespace
      kubectl config --kubeconfig ${KUBECONFIG_FILE}.tmp \
        set-context ${NEW_CONTEXT} --namespace ${NAMESPACE}
      
      # Flatten/minify kubeconfig
      kubectl config --kubeconfig ${KUBECONFIG_FILE}.tmp \
        view --flatten --minify > ${KUBECONFIG_FILE}
      
      # Remove tmp
      rm ${KUBECONFIG_FILE}.full.tmp
      rm ${KUBECONFIG_FILE}.tmp
    3. 获取用于将其应用于 Kubernetes 集群的命令。

      source create-kubeconfig.sh
  8. (可选)将kubeconfig重命名为集群的有意义名称。

    mv kubeconfig-sa YOUR_CLUSTER_NAME_kubeconfig