Skip to main content
Astra Control Service
所有云提供商
  • Amazon Web Services
  • Google Cloud
  • Microsoft Azure
  • 所有云提供商
简体中文版经机器翻译而成,仅供参考。如与英语版出现任何冲突,应以英语版为准。

创建kubeconfig文件

贡献者
PDF

您可以使用kubeconfig"文件将集群添加到Astra Control Service。根据要添加的集群类型、您可能需要使用特定步骤为集群手动创建kubeconfigfile文件。

为Amazon EKS集群创建kubeconfig.文件

按照以下说明为Amazon EKS集群创建kubeconfigfile文件和永久令牌密钥。EKS中托管的集群需要永久令牌密钥。

步骤

  1. 按照亚马逊文档中的说明生成kubeconfig:

    "为Amazon EKS集群创建或更新kubeconconfig文件"

  2. 按如下所示创建服务帐户:

    1. 创建名为的服务帐户文件 astracontrol-service-account.yaml

      根据需要调整服务帐户名称。命名空间 kube-system 这些步骤需要。如果您在此处更改了服务帐户名称、则应在以下步骤中应用相同的更改。

    astracontrol-service-account.yaml

    +

    apiVersion: v1
kind: ServiceAccount
metadata:
  name: astra-admin-account
  namespace: kube-system

  3. 应用服务帐户:

    kubectl apply -f astracontrol-service-account.yaml

  4. 创建 ClusterRoleBinding 文件已调用 astracontrol-clusterrolebinding.yaml

    astracontrol-clusterrolebinding.yaml
    apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: astra-admin-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: astra-admin-account
  namespace: kube-system

  5. 应用集群角色绑定:

    kubectl apply -f astracontrol-clusterrolebinding.yaml

  6. 创建名为的服务帐户令牌机密文件 astracontrol-secret.yaml

    astracontrol-secret.yaml
    apiVersion: v1
kind: Secret
metadata:
  annotations:
    kubernetes.io/service-account.name: astra-admin-account
  name: astra-admin-account
  namespace: kube-system
type: kubernetes.io/service-account-token

  7. 应用令牌密钥:

    kubectl apply -f astracontrol-secret.yaml

  8. 检索令牌密钥:

    kubectl get secret astra-admin-account -n kube-system -o jsonpath='{.data.token}' | base64 -d

  9. 更换 user 部分的AWS EKS kubeconfigconfig文件以及令牌、如以下示例所示:

    user:
    token: k8s-aws-v1.aHR0cHM6Ly9zdHMudXMtd2VzdC0yLmFtYXpvbmF3cy5jb20vP0FjdGlvbj1HZXRDYWxsZXJJZGVudGl0eSZWZXJzaW9uPTIwMTEtMDYtMTUmWC1BbXotQWxnb3JpdGhtPUFXUzQtSE1BQy1TSEEyNTYmWC1BbXotQ3JlZGVudGlhbD1BS0lBM1JEWDdKU0haWU9LSEQ2SyUyRjIwMjMwNDAzJTJGdXMtd2VzdC0yJTJGc3RzJTJGYXdzNF9yZXF1ZXN0JlgtQW16LURhdGU9MjAyMzA0MDNUMjA0MzQwWiZYLUFtei1FeHBpcmVzPTYwJlgtQW16LVNpZ25lZEhlYWRlcnM9aG9zdCUzQngtazhzLWF3cy1pZCZYLUFtei1TaWduYXR1cmU9YjU4ZWM0NzdiM2NkZGYxNGRhNzU4MGI2ZWQ2zY2NzI2YWIwM2UyNThjMjRhNTJjNmVhNjc4MTRlNjJkOTg2Mg

为AWS (ROSA)集群上的Red Hat OpenShift Service创建一个kubeconfigfile文件

按照以下说明为Red Hat OpenShift Service on AWS (ROSA)集群创建kubeconfigTM文件。

步骤

  1. 登录到ROSA集群。

  2. 创建服务帐户:

    oc create sa astracontrol-service-account

  3. 添加集群角色:

    oc adm policy add-cluster-role-to-user cluster-admin -z astracontrol-service-account

  4. 使用以下示例、创建一个服务帐户机密配置文件:

    secret-astra-sa.yaml
    apiVersion: v1
kind: Secret
metadata:
  name: secret-astracontrol-service-account
  annotations:
    kubernetes.io/service-account.name: "astracontrol-service-account"
type: kubernetes.io/service-account-token

  5. 创建密钥:

    oc create -f secret-astra-sa.yaml

  6. 编辑您创建的服务帐户、并将Astra Control服务帐户机密名称添加到中 secrets 部分。

    oc edit sa astracontrol-service-account
    apiVersion: v1
imagePullSecrets:
- name: astracontrol-service-account-dockercfg-dvfcd
kind: ServiceAccount
metadata:
  creationTimestamp: "2023-08-04T04:18:30Z"
  name: astracontrol-service-account
  namespace: default
  resourceVersion: "169770"
  uid: 965fa151-923f-4fbd-9289-30cad15998ac
secrets:
- name: astracontrol-service-account-dockercfg-dvfcd
- name: secret-astracontrol-service-account ####ADD THIS ONLY####

  7. 列出服务帐户密码、替换 <CONTEXT> 使用适用于您的安装的正确环境:

    kubectl get serviceaccount astracontrol-service-account --context <CONTEXT> --namespace default -o json

    输出的结尾应类似于以下内容:

    "secrets": [
{ "name": "astracontrol-service-account-dockercfg-dvfcd"},
{ "name": "secret-astracontrol-service-account"}
]

    中每个元素的索引 secrets 阵列以0开头。在上面的示例中、是的索引 astracontrol-service-account-dockercfg-dvfcd 将为0、并为创建索引 secret-astracontrol-service-account 将为1。在输出中、记下服务帐户密钥的索引编号。在下一步中、您将需要此索引编号。

  8. 按如下所示生成 kubeconfig :

    1. 创建 create-kubeconfig.sh 文件替换 TOKEN_INDEX 在以下脚本的开头、使用正确的值。

      create-kubeconfig.sh
      # Update these to match your environment.
# Replace TOKEN_INDEX with the correct value
# from the output in the previous step. If you
# didn't change anything else above, don't change
# anything else here.

SERVICE_ACCOUNT_NAME=astracontrol-service-account
NAMESPACE=default
NEW_CONTEXT=astracontrol
KUBECONFIG_FILE='kubeconfig-sa'

CONTEXT=$(kubectl config current-context)

SECRET_NAME=$(kubectl get serviceaccount ${SERVICE_ACCOUNT_NAME} \
  --context ${CONTEXT} \
  --namespace ${NAMESPACE} \
  -o jsonpath='{.secrets[TOKEN_INDEX].name}')
TOKEN_DATA=$(kubectl get secret ${SECRET_NAME} \
  --context ${CONTEXT} \
  --namespace ${NAMESPACE} \
  -o jsonpath='{.data.token}')

TOKEN=$(echo ${TOKEN_DATA} | base64 -d)

# Create dedicated kubeconfig
# Create a full copy
kubectl config view --raw > ${KUBECONFIG_FILE}.full.tmp

# Switch working context to correct context
kubectl --kubeconfig ${KUBECONFIG_FILE}.full.tmp config use-context ${CONTEXT}

# Minify
kubectl --kubeconfig ${KUBECONFIG_FILE}.full.tmp \
  config view --flatten --minify > ${KUBECONFIG_FILE}.tmp

# Rename context
kubectl config --kubeconfig ${KUBECONFIG_FILE}.tmp \
  rename-context ${CONTEXT} ${NEW_CONTEXT}

# Create token user
kubectl config --kubeconfig ${KUBECONFIG_FILE}.tmp \
  set-credentials ${CONTEXT}-${NAMESPACE}-token-user \
  --token ${TOKEN}

# Set context to use token user
kubectl config --kubeconfig ${KUBECONFIG_FILE}.tmp \
  set-context ${NEW_CONTEXT} --user ${CONTEXT}-${NAMESPACE}-token-user

# Set context to correct namespace
kubectl config --kubeconfig ${KUBECONFIG_FILE}.tmp \
  set-context ${NEW_CONTEXT} --namespace ${NAMESPACE}

# Flatten/minify kubeconfig
kubectl config --kubeconfig ${KUBECONFIG_FILE}.tmp \
  view --flatten --minify > ${KUBECONFIG_FILE}

# Remove tmp
rm ${KUBECONFIG_FILE}.full.tmp
rm ${KUBECONFIG_FILE}.tmp

    2. 获取用于将其应用于 Kubernetes 集群的命令。

      source create-kubeconfig.sh

  9. (可选)将kubeconfig重命名为集群的有意义名称。

    mv kubeconfig-sa YOUR_CLUSTER_NAME_kubeconfig

为其他类型的集群创建kubeconfig.文件

按照以下说明为然彻集群、上游Kubernetes集群和Red Hat OpenShift集群创建有限或扩展的角色kubeconconfig文件。

对于使用kubeconfig"管理的集群、您可以选择为Astra Control Service创建有限权限或扩展权限管理员角色。

如果您适用场景的环境发生以下任一情况、则此操作步骤可帮助您创建一个单独的kubeconfig:

  • 您希望限制Astra Control对其管理的集群的权限

  • 您使用多个环境、并且不能使用在安装期间配置的默认Asta Control kubeconfig,否则在您的环境中使用单一环境的有限角色将不起作用

开始之前

在完成操作步骤 步骤之前、请确保您对要管理的集群具有以下信息:

  • "支持的版本" 已安装kubeck.

  • 对要使用Astra Control Service添加和管理的集群的kubect访问权限

    备注 对于此操作步骤、您不需要对运行Astra控制服务的集群进行kubect访问。

  • 要使用活动环境的集群管理员权限管理的集群的活动kubeconfig

步骤

  1. 创建服务帐户:

    1. 创建名为的服务帐户文件 astracontrol-service-account.yaml

      astracontrol-service-account.yaml
      apiVersion: v1
kind: ServiceAccount
metadata:
  name: astracontrol-service-account
  namespace: default

    2. 应用服务帐户:

      kubectl apply -f astracontrol-service-account.yaml

  2. 创建以下具有足够权限的集群角色之一、以使集群由Astra Control管理:

    集群角色受限

    此角色包含由Asta Control管理集群所需的最低权限:

    1. 创建 ClusterRole 文件、例如、 astra-admin-account.yaml

      astra-admin-account.yaml
      apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: astra-admin-account
rules:

# Get, List, Create, and Update all resources
# Necessary to backup and restore all resources in an app
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - get
  - list
  - create
  - patch

# Delete Resources
# Necessary for in-place restore and AppMirror failover
- apiGroups:
  - ""
  - apps
  - autoscaling
  - batch
  - crd.projectcalico.org
  - extensions
  - networking.k8s.io
  - policy
  - rbac.authorization.k8s.io
  - snapshot.storage.k8s.io
  - trident.netapp.io
  resources:
  - configmaps
  - cronjobs
  - daemonsets
  - deployments
  - horizontalpodautoscalers
  - ingresses
  - jobs
  - namespaces
  - networkpolicies
  - persistentvolumeclaims
  - poddisruptionbudgets
  - pods
  - podtemplates
  - replicasets
  - replicationcontrollers
  - replicationcontrollers/scale
  - rolebindings
  - roles
  - secrets
  - serviceaccounts
  - services
  - statefulsets
  - tridentmirrorrelationships
  - tridentsnapshotinfos
  - volumesnapshots
  - volumesnapshotcontents
  verbs:
  - delete

# Watch resources
# Necessary to monitor progress
- apiGroups:
  - ""
  resources:
  - pods
  - replicationcontrollers
  - replicationcontrollers/scale
  verbs:
  - watch

# Update resources
- apiGroups:
  - ""
  - build.openshift.io
  - image.openshift.io
  resources:
  - builds/details
  - replicationcontrollers
  - replicationcontrollers/scale
  - imagestreams/layers
  - imagestreamtags
  - imagetags
  verbs:
  - update

    2. (仅适用于OpenShift集群)在末尾附加以下内容 astra-admin-account.yaml 文件:

      # OpenShift security
- apiGroups:
  - security.openshift.io
  resources:
  - securitycontextconstraints
  verbs:
  - use
  - update

    3. 应用集群角色:

      kubectl apply -f astra-admin-account.yaml
    已扩展集群角色

    此角色包含要由Asta Control管理的集群的扩展权限。如果您使用多个环境,并且无法使用在安装期间配置的默认Asta Control kubeconfig,则可以使用此角色,否则在您的环境中,只使用一个环境的有限角色将不起作用:

    备注 以下内容 ClusterRole 步骤是一个常规Kubbernetes示例。有关特定于您的环境的说明、请参见Kubennetes分发版的文档。

    1. 创建 ClusterRole 文件、例如、 astra-admin-account.yaml

      astra-admin-account.yaml
      apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: astra-admin-account
rules:
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - '*'
- nonResourceURLs:
  - '*'
  verbs:
  - '*'

    2. 应用集群角色:

      kubectl apply -f astra-admin-account.yaml

  3. 为集群角色创建与服务帐户的集群角色绑定:

    1. 创建 ClusterRoleBinding 文件已调用 astracontrol-clusterrolebinding.yaml

      astracontrol-clusterrolebinding.yaml
      apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: astracontrol-admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: astra-admin-account
subjects:
- kind: ServiceAccount
  name: astracontrol-service-account
  namespace: default

    2. 应用集群角色绑定:

      kubectl apply -f astracontrol-clusterrolebinding.yaml

  4. 创建并应用令牌密钥:

    1. 创建名为的令牌机密文件 secret-astracontrol-service-account.yaml

      secret-astracontrol-service-account.yaml
      apiVersion: v1
kind: Secret
metadata:
  name: secret-astracontrol-service-account
  namespace: default
  annotations:
    kubernetes.io/service-account.name: "astracontrol-service-account"
type: kubernetes.io/service-account-token

    2. 应用令牌密钥:

      kubectl apply -f secret-astracontrol-service-account.yaml

  5. 通过将令牌密钥名称添加到、将其添加到服务帐户 secrets 数组(以下示例中的最后一行):

    kubectl edit sa astracontrol-service-account
    apiVersion: v1
imagePullSecrets:
- name: astracontrol-service-account-dockercfg-48xhx
kind: ServiceAccount
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"v1","kind":"ServiceAccount","metadata":{"annotations":{},"name":"astracontrol-service-account","namespace":"default"}}
  creationTimestamp: "2023-06-14T15:25:45Z"
  name: astracontrol-service-account
  namespace: default
  resourceVersion: "2767069"
  uid: 2ce068c4-810e-4a96-ada3-49cbf9ec3f89
secrets:
- name: astracontrol-service-account-dockercfg-48xhx
- name: secret-astracontrol-service-account

  6. 列出服务帐户密码、替换 <context> 使用适用于您的安装的正确环境:

    kubectl get serviceaccount astracontrol-service-account --context <context> --namespace default -o json

    输出的结尾应类似于以下内容:

    "secrets": [
{ "name": "astracontrol-service-account-dockercfg-48xhx"},
{ "name": "secret-astracontrol-service-account"}
]

    中每个元素的索引 secrets 阵列以0开头。在上面的示例中、是的索引 astracontrol-service-account-dockercfg-48xhx 将为0、并为创建索引 secret-astracontrol-service-account 将为1。在输出中、记下服务帐户密钥的索引编号。在下一步中、您将需要此索引编号。

  7. 按如下所示生成 kubeconfig :

    1. 创建 create-kubeconfig.sh 文件

    2. 替换 TOKEN_INDEX 在以下脚本的开头、使用正确的值。

      create-kubeconfig.sh
      # Update these to match your environment.
# Replace TOKEN_INDEX with the correct value
# from the output in the previous step. If you
# didn't change anything else above, don't change
# anything else here.

SERVICE_ACCOUNT_NAME=astracontrol-service-account
NAMESPACE=default
NEW_CONTEXT=astracontrol
KUBECONFIG_FILE='kubeconfig-sa'

CONTEXT=$(kubectl config current-context)

SECRET_NAME=$(kubectl get serviceaccount ${SERVICE_ACCOUNT_NAME} \
  --context ${CONTEXT} \
  --namespace ${NAMESPACE} \
  -o jsonpath='{.secrets[TOKEN_INDEX].name}')
TOKEN_DATA=$(kubectl get secret ${SECRET_NAME} \
  --context ${CONTEXT} \
  --namespace ${NAMESPACE} \
  -o jsonpath='{.data.token}')

TOKEN=$(echo ${TOKEN_DATA} | base64 -d)

# Create dedicated kubeconfig
# Create a full copy
kubectl config view --raw > ${KUBECONFIG_FILE}.full.tmp

# Switch working context to correct context
kubectl --kubeconfig ${KUBECONFIG_FILE}.full.tmp config use-context ${CONTEXT}

# Minify
kubectl --kubeconfig ${KUBECONFIG_FILE}.full.tmp \
  config view --flatten --minify > ${KUBECONFIG_FILE}.tmp

# Rename context
kubectl config --kubeconfig ${KUBECONFIG_FILE}.tmp \
  rename-context ${CONTEXT} ${NEW_CONTEXT}

# Create token user
kubectl config --kubeconfig ${KUBECONFIG_FILE}.tmp \
  set-credentials ${CONTEXT}-${NAMESPACE}-token-user \
  --token ${TOKEN}

# Set context to use token user
kubectl config --kubeconfig ${KUBECONFIG_FILE}.tmp \
  set-context ${NEW_CONTEXT} --user ${CONTEXT}-${NAMESPACE}-token-user

# Set context to correct namespace
kubectl config --kubeconfig ${KUBECONFIG_FILE}.tmp \
  set-context ${NEW_CONTEXT} --namespace ${NAMESPACE}

# Flatten/minify kubeconfig
kubectl config --kubeconfig ${KUBECONFIG_FILE}.tmp \
  view --flatten --minify > ${KUBECONFIG_FILE}

# Remove tmp
rm ${KUBECONFIG_FILE}.full.tmp
rm ${KUBECONFIG_FILE}.tmp

    3. 获取用于将其应用于 Kubernetes 集群的命令。

      source create-kubeconfig.sh

  8. (可选)将kubeconfig重命名为集群的有意义名称。

    mv kubeconfig-sa YOUR_CLUSTER_NAME_kubeconfig