Astra Control Service
The Simplified Chinese version is produced by machine translation and is for reference only. In the event of any conflict with the English version, the English version prevails.

Create a kubeconfig file


You can add a cluster to Astra Control Service using a kubeconfig file. Depending on the type of cluster you want to add, you might need to follow specific steps to create a kubeconfig file for the cluster manually.

Create a kubeconfig file for an Amazon EKS cluster

Follow these instructions to create a kubeconfig file and a permanent token secret for an Amazon EKS cluster. A permanent token secret is required for clusters hosted in EKS.

Steps
  1. Generate a kubeconfig by following the instructions in the Amazon documentation.

  2. Create a service account as follows:

    1. Create a service account file named astracontrol-service-account.yaml

      Adjust the service account name as needed. The kube-system namespace is required for these steps. If you change the service account name here, apply the same change in the steps that follow.

    astracontrol-service-account.yaml


    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: astra-admin-account
      namespace: kube-system
  3. Apply the service account:

    kubectl apply -f astracontrol-service-account.yaml
  4. Create a ClusterRoleBinding file called astracontrol-clusterrolebinding.yaml

    astracontrol-clusterrolebinding.yaml
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: astra-admin-binding
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: cluster-admin
    subjects:
    - kind: ServiceAccount
      name: astra-admin-account
      namespace: kube-system
  5. Apply the cluster role binding:

    kubectl apply -f astracontrol-clusterrolebinding.yaml
  6. Create a service account token secret file named astracontrol-secret.yaml

    astracontrol-secret.yaml
    apiVersion: v1
    kind: Secret
    metadata:
      annotations:
        kubernetes.io/service-account.name: astra-admin-account
      name: astra-admin-account
      namespace: kube-system
    type: kubernetes.io/service-account-token
  7. Apply the token secret:

    kubectl apply -f astracontrol-secret.yaml
  8. Retrieve the token secret:

    kubectl get secret astra-admin-account -n kube-system -o jsonpath='{.data.token}' | base64 -d
  9. Replace the user section of the AWS EKS kubeconfig file with the token, as shown in the following example:

    user:
        token: k8s-aws-v1.aHR0cHM6Ly9zdHMudXMtd2VzdC0yLmFtYXpvbmF3cy5jb20vP0FjdGlvbj1HZXRDYWxsZXJJZGVudGl0eSZWZXJzaW9uPTIwMTEtMDYtMTUmWC1BbXotQWxnb3JpdGhtPUFXUzQtSE1BQy1TSEEyNTYmWC1BbXotQ3JlZGVudGlhbD1BS0lBM1JEWDdKU0haWU9LSEQ2SyUyRjIwMjMwNDAzJTJGdXMtd2VzdC0yJTJGc3RzJTJGYXdzNF9yZXF1ZXN0JlgtQW16LURhdGU9MjAyMzA0MDNUMjA0MzQwWiZYLUFtei1FeHBpcmVzPTYwJlgtQW16LVNpZ25lZEhlYWRlcnM9aG9zdCUzQngtazhzLWF3cy1pZCZYLUFtei1TaWduYXR1cmU9YjU4ZWM0NzdiM2NkZGYxNGRhNzU4MGI2ZWQ2zY2NzI2YWIwM2UyNThjMjRhNTJjNmVhNjc4MTRlNjJkOTg2Mg
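Before pasting the retrieved token into the kubeconfig, it is worth confirming that the Secret actually holds a long-lived token for the intended service account: the token controller fills data.token asynchronously, so reading the Secret immediately after applying it can yield an empty value, and a token with an expiry would stop working later. The following Python script is an added example, not code from the Astra Control documentation; it inspects the JSON that `kubectl get secret ... -o json` returns and decodes the JWT claims without verifying the signature (only the API server can do that). The Secret and the JWT inside it are constructed for the example.

```python
import base64
import json


def _b64url(raw: bytes) -> str:
    """base64url without padding, as used for JWT segments."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed sample: the JSON that `kubectl get secret astra-admin-account -n kube-system -o json`
# returns once the token controller has filled the Secret. The JWT is fabricated for this example
# and carries no valid signature; it only reproduces the claim layout of a real SA token.
_FAKE_JWT = ".".join([
    _b64url(json.dumps({"alg": "RS256", "kid": "example-kid"}).encode()),
    _b64url(json.dumps({
        "iss": "kubernetes/serviceaccount",
        "kubernetes.io/serviceaccount/namespace": "kube-system",
        "kubernetes.io/serviceaccount/service-account.name": "astra-admin-account",
        "kubernetes.io/serviceaccount/secret.name": "astra-admin-account",
        "sub": "system:serviceaccount:kube-system:astra-admin-account",
    }).encode()),
    _b64url(b"not-a-real-signature"),
])

SAMPLE_SECRET = {
    "apiVersion": "v1",
    "kind": "Secret",
    "type": "kubernetes.io/service-account-token",
    "metadata": {
        "name": "astra-admin-account",
        "namespace": "kube-system",
        "annotations": {"kubernetes.io/service-account.name": "astra-admin-account"},
    },
    # Secret data is base64 on the wire, which is why the procedure pipes it through `base64 -d`
    "data": {"token": base64.b64encode(_FAKE_JWT.encode()).decode()},
}


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a JWT. The signature is NOT verified here:
    only the API server that issued the token can do that, so this is an
    inspection aid, not an authentication check."""
    segments = token.split(".")
    if len(segments) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    payload = segments[1] + "=" * (-len(segments[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def inspect_token_secret(secret: dict, expected_sa: str, expected_ns: str) -> dict:
    """Check that a Secret holds a permanent token for the expected service account.
    Returns {"ok": bool, "problems": [...], "claims": dict or None}."""
    problems = []
    if secret.get("type") != "kubernetes.io/service-account-token":
        problems.append(f"type is {secret.get('type')!r}, not kubernetes.io/service-account-token")
    token_b64 = secret.get("data", {}).get("token")
    if not token_b64:
        # The token controller populates data.token after the Secret is created;
        # reading it too early yields an empty token and a kubeconfig that cannot authenticate.
        problems.append("data.token is empty; the token controller has not populated it yet")
        return {"ok": False, "problems": problems, "claims": None}
    claims = decode_jwt_claims(base64.b64decode(token_b64).decode())
    expected_sub = f"system:serviceaccount:{expected_ns}:{expected_sa}"
    if claims.get("sub") != expected_sub:
        problems.append(f"subject is {claims.get('sub')!r}, expected {expected_sub!r}")
    if "exp" in claims:
        # Secret-backed SA tokens have no expiry; a bound (TokenRequest) token does and
        # would stop working when it expires, so it is not the permanent token EKS needs here.
        problems.append("token has an exp claim, so it is not a permanent token")
    return {"ok": not problems, "problems": problems, "claims": claims}


if __name__ == "__main__":
    result = inspect_token_secret(SAMPLE_SECRET, "astra-admin-account", "kube-system")
    print(json.dumps(result, indent=2))
```

To run it against a live cluster, feed the script the output of `kubectl get secret astra-admin-account -n kube-system -o json` instead of SAMPLE_SECRET; an `ok` of false with an "empty" problem simply means to wait a moment and retrieve the Secret again.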

Create a kubeconfig file for a Red Hat OpenShift Service on AWS (ROSA) cluster

Follow these instructions to create a kubeconfig file for a Red Hat OpenShift Service on AWS (ROSA) cluster.

Steps
  1. Log in to the ROSA cluster.

  2. Create a service account:

    oc create sa astracontrol-service-account
  3. Add the cluster role:

    oc adm policy add-cluster-role-to-user cluster-admin -z astracontrol-service-account
  4. Create a service account secret configuration file using the following example:

    secret-astra-sa.yaml
    apiVersion: v1
    kind: Secret
    metadata:
      name: secret-astracontrol-service-account
      annotations:
        kubernetes.io/service-account.name: "astracontrol-service-account"
    type: kubernetes.io/service-account-token
  5. Create the secret:

    oc create -f secret-astra-sa.yaml
  6. Edit the service account you created and add the name of the Astra Control service account secret to the secrets section.

    oc edit sa astracontrol-service-account
    apiVersion: v1
    imagePullSecrets:
    - name: astracontrol-service-account-dockercfg-dvfcd
    kind: ServiceAccount
    metadata:
      creationTimestamp: "2023-08-04T04:18:30Z"
      name: astracontrol-service-account
      namespace: default
      resourceVersion: "169770"
      uid: 965fa151-923f-4fbd-9289-30cad15998ac
    secrets:
    - name: astracontrol-service-account-dockercfg-dvfcd
    - name: secret-astracontrol-service-account ####ADD THIS ONLY####
  7. List the service account secrets, replacing <CONTEXT> with the correct context for your installation:

    kubectl get serviceaccount astracontrol-service-account --context <CONTEXT> --namespace default -o json

    The end of the output should look similar to the following:

    "secrets": [
    { "name": "astracontrol-service-account-dockercfg-dvfcd"},
    { "name": "secret-astracontrol-service-account"}
    ]

    The index of each element in the secrets array starts at 0. In the example above, the index of astracontrol-service-account-dockercfg-dvfcd is 0 and the index of the secret-astracontrol-service-account you created is 1. Note the index number of the service account token secret in the output; you will need it in the next step.

  8. Generate the kubeconfig as follows:

    1. Create a create-kubeconfig.sh file, replacing TOKEN_INDEX at the beginning of the following script with the correct value.

      create-kubeconfig.sh
      # Update these to match your environment.
      # Replace TOKEN_INDEX with the correct value
      # from the output in the previous step. If you
      # didn't change anything else above, don't change
      # anything else here.
      
      SERVICE_ACCOUNT_NAME=astracontrol-service-account
      NAMESPACE=default
      NEW_CONTEXT=astracontrol
      KUBECONFIG_FILE='kubeconfig-sa'
      
      CONTEXT=$(kubectl config current-context)
      
      SECRET_NAME=$(kubectl get serviceaccount ${SERVICE_ACCOUNT_NAME} \
        --context ${CONTEXT} \
        --namespace ${NAMESPACE} \
        -o jsonpath='{.secrets[TOKEN_INDEX].name}')
      TOKEN_DATA=$(kubectl get secret ${SECRET_NAME} \
        --context ${CONTEXT} \
        --namespace ${NAMESPACE} \
        -o jsonpath='{.data.token}')
      
      TOKEN=$(echo ${TOKEN_DATA} | base64 -d)
      
      # Create dedicated kubeconfig
      # Create a full copy
      kubectl config view --raw > ${KUBECONFIG_FILE}.full.tmp
      
      # Switch working context to correct context
      kubectl --kubeconfig ${KUBECONFIG_FILE}.full.tmp config use-context ${CONTEXT}
      
      # Minify
      kubectl --kubeconfig ${KUBECONFIG_FILE}.full.tmp \
        config view --flatten --minify > ${KUBECONFIG_FILE}.tmp
      
      # Rename context
      kubectl config --kubeconfig ${KUBECONFIG_FILE}.tmp \
        rename-context ${CONTEXT} ${NEW_CONTEXT}
      
      # Create token user
      kubectl config --kubeconfig ${KUBECONFIG_FILE}.tmp \
        set-credentials ${CONTEXT}-${NAMESPACE}-token-user \
        --token ${TOKEN}
      
      # Set context to use token user
      kubectl config --kubeconfig ${KUBECONFIG_FILE}.tmp \
        set-context ${NEW_CONTEXT} --user ${CONTEXT}-${NAMESPACE}-token-user
      
      # Set context to correct namespace
      kubectl config --kubeconfig ${KUBECONFIG_FILE}.tmp \
        set-context ${NEW_CONTEXT} --namespace ${NAMESPACE}
      
      # Flatten/minify kubeconfig
      kubectl config --kubeconfig ${KUBECONFIG_FILE}.tmp \
        view --flatten --minify > ${KUBECONFIG_FILE}
      
      # Remove tmp
      rm ${KUBECONFIG_FILE}.full.tmp
      rm ${KUBECONFIG_FILE}.tmp
    2. Source the script to apply the commands to the Kubernetes cluster.

      source create-kubeconfig.sh
  9. (Optional) Rename the kubeconfig to a meaningful name for the cluster.

    mv kubeconfig-sa YOUR_CLUSTER_NAME_kubeconfig

Create a kubeconfig file for other types of clusters

Follow these instructions to create a limited-role or extended-role kubeconfig file for Rancher clusters, upstream Kubernetes clusters, and Red Hat OpenShift clusters.

For clusters managed using a kubeconfig, you can optionally create a limited-permission or extended-permission administrator role for Astra Control Service.

This procedure helps you create a separate kubeconfig if either of the following scenarios applies to your environment:

  • You want to limit the permissions Astra Control has on the clusters it manages

  • You use multiple contexts and cannot use the default Astra Control kubeconfig configured during installation, or a limited role with a single context will not work in your environment

Before you begin

Before completing the steps of this procedure, make sure you have the following for the cluster you want to manage:

  • A supported version of kubectl installed

  • kubectl access to the cluster you intend to add and manage with Astra Control Service

    Note: For this procedure, you do not need kubectl access to the cluster that is running Astra Control Service.
  • An active kubeconfig for the cluster you intend to manage, with cluster administrator permissions for the active context

Steps
  1. Create a service account:

    1. Create a service account file named astracontrol-service-account.yaml

      astracontrol-service-account.yaml
      apiVersion: v1
      kind: ServiceAccount
      metadata:
        name: astracontrol-service-account
        namespace: default
    2. Apply the service account:

      kubectl apply -f astracontrol-service-account.yaml
  2. Create one of the following cluster roles with sufficient permissions for the cluster to be managed by Astra Control:

    Limited cluster role

    This role contains the minimum permissions needed for a cluster to be managed by Astra Control:

    1. Create a ClusterRole file, for example, astra-admin-account.yaml

      astra-admin-account.yaml
      apiVersion: rbac.authorization.k8s.io/v1
      kind: ClusterRole
      metadata:
        name: astra-admin-account
      rules:
      
      # Get, List, Create, and Update all resources
      # Necessary to backup and restore all resources in an app
      - apiGroups:
        - '*'
        resources:
        - '*'
        verbs:
        - get
        - list
        - create
        - patch
      
      # Delete Resources
      # Necessary for in-place restore and AppMirror failover
      - apiGroups:
        - ""
        - apps
        - autoscaling
        - batch
        - crd.projectcalico.org
        - extensions
        - networking.k8s.io
        - policy
        - rbac.authorization.k8s.io
        - snapshot.storage.k8s.io
        - trident.netapp.io
        resources:
        - configmaps
        - cronjobs
        - daemonsets
        - deployments
        - horizontalpodautoscalers
        - ingresses
        - jobs
        - namespaces
        - networkpolicies
        - persistentvolumeclaims
        - poddisruptionbudgets
        - pods
        - podtemplates
        - replicasets
        - replicationcontrollers
        - replicationcontrollers/scale
        - rolebindings
        - roles
        - secrets
        - serviceaccounts
        - services
        - statefulsets
        - tridentmirrorrelationships
        - tridentsnapshotinfos
        - volumesnapshots
        - volumesnapshotcontents
        verbs:
        - delete
      
      # Watch resources
      # Necessary to monitor progress
      - apiGroups:
        - ""
        resources:
        - pods
        - replicationcontrollers
        - replicationcontrollers/scale
        verbs:
        - watch
      
      # Update resources
      - apiGroups:
        - ""
        - build.openshift.io
        - image.openshift.io
        resources:
        - builds/details
        - replicationcontrollers
        - replicationcontrollers/scale
        - imagestreams/layers
        - imagestreamtags
        - imagetags
        verbs:
        - update
    2. (OpenShift clusters only) Append the following to the end of the astra-admin-account.yaml file:

      # OpenShift security
      - apiGroups:
        - security.openshift.io
        resources:
        - securitycontextconstraints
        verbs:
        - use
        - update
    3. Apply the cluster role:

      kubectl apply -f astra-admin-account.yaml
    Extended cluster role

    This role contains extended permissions for a cluster to be managed by Astra Control. You can use this role if you use multiple contexts and cannot use the default Astra Control kubeconfig configured during installation, or if a limited role with a single context will not work in your environment:

    Note: The following ClusterRole steps are a generic Kubernetes example. For instructions specific to your environment, refer to the documentation for your Kubernetes distribution.
    1. Create a ClusterRole file, for example, astra-admin-account.yaml

      astra-admin-account.yaml
      apiVersion: rbac.authorization.k8s.io/v1
      kind: ClusterRole
      metadata:
        name: astra-admin-account
      rules:
      - apiGroups:
        - '*'
        resources:
        - '*'
        verbs:
        - '*'
      - nonResourceURLs:
        - '*'
        verbs:
        - '*'
    2. Apply the cluster role:

      kubectl apply -f astra-admin-account.yaml
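Choosing between the limited and the extended role is easier when you can see exactly which requests each one permits. The following Python script is an added example, not part of the Astra Control documentation: it encodes the two ClusterRoles above as rule lists (the limited role's delete list is abridged here; the page's list is longer) and evaluates requests against them using the same matching the API server applies to RBAC PolicyRules, including the `*/subresource` form. The request tuples are constructed for the example; on a live cluster `kubectl auth can-i` answers the same questions.

```python
# Rule lists mirror the ClusterRole YAML in this section. The limited role's
# delete rule is abridged to a subset of the resources the page lists.
LIMITED_ROLE_RULES = [
    # Get, List, Create, and Patch on all resources in all API groups
    {"apiGroups": ["*"], "resources": ["*"], "verbs": ["get", "list", "create", "patch"]},
    # Delete on an explicit list of resources (abridged)
    {"apiGroups": ["", "apps", "batch", "networking.k8s.io", "snapshot.storage.k8s.io"],
     "resources": ["configmaps", "deployments", "jobs", "namespaces", "networkpolicies",
                   "persistentvolumeclaims", "pods", "secrets", "volumesnapshots"],
     "verbs": ["delete"]},
    # Watch on a few core resources
    {"apiGroups": [""],
     "resources": ["pods", "replicationcontrollers", "replicationcontrollers/scale"],
     "verbs": ["watch"]},
    # Update on a few resources
    {"apiGroups": ["", "build.openshift.io", "image.openshift.io"],
     "resources": ["builds/details", "replicationcontrollers", "replicationcontrollers/scale",
                   "imagestreams/layers", "imagestreamtags", "imagetags"],
     "verbs": ["update"]},
]

EXTENDED_ROLE_RULES = [
    {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
    {"nonResourceURLs": ["*"], "verbs": ["*"]},
]


def resource_matches(rule_resources, requested):
    """Resource matching as the API server does it: '*' matches anything,
    an exact name (including 'resource/subresource') matches itself, and
    '*/sub' matches that subresource on any resource."""
    if "*" in rule_resources or requested in rule_resources:
        return True
    if "/" in requested:
        _, sub = requested.split("/", 1)
        return f"*/{sub}" in rule_resources
    return False


def rule_allows(rule, api_group, resource, verb):
    """Does one PolicyRule grant `verb` on `resource` in `api_group`?
    Rules with nonResourceURLs cover URL paths such as /healthz, never resources."""
    if "nonResourceURLs" in rule:
        return False
    group_ok = "*" in rule["apiGroups"] or api_group in rule["apiGroups"]
    verb_ok = "*" in rule["verbs"] or verb in rule["verbs"]
    return group_ok and verb_ok and resource_matches(rule["resources"], resource)


def role_allows(rules, api_group, resource, verb):
    """A ClusterRole is the union of its rules: any matching rule grants access."""
    return any(rule_allows(r, api_group, resource, verb) for r in rules)


def wildcard_rules(rules):
    """Rules that use '*' for apiGroups, resources and verbs at once, i.e. the
    cluster-admin-equivalent grants a reviewer looks for first."""
    return [r for r in rules
            if "*" in r.get("apiGroups", []) and "*" in r.get("resources", [])
            and "*" in r["verbs"]]


def compare_roles(requests):
    """Map each (api_group, resource, verb) to (limited_allows, extended_allows)."""
    return {req: (role_allows(LIMITED_ROLE_RULES, *req), role_allows(EXTENDED_ROLE_RULES, *req))
            for req in requests}


if __name__ == "__main__":
    # Constructed sample requests; "" is the core API group
    sample = [("", "pods", "watch"), ("", "secrets", "watch"),
              ("", "secrets", "delete"), ("", "nodes", "delete"),
              ("rbac.authorization.k8s.io", "clusterrolebindings", "create")]
    for req, (limited, extended) in compare_roles(sample).items():
        print(req, "limited:", limited, "extended:", extended)
    print("wildcard rules in extended role:", len(wildcard_rules(EXTENDED_ROLE_RULES)))
```

The comparison makes the word "limited" concrete: the limited role restricts delete, watch and update to named resources, but its first rule still grants get, list, create and patch on every resource in every API group, which is worth keeping in mind when deciding which role to bind and which clusters to expose through this kubeconfig.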
  3. Create a cluster role binding that binds the cluster role to the service account:

    1. Create a ClusterRoleBinding file called astracontrol-clusterrolebinding.yaml

      astracontrol-clusterrolebinding.yaml
      apiVersion: rbac.authorization.k8s.io/v1
      kind: ClusterRoleBinding
      metadata:
        name: astracontrol-admin
      roleRef:
        apiGroup: rbac.authorization.k8s.io
        kind: ClusterRole
        name: astra-admin-account
      subjects:
      - kind: ServiceAccount
        name: astracontrol-service-account
        namespace: default
    2. Apply the cluster role binding:

      kubectl apply -f astracontrol-clusterrolebinding.yaml
  4. Create and apply the token secret:

    1. Create a token secret file named secret-astracontrol-service-account.yaml

      secret-astracontrol-service-account.yaml
      apiVersion: v1
      kind: Secret
      metadata:
        name: secret-astracontrol-service-account
        namespace: default
        annotations:
          kubernetes.io/service-account.name: "astracontrol-service-account"
      type: kubernetes.io/service-account-token
    2. Apply the token secret:

      kubectl apply -f secret-astracontrol-service-account.yaml
  5. Add the token secret name to the secrets array of the service account (the last line in the following example):

    kubectl edit sa astracontrol-service-account
    apiVersion: v1
    imagePullSecrets:
    - name: astracontrol-service-account-dockercfg-48xhx
    kind: ServiceAccount
    metadata:
      annotations:
        kubectl.kubernetes.io/last-applied-configuration: |
          {"apiVersion":"v1","kind":"ServiceAccount","metadata":{"annotations":{},"name":"astracontrol-service-account","namespace":"default"}}
      creationTimestamp: "2023-06-14T15:25:45Z"
      name: astracontrol-service-account
      namespace: default
      resourceVersion: "2767069"
      uid: 2ce068c4-810e-4a96-ada3-49cbf9ec3f89
    secrets:
    - name: astracontrol-service-account-dockercfg-48xhx
    - name: secret-astracontrol-service-account
  6. List the service account secrets, replacing <context> with the correct context for your installation:

    kubectl get serviceaccount astracontrol-service-account --context <context> --namespace default -o json

    The end of the output should look similar to the following:

    "secrets": [
    { "name": "astracontrol-service-account-dockercfg-48xhx"},
    { "name": "secret-astracontrol-service-account"}
    ]

    The index of each element in the secrets array starts at 0. In the example above, the index of astracontrol-service-account-dockercfg-48xhx is 0 and the index of the secret-astracontrol-service-account you created is 1. Note the index number of the service account token secret in the output; you will need it in the next step.

  7. Generate the kubeconfig as follows:

    1. Create a create-kubeconfig.sh file

    2. Replace TOKEN_INDEX at the beginning of the following script with the correct value.

      create-kubeconfig.sh
      # Update these to match your environment.
      # Replace TOKEN_INDEX with the correct value
      # from the output in the previous step. If you
      # didn't change anything else above, don't change
      # anything else here.
      
      SERVICE_ACCOUNT_NAME=astracontrol-service-account
      NAMESPACE=default
      NEW_CONTEXT=astracontrol
      KUBECONFIG_FILE='kubeconfig-sa'
      
      CONTEXT=$(kubectl config current-context)
      
      SECRET_NAME=$(kubectl get serviceaccount ${SERVICE_ACCOUNT_NAME} \
        --context ${CONTEXT} \
        --namespace ${NAMESPACE} \
        -o jsonpath='{.secrets[TOKEN_INDEX].name}')
      TOKEN_DATA=$(kubectl get secret ${SECRET_NAME} \
        --context ${CONTEXT} \
        --namespace ${NAMESPACE} \
        -o jsonpath='{.data.token}')
      
      TOKEN=$(echo ${TOKEN_DATA} | base64 -d)
      
      # Create dedicated kubeconfig
      # Create a full copy
      kubectl config view --raw > ${KUBECONFIG_FILE}.full.tmp
      
      # Switch working context to correct context
      kubectl --kubeconfig ${KUBECONFIG_FILE}.full.tmp config use-context ${CONTEXT}
      
      # Minify
      kubectl --kubeconfig ${KUBECONFIG_FILE}.full.tmp \
        config view --flatten --minify > ${KUBECONFIG_FILE}.tmp
      
      # Rename context
      kubectl config --kubeconfig ${KUBECONFIG_FILE}.tmp \
        rename-context ${CONTEXT} ${NEW_CONTEXT}
      
      # Create token user
      kubectl config --kubeconfig ${KUBECONFIG_FILE}.tmp \
        set-credentials ${CONTEXT}-${NAMESPACE}-token-user \
        --token ${TOKEN}
      
      # Set context to use token user
      kubectl config --kubeconfig ${KUBECONFIG_FILE}.tmp \
        set-context ${NEW_CONTEXT} --user ${CONTEXT}-${NAMESPACE}-token-user
      
      # Set context to correct namespace
      kubectl config --kubeconfig ${KUBECONFIG_FILE}.tmp \
        set-context ${NEW_CONTEXT} --namespace ${NAMESPACE}
      
      # Flatten/minify kubeconfig
      kubectl config --kubeconfig ${KUBECONFIG_FILE}.tmp \
        view --flatten --minify > ${KUBECONFIG_FILE}
      
      # Remove tmp
      rm ${KUBECONFIG_FILE}.full.tmp
      rm ${KUBECONFIG_FILE}.tmp
    3. Source the script to apply the commands to the Kubernetes cluster.

      source create-kubeconfig.sh
  8. (Optional) Rename the kubeconfig to a meaningful name for the cluster.

    mv kubeconfig-sa YOUR_CLUSTER_NAME_kubeconfig
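Both this procedure (step 6) and the ROSA procedure (step 7) have you read the index of the token secret out of the service account's secrets array by eye and paste it into create-kubeconfig.sh as TOKEN_INDEX. If the wrong index is used, the script's jsonpath chain silently picks the dockercfg secret, which has no data.token, and the resulting kubeconfig carries an empty token. The following Python script is an added example, not part of the Astra Control documentation: it derives TOKEN_INDEX from the same `kubectl ... -o json` output, requires that the candidate is a kubernetes.io/service-account-token annotated for the service account with data.token already populated, and shows what each index would yield. The ServiceAccount and Secret JSON are constructed for the example.

```python
import base64
import json

# Constructed sample: abbreviated output of
#   kubectl get serviceaccount astracontrol-service-account --namespace default -o json
# with the secrets array in the order shown in the procedure (dockercfg first, token second).
SAMPLE_SA_JSON = json.dumps({
    "apiVersion": "v1",
    "kind": "ServiceAccount",
    "metadata": {"name": "astracontrol-service-account", "namespace": "default"},
    "imagePullSecrets": [{"name": "astracontrol-service-account-dockercfg-48xhx"}],
    "secrets": [
        {"name": "astracontrol-service-account-dockercfg-48xhx"},
        {"name": "secret-astracontrol-service-account"},
    ],
})

# Constructed sample: the two Secrets in the namespace as `kubectl get secrets -o json`
# lists them. "e30=" is base64 of "{}" and "ZXhhbXBsZQ==" is base64 of "example";
# a real token Secret carries a JWT there.
SAMPLE_SECRETS_JSON = json.dumps({"items": [
    {"metadata": {"name": "astracontrol-service-account-dockercfg-48xhx",
                  "annotations": {"kubernetes.io/service-account.name": "astracontrol-service-account"}},
     "type": "kubernetes.io/dockercfg",
     "data": {".dockercfg": "e30="}},
    {"metadata": {"name": "secret-astracontrol-service-account",
                  "annotations": {"kubernetes.io/service-account.name": "astracontrol-service-account"}},
     "type": "kubernetes.io/service-account-token",
     "data": {"token": "ZXhhbXBsZQ=="}},
]})


def find_token_index(sa_json, secrets_json, sa_name):
    """Return the TOKEN_INDEX create-kubeconfig.sh expects: the position in the
    ServiceAccount's secrets array of the one Secret that is a
    kubernetes.io/service-account-token annotated for this service account
    and already has data.token populated."""
    sa = json.loads(sa_json)
    by_name = {s["metadata"]["name"]: s for s in json.loads(secrets_json)["items"]}
    hits = []
    for idx, ref in enumerate(sa.get("secrets", [])):
        secret = by_name.get(ref["name"])
        if secret is None:
            continue  # dangling reference, e.g. a Secret that has been deleted
        annotated_for = secret["metadata"].get("annotations", {}).get("kubernetes.io/service-account.name")
        if (secret.get("type") == "kubernetes.io/service-account-token"
                and annotated_for == sa_name
                and secret.get("data", {}).get("token")):
            hits.append(idx)
    if len(hits) != 1:
        raise LookupError(f"expected exactly one usable token secret in the secrets array, found {len(hits)}; "
                          "add the token Secret's name to the ServiceAccount before running the script")
    return hits[0]


def token_at_index(sa_json, secrets_json, index):
    """Mimic what the script's jsonpath chain yields for a given TOKEN_INDEX:
    {.secrets[index].name}, then that Secret's {.data.token} decoded. Returns None
    where the script would end up with an empty token (index out of range, or an
    index that points at the dockercfg Secret)."""
    sa = json.loads(sa_json)
    try:
        name = sa["secrets"][index]["name"]
    except IndexError:
        return None
    by_name = {s["metadata"]["name"]: s for s in json.loads(secrets_json)["items"]}
    token_b64 = by_name.get(name, {}).get("data", {}).get("token")
    return base64.b64decode(token_b64).decode() if token_b64 else None


if __name__ == "__main__":
    idx = find_token_index(SAMPLE_SA_JSON, SAMPLE_SECRETS_JSON, "astracontrol-service-account")
    print(f"TOKEN_INDEX={idx}")                                    # 1 for the sample above
    print(token_at_index(SAMPLE_SA_JSON, SAMPLE_SECRETS_JSON, 0))  # None: dockercfg Secret has no token
```

On a live cluster, pass the script the output of `kubectl get serviceaccount ... -o json` and `kubectl get secrets -o json` for the namespace; a LookupError means the token Secret's name has not yet been added to the ServiceAccount's secrets array, which is exactly the situation in which create-kubeconfig.sh would otherwise produce a kubeconfig with an empty token.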