Astra Control Service

Create a kubeconfig file

You can use a kubeconfig file to add a cluster to Astra Control Service. Depending on the type of cluster you are adding, you might need to manually create a kubeconfig file for the cluster using specific steps.

Create a kubeconfig file for an Amazon EKS cluster

Follow these instructions to create a kubeconfig file and a permanent token secret for an Amazon EKS cluster. A permanent token secret is required for clusters hosted in EKS.

Steps
  1. Follow the instructions in the Amazon documentation to generate a kubeconfig file.

  2. Create a service account as follows:

    1. Create a service account file named astracontrol-service-account.yaml

      Adjust the service account name as needed. The kube-system namespace is required for these steps. If you change the service account name here, apply the same change in the following steps.

    astracontrol-service-account.yaml

    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: astra-admin-account
      namespace: kube-system
  3. Apply the service account:

    kubectl apply -f astracontrol-service-account.yaml
  4. Create a ClusterRoleBinding file called astracontrol-clusterrolebinding.yaml

    astracontrol-clusterrolebinding.yaml
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: astra-admin-binding
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: cluster-admin
    subjects:
    - kind: ServiceAccount
      name: astra-admin-account
      namespace: kube-system
  5. Apply the cluster role binding:

    kubectl apply -f astracontrol-clusterrolebinding.yaml
  6. Create a service account token secret file named astracontrol-secret.yaml

    astracontrol-secret.yaml
    apiVersion: v1
    kind: Secret
    metadata:
      annotations:
        kubernetes.io/service-account.name: astra-admin-account
      name: astra-admin-account
      namespace: kube-system
    type: kubernetes.io/service-account-token
  7. Apply the token secret:

    kubectl apply -f astracontrol-secret.yaml
  8. Retrieve the token secret:

    kubectl get secret astra-admin-account -n kube-system -o jsonpath='{.data.token}' | base64 -d
  9. Replace the user section of the AWS EKS kubeconfig file with the token, as shown in the following example:

    user:
        token: k8s-aws-v1.aHR0cHM6Ly9zdHMudXMtd2VzdC0yLmFtYXpvbmF3cy5jb20vP0FjdGlvbj1HZXRDYWxsZXJJZGVudGl0eSZWZXJzaW9uPTIwMTEtMDYtMTUmWC1BbXotQWxnb3JpdGhtPUFXUzQtSE1BQy1TSEEyNTYmWC1BbXotQ3JlZGVudGlhbD1BS0lBM1JEWDdKU0haWU9LSEQ2SyUyRjIwMjMwNDAzJTJGdXMtd2VzdC0yJTJGc3RzJTJGYXdzNF9yZXF1ZXN0JlgtQW16LURhdGU9MjAyMzA0MDNUMjA0MzQwWiZYLUFtei1FeHBpcmVzPTYwJlgtQW16LVNpZ25lZEhlYWRlcnM9aG9zdCUzQngtazhzLWF3cy1pZCZYLUFtei1TaWduYXR1cmU9YjU4ZWM0NzdiM2NkZGYxNGRhNzU4MGI2ZWQ2zY2NzI2YWIwM2UyNThjMjRhNTJjNmVhNjc4MTRlNjJkOTg2Mg

Create a kubeconfig file for a Red Hat OpenShift Service on AWS (ROSA) cluster

Follow these instructions to create a kubeconfig file for a Red Hat OpenShift Service on AWS (ROSA) cluster.

Steps
  1. Log in to the ROSA cluster.

  2. Create a service account:

    oc create sa astracontrol-service-account
  3. Add the cluster role:

    oc adm policy add-cluster-role-to-user cluster-admin -z astracontrol-service-account
  4. Create a service account secret configuration file using the following example:

    secret-astra-sa.yaml
    apiVersion: v1
    kind: Secret
    metadata:
      name: secret-astracontrol-service-account
      annotations:
        kubernetes.io/service-account.name: "astracontrol-service-account"
    type: kubernetes.io/service-account-token
  5. Create the secret:

    oc create -f secret-astra-sa.yaml
  6. Edit the service account you created and add the Astra Control service account secret name to the secrets section:

    oc edit sa astracontrol-service-account
    apiVersion: v1
    imagePullSecrets:
    - name: astracontrol-service-account-dockercfg-dvfcd
    kind: ServiceAccount
    metadata:
      creationTimestamp: "2023-08-04T04:18:30Z"
      name: astracontrol-service-account
      namespace: default
      resourceVersion: "169770"
      uid: 965fa151-923f-4fbd-9289-30cad15998ac
    secrets:
    - name: astracontrol-service-account-dockercfg-dvfcd
    - name: secret-astracontrol-service-account ####ADD THIS ONLY####
  7. List the service account secrets, replacing <CONTEXT> with the correct context for your installation:

    kubectl get serviceaccount astracontrol-service-account --context <CONTEXT> --namespace default -o json

    The end of the output should look similar to the following:

    "secrets": [
    { "name": "astracontrol-service-account-dockercfg-dvfcd"},
    { "name": "secret-astracontrol-service-account"}
    ]

    The index of each element in the secrets array starts at 0. In the example above, the index of astracontrol-service-account-dockercfg-dvfcd is 0 and the index of secret-astracontrol-service-account is 1. In your output, make a note of the index number of the service account secret. You will need this index number in the next step.

  8. Generate the kubeconfig as follows:

    1. Create the create-kubeconfig.sh file. Replace TOKEN_INDEX at the beginning of the following script with the correct value.

      create-kubeconfig.sh
      # Update these to match your environment.
      # Replace TOKEN_INDEX with the correct value
      # from the output in the previous step. If you
      # didn't change anything else above, don't change
      # anything else here.
      
      SERVICE_ACCOUNT_NAME=astracontrol-service-account
      NAMESPACE=default
      NEW_CONTEXT=astracontrol
      KUBECONFIG_FILE='kubeconfig-sa'
      
      CONTEXT=$(kubectl config current-context)
      
      SECRET_NAME=$(kubectl get serviceaccount ${SERVICE_ACCOUNT_NAME} \
        --context ${CONTEXT} \
        --namespace ${NAMESPACE} \
        -o jsonpath='{.secrets[TOKEN_INDEX].name}')
      TOKEN_DATA=$(kubectl get secret ${SECRET_NAME} \
        --context ${CONTEXT} \
        --namespace ${NAMESPACE} \
        -o jsonpath='{.data.token}')
      
      TOKEN=$(echo ${TOKEN_DATA} | base64 -d)
      
      # Create dedicated kubeconfig
      # Create a full copy
      kubectl config view --raw > ${KUBECONFIG_FILE}.full.tmp
      
      # Switch working context to correct context
      kubectl --kubeconfig ${KUBECONFIG_FILE}.full.tmp config use-context ${CONTEXT}
      
      # Minify
      kubectl --kubeconfig ${KUBECONFIG_FILE}.full.tmp \
        config view --flatten --minify > ${KUBECONFIG_FILE}.tmp
      
      # Rename context
      kubectl config --kubeconfig ${KUBECONFIG_FILE}.tmp \
        rename-context ${CONTEXT} ${NEW_CONTEXT}
      
      # Create token user
      kubectl config --kubeconfig ${KUBECONFIG_FILE}.tmp \
        set-credentials ${CONTEXT}-${NAMESPACE}-token-user \
        --token ${TOKEN}
      
      # Set context to use token user
      kubectl config --kubeconfig ${KUBECONFIG_FILE}.tmp \
        set-context ${NEW_CONTEXT} --user ${CONTEXT}-${NAMESPACE}-token-user
      
      # Set context to correct namespace
      kubectl config --kubeconfig ${KUBECONFIG_FILE}.tmp \
        set-context ${NEW_CONTEXT} --namespace ${NAMESPACE}
      
      # Flatten/minify kubeconfig
      kubectl config --kubeconfig ${KUBECONFIG_FILE}.tmp \
        view --flatten --minify > ${KUBECONFIG_FILE}
      
      # Remove tmp
      rm ${KUBECONFIG_FILE}.full.tmp
      rm ${KUBECONFIG_FILE}.tmp
    2. Source the script to apply it to the Kubernetes cluster.

      source create-kubeconfig.sh
  9. (Optional) Rename the kubeconfig to a meaningful name for your cluster.

    mv kubeconfig-sa YOUR_CLUSTER_NAME_kubeconfig

Create a kubeconfig file for other types of clusters

Follow these instructions to create a limited or expanded role kubeconfig file for Rancher, upstream Kubernetes, and Red Hat OpenShift clusters.

For clusters managed using a kubeconfig, you can optionally create a limited-permission or expanded-permission administrator role for Astra Control Service.

This procedure helps you create a separate kubeconfig if either of the following scenarios applies to your environment:

  • You want to limit the Astra Control permissions on the clusters it manages

  • You use multiple contexts and cannot use the default Astra Control kubeconfig configured during installation, or a limited role with a single context will not work in your environment

Before you begin

Before you complete the procedure steps, make sure that the cluster you want to manage has the following:

  • A supported version of kubectl installed.

  • Access to the cluster that you want to add and manage using Astra Control Service

    Note: For this procedure, you do not need kubectl access to the cluster that is running Astra Control Service.
  • An active kubeconfig for the cluster you want to manage, with cluster admin rights for the active context

Steps
  1. Create a service account:

    1. Create a service account file named astracontrol-service-account.yaml

      astracontrol-service-account.yaml
      apiVersion: v1
      kind: ServiceAccount
      metadata:
        name: astracontrol-service-account
        namespace: default
    2. Apply the service account:

      kubectl apply -f astracontrol-service-account.yaml
  2. Create one of the following cluster roles with sufficient permissions for the cluster to be managed by Astra Control:

    Limited cluster role

    This role contains the minimum permissions necessary for a cluster to be managed by Astra Control:

    1. Create a ClusterRole file called, for example, astra-admin-account.yaml

      astra-admin-account.yaml
      apiVersion: rbac.authorization.k8s.io/v1
      kind: ClusterRole
      metadata:
        name: astra-admin-account
      rules:
      
      # Get, List, Create, and Update all resources
      # Necessary to backup and restore all resources in an app
      - apiGroups:
        - '*'
        resources:
        - '*'
        verbs:
        - get
        - list
        - create
        - patch
      
      # Delete Resources
      # Necessary for in-place restore and AppMirror failover
      - apiGroups:
        - ""
        - apps
        - autoscaling
        - batch
        - crd.projectcalico.org
        - extensions
        - networking.k8s.io
        - policy
        - rbac.authorization.k8s.io
        - snapshot.storage.k8s.io
        - trident.netapp.io
        resources:
        - configmaps
        - cronjobs
        - daemonsets
        - deployments
        - horizontalpodautoscalers
        - ingresses
        - jobs
        - namespaces
        - networkpolicies
        - persistentvolumeclaims
        - poddisruptionbudgets
        - pods
        - podtemplates
        - replicasets
        - replicationcontrollers
        - replicationcontrollers/scale
        - rolebindings
        - roles
        - secrets
        - serviceaccounts
        - services
        - statefulsets
        - tridentmirrorrelationships
        - tridentsnapshotinfos
        - volumesnapshots
        - volumesnapshotcontents
        verbs:
        - delete
      
      # Watch resources
      # Necessary to monitor progress
      - apiGroups:
        - ""
        resources:
        - pods
        - replicationcontrollers
        - replicationcontrollers/scale
        verbs:
        - watch
      
      # Update resources
      - apiGroups:
        - ""
        - build.openshift.io
        - image.openshift.io
        resources:
        - builds/details
        - replicationcontrollers
        - replicationcontrollers/scale
        - imagestreams/layers
        - imagestreamtags
        - imagetags
        verbs:
        - update
    2. (OpenShift clusters only) Append the following to the end of the astra-admin-account.yaml file:

      # OpenShift security
      - apiGroups:
        - security.openshift.io
        resources:
        - securitycontextconstraints
        verbs:
        - use
        - update
    3. Apply the cluster role:

      kubectl apply -f astra-admin-account.yaml
    Expanded cluster role

    This role contains expanded permissions for a cluster to be managed by Astra Control. You can use this role if you use multiple contexts and cannot use the default Astra Control kubeconfig configured during installation, or if a limited role with a single context will not work in your environment:

    Note: The following ClusterRole steps are a general Kubernetes example. Refer to the documentation for your Kubernetes distribution for instructions specific to your environment.
    1. Create a ClusterRole file called, for example, astra-admin-account.yaml

      astra-admin-account.yaml
      apiVersion: rbac.authorization.k8s.io/v1
      kind: ClusterRole
      metadata:
        name: astra-admin-account
      rules:
      - apiGroups:
        - '*'
        resources:
        - '*'
        verbs:
        - '*'
      - nonResourceURLs:
        - '*'
        verbs:
        - '*'
    2. Apply the cluster role:

      kubectl apply -f astra-admin-account.yaml
  3. Create a cluster role binding that binds the cluster role to the service account:

    1. Create a ClusterRoleBinding file called astracontrol-clusterrolebinding.yaml

      astracontrol-clusterrolebinding.yaml
      apiVersion: rbac.authorization.k8s.io/v1
      kind: ClusterRoleBinding
      metadata:
        name: astracontrol-admin
      roleRef:
        apiGroup: rbac.authorization.k8s.io
        kind: ClusterRole
        name: astra-admin-account
      subjects:
      - kind: ServiceAccount
        name: astracontrol-service-account
        namespace: default
    2. Apply the cluster role binding:

      kubectl apply -f astracontrol-clusterrolebinding.yaml
  4. Create and apply the token secret:

    1. Create a token secret file called secret-astracontrol-service-account.yaml

      secret-astracontrol-service-account.yaml
      apiVersion: v1
      kind: Secret
      metadata:
        name: secret-astracontrol-service-account
        namespace: default
        annotations:
          kubernetes.io/service-account.name: "astracontrol-service-account"
      type: kubernetes.io/service-account-token
    2. Apply the token secret:

      kubectl apply -f secret-astracontrol-service-account.yaml
  5. Add the token secret to the service account by adding its name to the secrets array (the last line in the following example):

    kubectl edit sa astracontrol-service-account
    apiVersion: v1
    imagePullSecrets:
    - name: astracontrol-service-account-dockercfg-48xhx
    kind: ServiceAccount
    metadata:
      annotations:
        kubectl.kubernetes.io/last-applied-configuration: |
          {"apiVersion":"v1","kind":"ServiceAccount","metadata":{"annotations":{},"name":"astracontrol-service-account","namespace":"default"}}
      creationTimestamp: "2023-06-14T15:25:45Z"
      name: astracontrol-service-account
      namespace: default
      resourceVersion: "2767069"
      uid: 2ce068c4-810e-4a96-ada3-49cbf9ec3f89
    secrets:
    - name: astracontrol-service-account-dockercfg-48xhx
    - name: secret-astracontrol-service-account
  6. List the service account secrets, replacing <context> with the correct context for your installation:

    kubectl get serviceaccount astracontrol-service-account --context <context> --namespace default -o json

    The end of the output should look similar to the following:

    "secrets": [
    { "name": "astracontrol-service-account-dockercfg-48xhx"},
    { "name": "secret-astracontrol-service-account"}
    ]

    The index of each element in the secrets array starts at 0. In the example above, the index of astracontrol-service-account-dockercfg-48xhx is 0 and the index of secret-astracontrol-service-account is 1. In your output, make a note of the index number of the service account secret. You will need this index number in the next step.

  7. Generate the kubeconfig as follows:

    1. Create the create-kubeconfig.sh file:

    2. Replace TOKEN_INDEX at the beginning of the following script with the correct value.

      create-kubeconfig.sh
      # Update these to match your environment.
      # Replace TOKEN_INDEX with the correct value
      # from the output in the previous step. If you
      # didn't change anything else above, don't change
      # anything else here.
      
      SERVICE_ACCOUNT_NAME=astracontrol-service-account
      NAMESPACE=default
      NEW_CONTEXT=astracontrol
      KUBECONFIG_FILE='kubeconfig-sa'
      
      CONTEXT=$(kubectl config current-context)
      
      SECRET_NAME=$(kubectl get serviceaccount ${SERVICE_ACCOUNT_NAME} \
        --context ${CONTEXT} \
        --namespace ${NAMESPACE} \
        -o jsonpath='{.secrets[TOKEN_INDEX].name}')
      TOKEN_DATA=$(kubectl get secret ${SECRET_NAME} \
        --context ${CONTEXT} \
        --namespace ${NAMESPACE} \
        -o jsonpath='{.data.token}')
      
      TOKEN=$(echo ${TOKEN_DATA} | base64 -d)
      
      # Create dedicated kubeconfig
      # Create a full copy
      kubectl config view --raw > ${KUBECONFIG_FILE}.full.tmp
      
      # Switch working context to correct context
      kubectl --kubeconfig ${KUBECONFIG_FILE}.full.tmp config use-context ${CONTEXT}
      
      # Minify
      kubectl --kubeconfig ${KUBECONFIG_FILE}.full.tmp \
        config view --flatten --minify > ${KUBECONFIG_FILE}.tmp
      
      # Rename context
      kubectl config --kubeconfig ${KUBECONFIG_FILE}.tmp \
        rename-context ${CONTEXT} ${NEW_CONTEXT}
      
      # Create token user
      kubectl config --kubeconfig ${KUBECONFIG_FILE}.tmp \
        set-credentials ${CONTEXT}-${NAMESPACE}-token-user \
        --token ${TOKEN}
      
      # Set context to use token user
      kubectl config --kubeconfig ${KUBECONFIG_FILE}.tmp \
        set-context ${NEW_CONTEXT} --user ${CONTEXT}-${NAMESPACE}-token-user
      
      # Set context to correct namespace
      kubectl config --kubeconfig ${KUBECONFIG_FILE}.tmp \
        set-context ${NEW_CONTEXT} --namespace ${NAMESPACE}
      
      # Flatten/minify kubeconfig
      kubectl config --kubeconfig ${KUBECONFIG_FILE}.tmp \
        view --flatten --minify > ${KUBECONFIG_FILE}
      
      # Remove tmp
      rm ${KUBECONFIG_FILE}.full.tmp
      rm ${KUBECONFIG_FILE}.tmp
    3. Source the script to apply it to the Kubernetes cluster.

      source create-kubeconfig.sh
  8. (Optional) Rename the kubeconfig to a meaningful name for your cluster.

    mv kubeconfig-sa YOUR_CLUSTER_NAME_kubeconfig
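The following Python script is an added verification example, not part of the NetApp procedure or its tooling. It covers two points of the ROSA and other-cluster procedures above: it derives the TOKEN_INDEX that create-kubeconfig.sh needs from the JSON returned by `kubectl get serviceaccount ... -o json`, and it sanity-checks the generated kubeconfig (exported with `kubectl --kubeconfig kubeconfig-sa config view --raw -o json`) before it is handed to Astra Control Service: exactly one context and one user, no leftover exec or client-certificate credentials from the admin kubeconfig it was copied from, and a token whose claims name the expected service account and namespace. The sample inputs are constructed, the claim names are those carried by legacy kubernetes.io/service-account-token secrets, and the script only decodes the token; it does not verify its signature.

```python
import base64
import json

def _b64url(obj):  # JWT-style base64url without padding
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def jwt_claims(token):
    """Return a JWT's claims without verifying it; signature checking is the API server's job."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def token_index(sa_json, secret_name):
    """TOKEN_INDEX for create-kubeconfig.sh: position of the token secret in .secrets."""
    names = [s["name"] for s in json.loads(sa_json).get("secrets", [])]
    return names.index(secret_name)  # ValueError if the secret was never added to the SA

def check_kubeconfig(cfg_json, sa_name, namespace):
    """Problems found in `kubectl --kubeconfig kubeconfig-sa config view --raw -o json`."""
    cfg = json.loads(cfg_json)
    problems = []
    if len(cfg.get("contexts", [])) != 1 or len(cfg.get("users", [])) != 1:
        problems.append("not minified: more than one context or user")
    user = (cfg.get("users") or [{}])[0].get("user", {})
    if "exec" in user or "client-certificate-data" in user:
        problems.append("user still carries exec or client-certificate credentials")
    token = user.get("token", "")
    if token.count(".") != 2:
        return problems + ["token is not a service-account JWT"]
    claims = jwt_claims(token)
    if claims.get("kubernetes.io/serviceaccount/service-account.name") != sa_name:
        problems.append("token was issued to a different service account")
    if claims.get("kubernetes.io/serviceaccount/namespace") != namespace:
        problems.append("token was issued in a different namespace")
    return problems

# Constructed sample input (not real cluster output): the .secrets array from `kubectl get serviceaccount -o json`
# and a minified kubeconfig whose token carries legacy SA claims; the signature segment is a placeholder.
SA_JSON = json.dumps({"secrets": [
    {"name": "astracontrol-service-account-dockercfg-48xhx"},
    {"name": "secret-astracontrol-service-account"}]})
SAMPLE_TOKEN = ".".join([_b64url({"alg": "RS256"}), _b64url({
    "iss": "kubernetes/serviceaccount",
    "kubernetes.io/serviceaccount/namespace": "default",
    "kubernetes.io/serviceaccount/service-account.name": "astracontrol-service-account",
    "sub": "system:serviceaccount:default:astracontrol-service-account"}), "c2ln"])
SAMPLE_KUBECONFIG = json.dumps({
    "clusters": [{"name": "rosa", "cluster": {"server": "https://api.example.invalid:6443"}}],
    "contexts": [{"name": "astracontrol", "context": {"cluster": "rosa", "user": "sa-user"}}],
    "users": [{"name": "sa-user", "user": {"token": SAMPLE_TOKEN}}]})
```

An empty list from check_kubeconfig means the file contains only the token user you intended; any other result is worth resolving before the kubeconfig leaves your machine.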