NS: development
apiVersion: v1
kind: Namespace
metadata:
  name: development
SA: devops
apiVersion: v1
kind: ServiceAccount
metadata:
  name: devops
  namespace: development
Role: dev-fc
All permissions in the development NS
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: dev-fc
  namespace: development
rules:
- apiGroups:
  - ""
  resources:
  - "*"
  verbs:
  - "*"
RoleBinding: devops-dev-fc
devops <-> dev-fc
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: devops-dev-fc
  namespace: development
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: dev-fc
subjects:
- apiGroup: ""
  kind: ServiceAccount
  name: devops
  namespace: development
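Added example (not part of the original notes): a simplified Python model of how the dev-fc Role and devops-dev-fc RoleBinding above are evaluated. It shows that a rule with apiGroups "" and wildcard resources and verbs covers every core resource in the namespace, secrets included, but not resources in other API groups such as apps/deployments. The can_i helper and the subject tuple format are assumptions of this example, and the view ClusterRoleBinding is not modelled.

```python
# Constructed copies of the dev-fc Role and devops-dev-fc RoleBinding above.
ROLE = {
    "metadata": {"name": "dev-fc", "namespace": "development"},
    "rules": [{"apiGroups": [""], "resources": ["*"], "verbs": ["*"]}],
}
BINDING = {
    "metadata": {"name": "devops-dev-fc", "namespace": "development"},
    "roleRef": {"kind": "Role", "name": "dev-fc"},
    "subjects": [{"kind": "ServiceAccount", "name": "devops",
                  "namespace": "development"}],
}
# Subjects are (kind, namespace, name) tuples; this format is an assumption.
DEVOPS = ("ServiceAccount", "development", "devops")

def _matches(allowed, wanted):
    """RBAC list match: "*" matches anything, otherwise exact match."""
    return "*" in allowed or wanted in allowed

def rule_allows(rule, api_group, resource, verb):
    return (_matches(rule.get("apiGroups", []), api_group)
            and _matches(rule.get("resources", []), resource)
            and _matches(rule.get("verbs", []), verb))

def can_i(subject, namespace, api_group, resource, verb,
          roles=(ROLE,), bindings=(BINDING,)):
    """True if a RoleBinding in `namespace` grants `subject` the request.
    Simplified: Role-kind roleRefs only; no subresources, resourceNames,
    ClusterRoles or group membership.
    """
    for b in bindings:
        if b["metadata"]["namespace"] != namespace:
            continue  # a RoleBinding only applies inside its own namespace
        bound = [(s["kind"], s.get("namespace"), s["name"])
                 for s in b["subjects"]]
        if subject not in bound:
            continue
        for r in roles:
            if (b["roleRef"]["kind"] == "Role"
                    and r["metadata"]["name"] == b["roleRef"]["name"]
                    and r["metadata"]["namespace"] == namespace
                    and any(rule_allows(rule, api_group, resource, verb)
                            for rule in r["rules"])):
                return True
    return False

if __name__ == "__main__":
    for req in [("", "pods", "delete"), ("", "secrets", "get"),
                ("apps", "deployments", "create")]:
        print(req, can_i(DEVOPS, "development", *req))
```

On a live cluster the equivalent check is kubectl auth can-i with --as=system:serviceaccount:development:devops.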
ClusterRole: view
ClusterRoleBinding: devops-view
devops <-> cluster-read
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: devops-view
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: view
subjects:
- apiGroup: ""
  kind: ServiceAccount
  name: devops
  namespace: development
kubeconfig(~/.kube/config)
Check the SA account token
kubectl get sa -n development devops
kubectl describe secret -n development devops-token-rfvwt
Define the kubeconfig user
kubectl config set-credentials devops --token=XXX
Define the kubeconfig context
kubectl config set-context devops@cluster.local --cluster=cluster.local --user=devops --namespace=development
Switch context
kubectl config use-context devops@cluster.local
CSR
Generate the X.509 key
openssl genrsa -out kadmin.key 2048
Create the CSR
openssl req -new -key kadmin.key -out kadmin.csr -subj "/CN=kadmin"
Create the CSR resource
apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
metadata:
  name: <NAME>
spec:
  request: <BASE64 ENCODED>
  signerName: kubernetes.io/kube-apiserver-client
  usages:
  - client auth
Check the CSR resource
kubectl get csr
Approve the CSR: issue the signed certificate
kubectl certificate approve kadmin
Check the CSR resource
kubectl get csr
The issued certificate is in the CSR resource's csr.status.certificate field.
Save the certificate
kubectl get csr kadmin -o jsonpath='{.status.certificate}' | base64 -d > kadmin.crt
ClusterRole: admin
ClusterRoleBinding: kadmin-admin
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kadmin-admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: kadmin
kubeconfig
kubectl config set-credentials kadmin --client-certificate=kadmin.crt --client-key=kadmin.key --embed-certs
kubectl config set-context kadmin@cluster.local --cluster=cluster.local --user=kadmin
Create an X.509 user (kops): read access to the whole cluster
Windows
choco install kubernetes-cli --version=1.19.5 [--allowdowngrade]
kubectl version
Linux (Kubernetes cluster)
cp ~/.kube/config /vagrant
Windows
c:\Users\playdata\vagrant\k8s\config ----copy---> c:\Users\.kube/config
helm repo add stable https://charts.helm.sh/stable
helm completion bash | sudo tee /etc/bash_completion.d/helm
exec bash
helm show <option>
Example: mariadb package
https://github.com/helm/charts/tree/master/stable/mariadb
Chart.yaml
README.md
values.yaml
/templates
values.yaml
service:
  type: LoadBalancer
helm install happy-panda stable/mariadb -f values.yaml
helm install <release> <package>
helm uninstall <release>
helm upgrade -f <values> <release> <package>
helm history <release>
helm rollback <release>