Read-only Import

If you only want to view Kubernetes cluster resources through the Cloudpods kubeserver service, create a read-only RBAC ServiceAccount and import the kubeconfig that carries that ServiceAccount's token. The cluster's RBAC authorizer then rejects every write request made through the imported credential.

The steps are as follows.

Use kubectl apply to create the following RBAC resources: a ServiceAccount (cloudpods-reader), a ClusterRole (cloudpods-read-only) whose rules allow only the get, list and watch verbs, and a ClusterRoleBinding (cloudpods-reader-binding) that ties the two together.

Save the following content in the readonly-res.yaml file.

apiVersion: v1
kind: ServiceAccount
metadata:
  name: cloudpods-reader
  namespace: default
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  # ClusterRoles are cluster-scoped, so no namespace is set here.
  name: cloudpods-read-only
rules:
- apiGroups:
  - "*"
  resources: ["*"]
  # Read verbs only: create, update, patch, delete and the "*" wildcard are deliberately absent.
  verbs:
  - get
  - list
  - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cloudpods-reader-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cloudpods-read-only
subjects:
- kind: ServiceAccount
  name: cloudpods-reader
  namespace: default

Apply readonly-res.yaml to the Kubernetes cluster that is to be imported.

$ kubectl apply -f readonly-res.yaml

Generate kubeconfig

The following script generates the kubeconfig; save it in the readonly-config.sh file. It reads the ServiceAccount's token Secret. Clusters running Kubernetes 1.24 or later no longer create that Secret automatically, so on such clusters first create a Secret of type kubernetes.io/service-account-token annotated with kubernetes.io/service-account.name: cloudpods-reader in the default namespace; the script selects the Secret by that annotation, so it works with both auto-generated and manually created token Secrets.

#!/bin/bash
# Build a kubeconfig for the cloudpods-reader ServiceAccount from its token Secret.
set -euo pipefail

ns=default
sa=cloudpods-reader

server=$(kubectl config view --minify --output jsonpath='{.clusters[*].cluster.server}')
# Pick the ServiceAccount's token Secret by type and annotation instead of by name prefix,
# so a Secret created by hand (required on Kubernetes 1.24+) is found as well.
name=$(kubectl get secrets --namespace="$ns" -o json \
  | jq -r --arg sa "$sa" 'first(.items[]
      | select(.type == "kubernetes.io/service-account-token"
               and .metadata.annotations["kubernetes.io/service-account.name"] == $sa)
      | .metadata.name)')
if [ -z "$name" ]; then
  echo "no token Secret found for ServiceAccount $ns/$sa" >&2
  exit 1
fi
# ca.crt stays base64-encoded because kubeconfig expects certificate-authority-data that way.
ca=$(kubectl get secret/"$name" --namespace="$ns" -o jsonpath='{.data.ca\.crt}')
token=$(kubectl get secret/"$name" --namespace="$ns" -o jsonpath='{.data.token}' | base64 --decode)
namespace=$(kubectl get secret/"$name" --namespace="$ns" -o jsonpath='{.data.namespace}' | base64 --decode)

cat <<EOF
apiVersion: v1
kind: Config
clusters:
- name: default-cluster
  cluster:
    certificate-authority-data: ${ca}
    server: ${server}
contexts:
- name: default-context
  context:
    cluster: default-cluster
    namespace: ${namespace}
    user: default-user
current-context: default-context
users:
- name: default-user
  user:
    token: ${token}
EOF

Run the readonly-config.sh script and copy the kubeconfig it prints.

$ bash readonly-config.sh

Then import the generated kubeconfig content from the frontend. Through this credential only read operations succeed; any write operation is rejected by the Kubernetes cluster's RBAC authorizer. Note that get and list on all resources include Secrets, so treat the generated kubeconfig as a cluster-wide read credential and store it accordingly.
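Before importing, and again whenever the cluster's RBAC changes later, it is worth confirming that nothing grants the cloudpods-reader ServiceAccount more than get, list and watch. The following Python audit is an added example, not Cloudpods code: it walks every ClusterRoleBinding and RoleBinding that names the ServiceAccount, resolves the referenced roles and flags any verb outside the read set (it goes slightly beyond the page by covering namespaced RoleBindings too). SAMPLE_ITEMS is a constructed input mirroring readonly-res.yaml, and audit_live_cluster assumes kubectl is on PATH.

```python
"""Audit that a ServiceAccount holds only get/list/watch through RBAC (added example,
not Cloudpods code). Input: the `.items` of the v1 List printed by
`kubectl get clusterroles,clusterrolebindings,roles,rolebindings -A -o json`."""
import json
import subprocess

READ_ONLY_VERBS = {"get", "list", "watch"}
RBAC_KINDS = "clusterroles,clusterrolebindings,roles,rolebindings"


def audit_service_account(items, namespace, sa_name):
    """Return findings (empty == read-only). Any verb outside get/list/watch is
    flagged, including the wildcard "*". Roles are keyed by namespace, ClusterRoles by ""."""
    roles = {(o["kind"], o["metadata"].get("namespace", ""), o["metadata"]["name"]): o
             for o in items if o["kind"] in ("ClusterRole", "Role")}
    findings = []
    for b in (o for o in items if o["kind"] in ("ClusterRoleBinding", "RoleBinding")):
        # Only bindings whose subjects include this exact ServiceAccount matter.
        if not any(s.get("kind") == "ServiceAccount" and s.get("name") == sa_name
                   and s.get("namespace") == namespace for s in b.get("subjects") or []):
            continue
        ref, bns = b["roleRef"], b["metadata"].get("namespace", "")
        key = ("ClusterRole", "", ref["name"]) if ref["kind"] == "ClusterRole" else ("Role", bns, ref["name"])
        where = f"{b['kind']} {bns + '/' if bns else ''}{b['metadata']['name']}"
        role = roles.get(key)
        if role is None:  # dangling roleRef: cannot prove it is read-only
            findings.append(f"{where}: referenced {ref['kind']} {ref['name']} missing from input")
            continue
        for rule in role.get("rules") or []:
            extra = set(rule.get("verbs") or []) - READ_ONLY_VERBS
            if extra:
                findings.append(f"{where}: {ref['kind']} {ref['name']} grants {sorted(extra)}")
    return findings


def audit_live_cluster(namespace="default", sa_name="cloudpods-reader"):
    """Audit the current kubectl context (needs cluster access; not run offline)."""
    out = subprocess.check_output(["kubectl", "get", RBAC_KINDS, "-A", "-o", "json"])
    return audit_service_account(json.loads(out)["items"], namespace, sa_name)


# Constructed sample mirroring the ClusterRole and ClusterRoleBinding in readonly-res.yaml.
SAMPLE_ITEMS = [
    {"kind": "ClusterRole", "metadata": {"name": "cloudpods-read-only"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["get", "list", "watch"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "cloudpods-reader-binding"},
     "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "cloudpods-read-only"},
     "subjects": [{"kind": "ServiceAccount", "name": "cloudpods-reader", "namespace": "default"}]}]

if __name__ == "__main__":
    print(audit_service_account(SAMPLE_ITEMS, "default", "cloudpods-reader"))
```

An empty list means every binding that names the ServiceAccount resolves to read-only rules; each finding names the binding and role that widen it.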

Update Existing Cluster's kubeconfig

If the cluster is already imported, update its kubeconfig with the following commands:

# Save the kubeconfig content generated by readonly-config.sh to a file
$ bash readonly-config.sh > kubeconfig-ro.conf

# First list all K8s clusters
$ climc k8s-cluster-list --scope system --limit 0
+----------+--------------------------------------+---------+--------------+----------------+---------+---------------+---------+-----------+----------+-------------+
| Name     | Id                                   | Status  | Cluster_Type | Cloudregion_Id | Vpc_Id  | Resource_Type | Version | Mode      | Provider | Sync_Status |
+----------+--------------------------------------+---------+--------------+----------------+---------+---------------+---------+-----------+----------+-------------+
| t3       | 66bf3f7e-5ddd-4fef-8905-b4c380942352 | running | default      | default        | default | guest         | v1.17.0 | customize | onecloud | idle        |
| test122  | 2c136bb7-aab8-42f6-89d4-ed921278456c | running | default      | default        | default | guest         | v1.22.9 | customize | onecloud | idle        |
| lzx-test | a83fdc32-586f-4fad-82c6-51af34e2be76 | running | default      | default        | default | guest         | v1.17.0 | customize | onecloud | idle        |
+----------+--------------------------------------+---------+--------------+----------------+---------+---------------+---------+-----------+----------+-------------+
*** Total: 3 Pages: 1 Limit: 2048 Offset: 0 Page: 1 ***

# Assuming you want to update cluster test122's kubeconfig
$ climc k8s-cluster-set-kubeconfig 2c136bb7-aab8-42f6-89d4-ed921278456c ./kubeconfig-ro.conf