資源要求

請準備好doker環境，盡量用比較新的版本。我的docker環境如下
docker 環境： Docker version 20.10.21, build 20.10.21-0ubuntu1~18.04.3

安裝kind

kind表現上就是一個二進制程序，下載對應版本并增加執行權限即可：

curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.11.1/kind-linux-amd64
chmod +x ./kind
mv ./kind /usr/bin/kind
kind version

如何通過kind新建k8s集群？

kubectl是與k8s交互的客戶端命令工具，因此需要先安裝此工具。

curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
sudo install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl
kubectl version --client

使用config文件創建k8s集群

extraPortMappings：把K8s容器（相當于K8s所在的服務器）端口暴露出來，這里暴露了30000-30005，可以理解為把docker部署的k8s集群中的服務，通過docker服務將端口映射出來給到宿主機可以訪問。

kind-config.yaml

kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
nodes:- role: control-planeextraPortMappings:- containerPort: 30000hostPort: 30000protocol: TCP- containerPort: 30001hostPort: 30001protocol: TCP- containerPort: 30002hostPort: 30002protocol: TCP- containerPort: 30003hostPort: 30003protocol: TCP- containerPort: 30004hostPort: 30004protocol: TCP- containerPort: 30005hostPort: 30005protocol: TCP

使用以下命令來創建集群

kind create cluster --name myk8s-01 --config kind-config.yaml

To start using your cluster, you need to run the following as a regular user:mkdir -p $HOME/.kubesudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/configsudo chown $(id -u):$(id -g) $HOME/.kube/configAlternatively, if you are the root user, you can run:export KUBECONFIG=/etc/kubernetes/admin.confYou should now deploy a pod network to the cluster.
Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at:https://kubernetes.io/docs/concepts/cluster-administration/addons/You can now join any number of control-plane nodes by copying certificate authorities
and service account keys on each node and then running the following as root:kubeadm join myk8s-01-control-plane:6443 --token <value withheld> \--discovery-token-ca-cert-hash sha256:fc1aad44ac2b0d95ce17a0ed081a336768da10492f8091aeaf6ebfa060a55cf0 \--control-planeThen you can join any number of worker nodes by running the following on each as root:kubeadm join myk8s-01-control-plane:6443 --token <value withheld> \--discovery-token-ca-cert-hash sha256:fc1aad44ac2b0d95ce17a0ed081a336768da10492f8091aeaf6ebfa060a55cf0? Starting control-plane 🕹?? Installing CNI 🔌? Installing StorageClass 💾
Set kubectl context to "kind-myk8s-01"
You can now use your cluster with:kubectl cluster-info --context kind-myk8s-01Thanks for using kind! 😊

root@raypick:/home/raypick/k8s_resource/helen# docker ps
CONTAINER ID   IMAGE                  COMMAND                  CREATED          STATUS          PORTS                                                             NAMES
6b1f30ea4d28   kindest/node:v1.21.1   "/usr/local/bin/entr…"   25 minutes ago   Up 25 minutes   0.0.0.0:30000-30005->30000-30005/tcp, 127.0.0.1:41957->6443/tcp   myk8s-01-control-plane
root@raypick:/home/raypick/k8s_resource/helen#

創建完成后正常會在宿主機的目錄下生成這個文件，/etc/kubernetes/admin.conf，如果沒有的話，docker cp，將容器集群中的
/etc/kubernetes/admin.conf文件拷貝出來到宿主機的/etc/kubernetes目錄下即可，但是記住拷貝的話需要修改修改其中的server為127.0.0.1，默認是docker網段中的ip地址

執行以下命令，將k8s集群配置加載進環境變量中，之后即可開始后續的內容操作

export KUBECONFIG=/etc/kubernetes/admin.conf

創建資源進行測試

namespace.yaml

apiVersion: v1
kind: Namespace
metadata:name: helen

serviceaccount.yaml

apiVersion: v1
kind: ServiceAccount
metadata:name: sa-helennamespace: helen

---

role.yaml

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:name: role-helennamespace: helen
rules:
- apiGroups: [""]resources:- pods- pods/exec- pods/log- services- endpoints- configmaps- secrets- persistentvolumeclaims- serviceaccountsverbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: ["apps"]resources:- deployments- replicasets- statefulsets- daemonsetsverbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: ["batch"]resources:- jobs- cronjobsverbs: ["get", "list", "watch", "create", "update", "patch", "delete"]

---

rolebinding.yaml

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:name: helen-sa-role-bindingnamespace: helen
subjects:
- kind: ServiceAccountname: sa-helennamespace: helen
roleRef:kind: Rolename: role-helenapiGroup: rbac.authorization.k8s.io

---

secret-helen.yaml

apiVersion: v1
kind: Secret
metadata:name: helen-secretnamespace: helen
type: Opaque
stringData:MYSQL_PASSWORD: mysql_passSFTP_PASSWORD: sftp_pass

---

nginx.yaml

apiVersion: apps/v1
kind: Deployment
metadata:name: nginx-deploymentnamespace: helen
spec:replicas: 1selector:matchLabels:app: nginxtemplate:metadata:labels:app: nginxspec:serviceAccountName: sa-helencontainers:- name: nginximage: nginxports:- containerPort: 80env:- name: MYSQL_PASSWORDvalueFrom:secretKeyRef:name: helen-secretkey: MYSQL_PASSWORD- name: SFTP_PASSWORDvalueFrom:secretKeyRef:name: helen-secretkey: SFTP_PASSWORD

---

service.yaml

apiVersion: v1
kind: Service
metadata:name: nginx-servicenamespace: helen
spec:type: NodePortselector:app: nginxports:- protocol: TCPport: 80targetPort: 80nodePort: 30000  # 你也可以不指定，由系統自動分配

上面的文件依次apply后，即可將nginx服務啟動，并通過宿主機ip:30000/進行訪問nginx服務。這里的192.168.56.103是我虛擬機的ip

http://192.168.56.103:30000/

使用 ServiceAccount 模擬 kubectl 操作

🔧 步驟 1：獲取該 ServiceAccount 的 Token

SECRET_NAME=$(kubectl get sa sa-helen -n helen -o jsonpath='{.secrets[0].name}')kubectl get secret $SECRET_NAME -n helen -o jsonpath='{.data.token}' | base64 -d > /tmp/sa-helen.token

📜 步驟 2：獲取當前集群的 CA 和 API Server 地址

# 獲取 CA
kubectl get secret $SECRET_NAME -n helen -o jsonpath='{.data.ca\.crt}' | base64 -d > /tmp/ca.crt# 獲取 API Server 地址
APISERVER=$(kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}')

🧪 步驟 3：生成一個 kubeconfig 文件

cat <<EOF > /tmp/kubeconfig-sa-helen
apiVersion: v1
kind: Config
clusters:
- cluster:certificate-authority: /tmp/ca.crtserver: ${APISERVER}name: kind-cluster
contexts:
- context:cluster: kind-clusteruser: sa-helennamespace: helenname: sa-helen-context
current-context: sa-helen-context
users:
- name: sa-helenuser:token: $(cat /tmp/sa-helen.token)
EOF

? 步驟 4：使用這個 kubeconfig 來運行 kubectl

KUBECONFIG=/tmp/kubeconfig-sa-helen kubectl get pods
KUBECONFIG=/tmp/kubeconfig-sa-helen kubectl get secrets或者export KUBECONFIG=/tmp/kubeconfig-sa-helen

如果role-helen 中沒有對某資源的權限授權，這時候命令會失敗，提示 forbidden。