k8s如何生成一个完整的kubeconfig文件

1. kubeconfig

1.1 简介

Kubernetes 使用YAML 文件存储kubectl的集群身份验证信息。kubeconfig包含 kubectl 在运行命令时引用的上下文列表。默认情况下，该文件为 $HOME/.kube/config，也可以使用–kubeconfig参数指定kubeconfig文件

1.2 组成

一个完整的kubeconfig文件包含clusters、contexts、users、current-context以及一些元信息组成，一个kubeconfig文件可以定义多个cluster、多个context以及多个user，可以实现一个config管理多套k8s集群的目的

clusters

用来配置k8s的连接信息，可以有多个，每个cluster需要指定集群的api-server地址以及证书

contexts

用来配置k8s的连接信息，可以有多个，每个cluster需要指定集群的api-server地址以及证书

users

用来配置k8s的上下文信息，可以有多个，每个context需要指定属于哪个集群，以及使用哪个用户进行认证

current-context

指定当前kubectl使用的上下文，使用kubectl config usecontext context-name命令可以切换上下文

示例文件

apiVersion:v1clusters:-cluster:certificate-authority-data:LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUM2VENDQWRHZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwcmRXSmwKY201bGRHVnpNQ0FYRFRJME1ERXdOREF5TlRreU5Gb1lEekl4TWpNeE1qRXhNREkxT1RJMFdqQVZNUk13RVFZRApWUVFERXdwcmRXSmxjbTVsZEdWek1JSUJJakFOQmdrcWhraUc5dzBCQVFFRkFBT0NBUThBTUlJQkNnS0NBUUVBCjV4ZzFLNllmN0laa0xraHNCdUx5SCs3M212WTF4SjZrUmxuMnErckpGeksyVE1zNmM2R1poZG1GR2V4TTFyNysKMndyOGRpcUlmRGxvYXBBczUvcWQxZGovS1loUGdWNVgvcW16RFpEcG1xaTNhMCsrRkdXUDNDNE5DdklvMkY2QgpnVlpMRWozdWh4dGVhSUhxNG51MEQxaUJkeFU1MXJnaG0rNElyZFdwWDZQL2U4Uyt3ZG5LeHBlRUVid2lBK1JUCnJFZXJJd1VlcS95RFg1aXNrTjZQTlJXQ1RRZStsOGVPOEtFdUt3cXlhcmYyc3YycGVJTUJkY01SZmxWMHJYaXcKSjFpNVBmKzhRMmwyUWJiYjI1VCt0MkpaSjlWeS81QkloQVFHSlAxZlB5V1JML21vOHRGYkVmNE9ZNyt5VG5yUgo4RmFwV1lGeVZhT2pYVTBpUG5HZTd3SURBUUFCbzBJd1FEQU9CZ05WSFE4QkFmOEVCQU1DQXFRd0R3WURWUjBUCkFRSC9CQVV3QXdFQi96QWRCZ05WSFE0RUZnUVVWaWRPV2dSOVo0VTZaS0JOOVdrdTkvd054SXd3RFFZSktvWkkKaHZjTkFRRUxCUUFEZ2dFQkFHUk9hOS9PczExdmMwSXYxQmw1S0NkV0dxSWp4Nk8rZDQ0MWx2V0VzV0cxYVpUMQpNZGorNkl3cUZGUStWUm9aSGdPbHdncEdyTzQ3MmpIeVI3Q0VGNkZGeXB1eXE1TnNzT1V5K3VmTWdsWDBlMGtUClBlSjJUbHBEVjlneksxdHgzWk0yRXk3alhxUjdpWnhGV1dUd3BTZFlUS09YRDZ6TXY1WWs3Y3ZHQzd1bHF0Vi8KZEY4aWpHY3lwQjFiTDNXVnN4N3BmSjlyRjA5NW5LaEJ0WnNNN3l2cnFzdGRlMlRvYW05emNYMjFZZVlWOSs2egp2S00ydWg0d2F1WGRNZ04rVUZCd3ArQWlyV0lGL29VbGxKTElNTFZza3FOb3pwbFhIclVYL2EyNlBFRTRrbFBsCmx3UFludzQzUDltQWZKcHZaMmkwdnFydmVoenJ2eXZUOHloa01JWT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=    server:https://xxx.xxx.xxx:6443name:xxx.xxx.xxx-cluster:certificate-authority-data:LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUM2VENDQWRHZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwcmRXSmwKY201bGRHVnpNQ0FYRFRJek1EZ3lNREEwTVRNek5Wb1lEekl4TWpNd056STNNRFF4TXpNMVdqQVZNUk13RVFZRApWUVFERXdwcmRXSmxjbTVsZEdWek1JSUJJakFOQmdrcWhraUc5dzBCQVFFRkFBT0NBUThBTUlJQkNnS0NBUUVBCm4vTFJDN1ZGdzkxVUFhYXNKTzhEaXU0c0FjK3hqRHhCVFIrUTNjUHVOSlVCUk1BSVNUQjhMNG9PV3E4TDNvMGgKbkpGcGlTR0dFcXVaV3JGUkZBWU9oN1JGb2pxUW5IaVowQ2gzc2ZUVWxENU16aG9QZzlWOFF6MlZGa3NOMkx2MApHcEpSQ2VUTFhMWG4vMUZSVUNIQWlMdXV5UHoreXFBZW1ZSUR4dVZWdFM0RmJQYVJHMkNYQTU1T280Y3FYQkVDCmZvT3grcEhoVjA4K1FPMFBla1B4SW45NXozVmREaGZ2NmcrMmJyYm5KVW90ZEZpQ0I1Vy9ibjdZc21keTJFTHUKS0FiSE5zOHhQSkY3bGZqMUIwUGpMVXp3Y1pwZ29zNU5TNUgxWXZjUUREYngvb0FhVHNXTVVkRHZDNk9sNm13UQo1ME5COWRKMnVabFU0UXB6eVNOZGNRSURBUUFCbzBJd1FEQU9CZ05WSFE4QkFmOEVCQU1DQXFRd0R3WURWUjBUCkFRSC9CQVV3QXdFQi96QWRCZ05WSFE0RUZnUVVaZVJWWWozZXhIYmZYREorS09mYzcwclMrcFl3RFFZSktvWkkKaHZjTkFRRUxCUUFEZ2dFQkFHdVBwZ21oTGtoL0k1S0VCRG1majZwT2EvUjluMWJQdkpPMnJTSGhDUGlFbEdQLwpMZHZ6MzdNTmpWNTFTK2NVMm1JVUZTVVFXeVNpZzkyenFFOVJZNzgxdmRvSk9rcWxqdDhxQm83cUhZRUt0dEJWCmZZR0U1ZFAvSlpNSFlNcU9rSUhOYkx1YkVUNWw3cUVkSlgxS0kyVXJZbXc0dTErYWJCR2d2QUhOSDQwT1QvYmUKaVJyYkpUWW4vTW00VDlQVnFPTkJSajY1eUxaUjdNR2JQeDFzUklQWVpycUJ6NnJwMlA1QzlyYXptTmFKbDV4YwpyMjZnZ2lGbkRuM0ZBMWw2SVRkQW5HTUNIYVVMNDVyWDhLbnkySU1iZlZSMmtmRlBjL0NpQkN6U3JGZWJqbldUClZCSjNJNHh4T2gvaldpdDlrT2piWXYySzVlK3l2Zk9TQ1hXWkNEZz0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=    server:https://xxx.xxx.xxx:6443name:xxx.xxx.xxxcontexts:-context:cluster:xxx.xxx.xxx    user:admin2  name:xxx.xxx.xxx-context:cluster:xxx.xxx.xxx    user:admin  name:xxx.xxx.xxxcurrent-context:xxx.xxx.xxxkind:Configpreferences:{ }users:-name:admin  user:client-certificate-data:LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUN1akNDQWFJQ0NRRC92aXBtTUNUYmR6QU5CZ2txaGtpRzl3MEJBUXNGQURBVk1STXdFUVlEVlFRREV3cHIKZFdKbGNtNWxkR1Z6TUI0WERUSTBNRFF3T0RBek1EWTBOMW9YRFRJMU1EUXdPREF6TURZME4xb3dLVEVPTUF3RwpBMVVFQXd3RllXUnRhVzR4RnpBVkJnTlZCQW9NRG5ONWMzUmxiVHB0WVhOMFpYSnpNSUlCSWpBTkJna3Foa2lHCjl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUF0NGp4blpSMEdjZW82K0x1ZFQ0NUlWSVlMODRiSCtCaTZudkkKY0xVNjg1ZjNhdWVGODcyd0NpWEpJQWZrRXBIZkFsRS9qdU1EaFNSY2Z4VHNqUlpNK1poMlJMclBUejdhdTROcApKaHo2NFdoeWV1T1RZWEIwb2hyemtaVU84RjRqTkFnakhNNDg1OG1OaGNTMW9lVjk3bFBZbWhRU3BQSmMyL3BQClNiaEJLWmFWU3RHdnU2NGtUaFdPQ3I5RU5IOVJTTHB4QlZja0EvaGV2WmNFVitmekd3SjhTN2ExUEpzazlyV08KaU40R2t5cnI3SmMwQlQ2OCtkSFZMS1VnS1dtS0QwWXIzUUgvaGN3MGlGRXJrZEc2Yno4NmtlSjhzZURUUUR0awpqWTk4RC8zMmtQTGFHcENrck9YY2prek5kRzhzUXoxVExXclNEZ2xoQ2drOVQ4eGVhUUlEQVFBQk1BMEdDU3FHClNJYjNEUUVCQ3dVQUE0SUJBUUNZTTFxTkVzNGRMU0dsN2dETi9rSjE2K2U1dFdnbEVWQjQxNUdJSmIxU2lhR0YKUEcrNFBaQ2pkMHpaMVdTZVE5VHRtaE02bHFET2RSYnNZUUFEQ0FVVEc5YXBVMHltUk1Ja0lyNlRIeCt1RjlYeApjdThBd3JVUWlKeGJpTkxqSDltQ1N2alBkNE9IdC9EQ1IvYitGdGFJc3JwZnMxd2thMWNKZFFmRjB2WXJtTXpZCmprcXlyOExMQmh1bmoyQlJQd1lNTjIyeGlVNndoYWxRdkorZitESzRPb2hxR3VRSW84MmJ2M1dBOFNkbWYwc1AKbG52UXhtUnZ5OFdrZmVaWGpJeHRTL0wxRVhoSDJ2RG91OGdTajh2Nnc1T3ZObXlGeFRQUGE2Q0pJaklQQjFTeApGRUFYUlZTM0MxNVdibGVralpSSTVreTBuQWhYWisrUlk1eGVleldJCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K    client-key-data:LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb3dJQkFBS0NBUUVBdDRqeG5aUjBHY2VvNitMdWRUNDVJVklZTDg0YkgrQmk2bnZJY0xVNjg1ZjNhdWVGCjg3MndDaVhKSUFma0VwSGZBbEUvanVNRGhTUmNmeFRzalJaTStaaDJSTHJQVHo3YXU0TnBKaHo2NFdoeWV1T1QKWVhCMG9ocnprWlVPOEY0ak5BZ2pITTQ4NThtTmhjUzFvZVY5N2xQWW1oUVNwUEpjMi9wUFNiaEJLWmFWU3RHdgp1NjRrVGhXT0NyOUVOSDlSU0xweEJWY2tBL2hldlpjRVYrZnpHd0o4UzdhMVBKc2s5cldPaU40R2t5cnI3SmMwCkJUNjgrZEhWTEtVZ0tXbUtEMFlyM1FIL2hjdzBpRkVya2RHNmJ6ODZrZUo4c2VEVFFEdGtqWTk4RC8zMmtQTGEKR3BDa3JPWGNqa3pOZEc4c1F6MVRMV3JTRGdsaENnazlUOHhlYVFJREFRQUJBb0lCQUQzT2VqOXMzT1JKbnBOQgphcmhFNmd4VWp4eWFOZnc0SGxlRXMrMXd1cGVKMTZKQ3NaTnhqN1Q3SUk0TzJqbCtzakVmbDEzUkNVQnZERThuCmhybkVoc3VQRWxUMjdCVnR2MDlpWTZpWUhjeUcxZmFZYU90cGFYMmx3ZHlHNis3NlpMU0RBUUFVVytKYXQ3UVMKbUhBYXpwdlIxS0dlbk9DN1ZaWW01MGlXS2l1TW5jdGJvaXVKdzhWQU9nWlFuSTdmbmdsTnlvcDhPNzBSdFdDbgo5TG95dm5xR3pZQUlibTU1VkhhTWxrVS9MRzVUZ0lxZUkxcEFIT20zVUdsRWY4UnFtSnBZVzVZaEJDTFE1WnUrCkpVcWc2WTZKd0Ixb1pJMUZXYzZTVG5SbXNsSjA3aHNCZFN2V090WVV5UnRibi9vMEFjVjByU00wS2dPeEp5ckMKaWhab1E3a0NnWUVBN1BZTDJjeVJ0Q1V2ZVVKRUhQMXI1QlJ2ODZZTXdoMUxtcFVuZTEzWmVGdVdtaWluTnY2dwpNM3pSQWdhOHJxb0hRSjlHQXdXcDg2N2NPQ2pOSE9oeHF0ZEtqbkVXYXhyZmNEVDlhMHZ0LzlUcU9SQVh1OUFCCmtDcEMveHZ6dlowSkZhZlJlTlZKNENBRFkvNGsybmx2eGg4M1NPY1Faa0szS2U2ZFZ2Zml2Q2NDZ1lFQXhrZi8KTUZtTVozTEpqZytPSHFra2xVM3pjdi9GaXZpaklpM05aNjgvQnVhYzJ4OEdVdjBVWFp1UXZyQ0M1Z2gxYVh3OQpuS01HRTRnRUxrZWt4d3EvaUgxL3RkZ296SEhyUVFrUi9reEVVN2pZdnJReWhjeHYvTkUxR0kzcnY2UmJFRERYCjRqM1dKd2F1N3JDNEJhaFhFV2E5REtwckVGS1VtYi81aXVIZld1OENnWUIyaXppdWd1cTVab2p6YnJWSWszY3cKS1JGQW9PZHRETjdQdktKOTB4dUNYTDlnNjhtTGQ2cUtkM3pRT0xLWDVyT3VIb0FWN3ZWdzFSK1NjTWI4R1VVVQpKSlJGNGtsRzE3REVINTVQMlRKOWMvU2hDMjMwSlVGQzhBR0lRbUdUa0VZRk1XbFh1OHd6ZFpCOHE1MmdOblEyCmQxTmZBMGx1L3gxR3V2cTNrVmM2clFLQmdRQ0owRnJYVVRaY1pKVWd6MEQ1b0ppVHliVlBGZVZJblY1TmtFWTMKTGNBQjNPSGpEeUpISmk0MGpiN0NPMDhQOFlzaUFUK1ZrbDNUejNNUWM2MWN4dVN2U29Nc2NneVJaUkNkaUY5ZwpQOFF4Nk1XRmJ4dTZrWWk0MFBRMWw5Ym13YWFsanoxTnU2c1FQdjN4V3hUY29jKzZnWTBlczRoc3RPa2lJQ09pCjJ6RnlNd0tCZ0ZUUzNYTHlmVEM5cUVUUGZzV2o1elNhRkxwUGxnanNVMlloSGVuTWE3VytCSmhOdDZCYjM4S3cKa1lqMkd5cnUrMUpOSkNIdVJIOW45UFNFTVRYREdkdXZiTm9rQ1hDZm41K1I2STZ0ci85SFoyQ2kzdXBud1J0bwpkaUg0WmF4VTdpWTk4SDhldTVKSk1UQjY5MEN4ZS9NOTA5Q0pxeCs5SzhOdDgyb2srOUtMCi0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tCg==-name:admin2  user:client-certificate-data:LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUN1ekNDQWFNQ0NRQ09LV2Z6UWJ2VjBUQU5CZ2txaGtpRzl3MEJBUXNGQURBVk1STXdFUVlEVlFRREV3cHIKZFdKbGNtNWxkR1Z6TUI0WERUSTBNRFF3T0RBek1UY3lORm9YRFRJMU1EUXdPREF6TVRjeU5Gb3dLakVQTUEwRwpBMVVFQXd3R1lXUnRhVzR5TVJjd0ZRWURWUVFLREE1emVYTjBaVzA2YldGemRHVnljekNDQVNJd0RRWUpLb1pJCmh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBT3EwVUdaMlJMVHBTY3J3K0RyTHdjT01CTktPeUJobDRSZVYKZytISzVwVHlGNlVUM2NmNzkwditTc1o4Ky9nYkJuM1BqMUFDbVZhUUQzemk1THNQenpSc05mYWpFSG5YL3ovVwo4clR0RmJzNk9XUGRiNFlnWnVxUWtzajR3bkhWZDRlN2RBYnR3aVRqSWpObFMvNGlVV3c1RmdKYkJobVZTVWZSCkZGcTVSTE90ekJDU2RLSTFWTTdYWHV4OFU0U0J2Z3FKYXJRU1JpUStSbzlqZldlTHhnMGZjWE5BcHEwcWhlMzQKVWYvZjJMZFMwb2JVTlVYekZWMGZONnR2YWZhbUVWUlJweDZ3U3VpZHVSenM2OGZBZGo3YWlKc2FBdDhma3AwYQppb2JvdjZkbDRwc2hEcWxKV25NcW9Uc25yUU9oQ3JTVFRmZ3VGeDRpYnhRcnRMWEtUZmNDQXdFQUFUQU5CZ2txCmhraUc5dzBCQVFzRkFBT0NBUUVBMjVEMUp3ZTNRdzVmbkxXZGVnd0l3NHJEejVKaGluK01nM3E5RU1VeEp4UG8KWFRzT2xUc0pEWlFBa0xzTFZzWXNlYmtLMW4yQVp2TC9MUDFodVBIaTUzRkNyWFJITW1IQTJuMFdjaXBkeG14agpFbEVGbjZ6Y1plU3VZbGplbnA2WDNFMUtYVGR3dCtsRjMreFROVk8zNDRIUDJkdGl0b3NZRWdsWWg5RGVwUU53Cmpvb2ZJYlVGb2VhV2hmNW01WW5ZVjRFZWJJOWZmSEkrVThrcDR3VGdWSFZESmFvMDA1WHd3cXJnelhxSnVFNUEKTThUbEYzelYrTlBDWFJtTUFrdlR6UlhrTzlEZkZhbzFRa21Gc1kyS05LYnJOb29ra25oZWxQZTVVS09EdG5nNgp4SWxxYUErc0ttODdJeGk0Z3k1VmtnZW5RNWUrN1Z0NEFxSk5LNnZYQXc9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==    client-key-data:LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcEFJQkFBS0NBUUVBNnJSUVpuWkV0T2xKeXZENE9zdkJ3NHdFMG83SUdHWGhGNVdENGNybWxQSVhwUlBkCngvdjNTLzVLeG56NytCc0dmYytQVUFLWlZwQVBmT0xrdXcvUE5HdzE5cU1RZWRmL1A5Ynl0TzBWdXpvNVk5MXYKaGlCbTZwQ1N5UGpDY2RWM2g3dDBCdTNDSk9NaU0yVkwvaUpSYkRrV0Fsc0dHWlZKUjlFVVdybEVzNjNNRUpKMApvalZVenRkZTdIeFRoSUcrQ29scXRCSkdKRDVHajJOOVo0dkdEUjl4YzBDbXJTcUY3ZmhSLzkvWXQxTFNodFExClJmTVZYUjgzcTI5cDlxWVJWRkduSHJCSzZKMjVIT3pyeDhCMlB0cUlteG9DM3grU25ScUtodWkvcDJYaW15RU8KcVVsYWN5cWhPeWV0QTZFS3RKTk4rQzRYSGlKdkZDdTB0Y3BOOXdJREFRQUJBb0lCQUZLSmZLaTd1S2ZDVHBBTwpzOHpCY08rYW91dUZDTHNEd09leFRjS3V2dTNzUVFKdGZSWGg5dktEaDdwTG83UjVsSXZUM1RzdTNzdkJONkVjCmpZRjNLcy90cWdDRkViczNpV3ppNDFGYStzUnYwbFRiUDJmMHB4eWdJTzZLQko5UmlZcHpFbmVKVHpmM3BFUmMKd0IrcjQrUmlJdXBMSmxjQzE5Vm9vbmJSSm1iazhDN2t0bGc1SVhtMlhBcnZyL05OSmR4UVdmWlR6MnlvMFRoMgpIdVRUMlMrU294d0lDLzA5eFlzTjZWdWFLUGRwT0owMGpsdDhOUWdxVUZpU1lydkt5N2dnMjJKbzVqNk5Xc0JLCkNQa0NSbmdZb1pBZ1NieHBDQytYZHZZbkc3cnhHMmJ5OEZSTnVwOS9RQVk3NERCT2JSL2xCdldRQ3FvRG9nSHgKSnNBUVpnRUNnWUVBK0MwWHNJdk1FcXR0TklZYnhPWmlGc1hIYU10bWp4elN0eVFOc2M5T2RFd2Z4cmcyU3UwYQpyZjRBU2xkVlJzMVBzV01YQWFvdmZTdzFxbmpmL0NrQjRHUm11VFlEbUVMdFFCRmFCSHV5aVd0TStOancrNGl6CnoyenhRejhWcFpORmJoTHZ5RzgyMHVNRkhNUEJSZlN5S0NLd2plOXhxcGxOS3YwNkh0dnBGUGNDZ1lFQThocC8KVVVkWXVPZHNkTisrU1JKL2tTQXdWbWl6ZUkzSnFwTVkxOXV6SGVNZnBrMWs3ajg1MVVqWkVXMXVaOUlQMWgvVAp4d0gxeGdSM1p4dy9jRS9JNnpRaWovSVJqMWVCcG4yc3hVQmE3Z0xDZm1OOW5aaGtjbXEyeU94WExKVmpxZzgvClpuaE1HZ3lrdW9MaTh1ekgrRWdzVVh1KzJwNCtpS1BqVTVHZlR3RUNnWUVBNVI3MFpRamJza3pUK0k3cnFrQXMKUk92NXF2VkdUVkFGOWhEeUY3dlZxYWJ5RzB2TXpDWFU0TmZFdXQyZ0hFckdqWFYzTXhGRTRLSmxOV3A5RjlkZwpKU05zZHdlNEQrV1NGZmt2Q3o2TVdUUllEdEp5d1RhM0V3UjRSV1pEZk9iWFRjVnIzTGRZZlNBY2d5N3pDN3ZhCmt4VmJ2TjVZS1hGNC9meGxvVUhVRVljQ2dZQkc0eFZHUWlLck9TK2JaT3U5VDRwRWZ1MUlUNjNFN1pjUHQ3UTkKZDltUk5iQk5yRG1TUExiOVNUQXRseUlOaWdjVEJneW5KMTdFRlFpMUN5TlVDamhsRGNYVTZlYlVWcVhpanNlbwpsYmhLR2tyQ1lQVWwwTG9RZWtoOHVoNm9NakdWV0pPU3VFUm9HQzJmWXJWNnRYT3pzY1l3TVpCblNKQTh4K2ZHCnowdWJBUUtCZ1FET1BEdmgvVWRTSkFLR0VaNVJuclJaaEkxZEt1b2xua3NEOGlUbi9UYmhPU1hBSk1NZmllZTgKbUJ2YUpvaWVrdm9BeEt5eDlKOEExUWlYMUJhZ0JSU0VFRS9IRzkxV1IwTjNqRXVNVm1FeERncllhdDc2N0ZDTgpLNkhhYW9ETjN5OG5qQ0FMQ2NmVSt0czN6RWp5bjZnY1BZcjhydGdGaEF5QkRNbHg2MTZGMnc9PQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo=

一般来说kubelet会使用一个默认的kubeconfig文件，也及时/root/.kube/config文件，如果是使用kubeadm安装的集群，其实也就是复制的/etc/kubernetes/admin.conf文件，那么如何自己生成一个kubeconfig文件呢？？
要生成一个完整的kubeconfig文件，一般包括如下几个步骤

1. 生成私钥

使用openssh生成一个2048位的私钥

openssl genrsa -outuser1.key 2048

2. 生成证书请求文件(csr)

通过私钥生成csr文件，后面通过csr文件想kubernetes请求证书
注意-subj中的CN相当于用户名，o相当于用户组
在k8s中有两类用户，一类是由Kubernetes 管理的service account，另一类是普通用户，对于普通用户k8s是没有存储用户信息的，当像k8s请求资源时，会解析证书中的用户和用户组然后通过RCBA进行鉴权
参考: https://kubernetes.io/zh-cn/docs/reference/access-authn-authz/rbac/#discovery-roles

openssl req -new-keyuser1.key -outuser1.csr -subj"/CN=user1/O=group1"

3. 申请证书

通过csr文件向k8s请求证书

openssl x509 -req-inuser1.csr \-CA/etc/kubernetes/pki/ca.crt -CAkey/etc/kubernetes/pki/ca.key -CAcreateserial\-outuser1.crt -days365

4. 添加clusters

向kubeconfig文件中配置clusters信息，可配置多个

• --server: kube-apiserver的地址
• -certificate-authority: k8s的ca文件
• --embed-certs: 将证书嵌入到kubeconfig文件中，方便客户端认证

kubectl --kubeconfig=kubeconfig.config config \set-cluster demo1 --server=https://xxx.xxx.xxx:6443 \--embed-certs --certificate-authority=/etc/kubernetes/pki/ca.crt

5. 添加user

向kubeconfig文件中配置用户信息，可配置多个

• --client-key：第一步的私钥文件
• -client-certificate: 第三步的公钥
• --embed-certs: 将证书嵌入到kubeconfig文件中，方便客户端认证

kubectl --kubeconfig=kubeconfig.config config \set-credentials user1 \--client-key=user1.key --embed-certs --client-certificate=user1.crt

6. 添加context

向kubeconfig文件中配置上下文信息，可配置多个

• --user：用户名
• --cluster: 集群名

kubectl  --kubeconfig=kubeconfig.config config \set-context ctx-demo1 --user=user1 --cluster=demo1

7. 设置current-context

设置当前使用的k8s上下文

kubectl --kubeconfig=kubeconfig.config config use-context ctx-demo1

下面是一个自动生成kubeconfig的简单脚本

#!/bin/bashwork_dir=$(cd$(dirname $0)pwd)read-p"输入用户名: "usernameread-p"输入用户组(默认system:masters): "groupif[-z"$username"];thenecho-e"\033[31m用户名不能为空\033[0m"exit-1fiif[-z"$group"];thengroup="system:masters"fiecho-e"\033[32m用户名：${ username},用户组：${ group}\033[0m"root_path=${ work_dir}/${ username}mkdir-p$root_pathprivate_key_path="${ root_path}/${ username}.key"openssl genrsa -out${ private_key_path}2048echo-e"\033[32m私钥生成成功: ${ private_key_path}\033[0m"csr_path="${ root_path}/${ username}.csr"openssl req -new-key${ private_key_path}-out$csr_path-subj"/CN=${ username}/O=${ group}">/dev/nullecho-e"\033[32m证书请求文件生成成功: ${ csr_path}\033[0m"crt_path="${ root_path}/${ username}.crt"openssl x509 -req-in${ csr_path}-CA/etc/kubernetes/pki/ca.crt -CAkey/etc/kubernetes/pki/ca.key -CAcreateserial-out${ crt_path}-days365echo-e"\033[32m证书生成成功: ${ crt_path}\033[0m"config_path="${ root_path}/${ username}.config"master_ip=`kubectl get nodes -owide--no-headers |grepcontrol-plane,master |awk-F" "'{ print $6}'`cluster_name="k8s-${ master_ip}"context_name="k8s-${ master_ip}"kubectl --kubeconfig=$config_pathconfig set-cluster $cluster_name--server=https://${ master_ip}:6443 --embed-certs --certificate-authority=/etc/kubernetes/pki/ca.crtkubectl --kubeconfig=$config_pathconfig set-credentials $username--client-key=$private_key_path--embed-certs --client-certificate=$crt_pathkubectl  --kubeconfig=$config_pathconfig set-context $context_name--user=$username--cluster=${ cluster_name}kubectl --kubeconfig=$config_pathconfig use-context $context_nameecho-e"\033[32mconfig生成成功: ${ config_path}\033[0m"

至此一个完整的kubeconfig文件就已经生成好了，但是如果只做上面的这些操作是没有任何意义的，因为在生成csr文件的时候我们使用的用户是user1,用户组是group1，如果在k8s集群中没有为user1或group1绑定角色，通过这个kubeconfig文件去访问k8s资源时会报如下错误：

这是没有为对应的用户组或者用户创建rolebind或者clusterrolebind绑定权限，这个问题如何解决，在后面的k8s RBAC中再介绍k8s RBAC权限控制

完结，撒花~~~~~