
Accessing a cluster from another server via kubeconfig

Overview

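You may need to manage Kubernetes from another server, and a third-party management tool that does not run as a container inside the cluster it manages also has to reach that cluster from a different server.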

In older versions the authorization Bearer Token was available to look up by default; in recent versions this changed, and you have to create the token yourself if you want one.

  1. Create the token on one of the k8s master nodes

     kubectl apply -f - <<EOF
     apiVersion: v1
     kind: Secret
     metadata:
       name: default-token
       annotations:
         kubernetes.io/service-account.name: default
     type: kubernetes.io/service-account-token
     EOF
    

  2. Check the token

     kubectl describe secret default-token | grep -E '^token'

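  3. Add the SA used for access (this binds the cluster-admin ClusterRole to the default service account in the default namespace, so the token carries full cluster rights)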

     kubectl create clusterrolebinding default-cluster-admin --clusterrole cluster-admin --serviceaccount default:default

  4. Create the KUBECONFIG on the other server

     apiVersion: v1
     clusters:
     - cluster:
         certificate-authority-data: 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
         server: https://ea-kube-dev.test.co.kr:6443
       name: ea-dev.cluster.local
     contexts:
     - context:
         cluster: ea-dev.cluster.local
         user: system:serviceaccount:default:default
       name: ea-kube-dev
     current-context: ea-kube-dev
     kind: Config
     preferences: {}
     users:
     - name: system:serviceaccount:default:default
       user:
         token: eyJhbGciOiJSUzI1NiIsImtpZCI6Ik5RRmZPQUlqRWFvaGtkM0JCRmw4RHVIY2tpbXJDWUoyd3ZlS2ZZT3RCOWMifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImRlZmF1bHQtdG9rZW4iLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiZGVmYXVsdCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6ImRlM2RjNzg4LWRiMmUtNGM1Zi1hMTg3LTZkMWNiNWMwMjM3ZSIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpkZWZhdWx0OmRlZmF1bHQifQ.fJ0ixcu6z0LfYTb6IDFyB31CX5bBxWfroAlQWIZelEXAzedTUmjS3Y1eySU-y69513FM-gXZzW67UjgO3-K5VCedkKr2mrMEy6UyqUjnYlRpPFPkaFsJRxQjHATpiGRUNxo9ztKXx2oEX1P3pzQVJmo1ZMe8Ck7eqOWAj278pSGuwfih5dDAw54Znagq_T-v1Ag_8uPT59bUglMPIlMSgjvsYkIicg3BnG-d5lVJA_7Ofzyu2ns8LbewXyLEGWQphQMxP7qPnhX52gDRzArFJWYJ6wweZY9Tj4y8cREWlnRYD_XSg8fXf9OY8clzT5hqg95w1728xIu_VSVgiw1ySg

  5. In the user section, delete the cert entries and register the token, then add the SA account as the user.

  6. Apply the KUBECONFIG on the other server
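
Steps 4 to 6 as a script, added here as an example and not part of the original post: it writes a token-only kubeconfig with owner-only permissions and takes the user name from the token's sub claim, rejecting anything that is not a service-account JWT. The function names, the cluster/context name remote and all argument values are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post); function names are hypothetical.

# jwt_sub TOKEN: print the "sub" claim (assumes compact JSON in the payload).
jwt_sub() {
    payload=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
    # base64url omits '=' padding; restore it before decoding
    case $(( ${#payload} % 4 )) in
        2) payload="${payload}==" ;;
        3) payload="${payload}=" ;;
    esac
    printf '%s' "$payload" | base64 -d 2>/dev/null |
        sed -n 's/.*"sub":"\([^"]*\)".*/\1/p'
}

# write_sa_kubeconfig OUT SERVER CA_DATA TOKEN
write_sa_kubeconfig() {
    out=$1 server=$2 ca=$3 token=$4
    case $server in
        https://*) ;;
        *) echo "server must be an https:// URL" >&2; return 1 ;;
    esac
    user=$(jwt_sub "$token")
    case $user in
        system:serviceaccount:*) ;;
        *) echo "token is not a service-account JWT" >&2; return 1 ;;
    esac
    # The file holds a bearer credential: make it owner-only before writing.
    : > "$out" && chmod 600 "$out" || return 1
    cat >> "$out" <<EOF
apiVersion: v1
kind: Config
clusters:
- name: remote
  cluster:
    server: $server
    certificate-authority-data: $ca
users:
- name: $user
  user:
    token: $token
contexts:
- name: remote
  context:
    cluster: remote
    user: $user
current-context: remote
EOF
}
```

On the other server, point kubectl at the generated file by exporting its path in the KUBECONFIG environment variable.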
