资源要求

请准备好doker环境，尽量用比较新的版本。我的docker环境如下
docker 环境： Docker version 20.10.21, build 20.10.21-0ubuntu1~18.04.3

安装kind

kind表现上就是一个二进制程序，下载对应版本并增加执行权限即可：

curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.11.1/kind-linux-amd64
chmod +x ./kind
mv ./kind /usr/bin/kind
kind version

如何通过kind新建k8s集群？

kubectl是与k8s交互的客户端命令工具，因此需要先安装此工具。

curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
sudo install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl
kubectl version --client

使用config文件创建k8s集群

extraPortMappings：把K8s容器（相当于K8s所在的服务器）端口暴露出来，这里暴露了30000-30005，可以理解为把docker部署的k8s集群中的服务，通过docker服务将端口映射出来给到宿主机可以访问。

kind-config.yaml

kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
nodes:- role: control-planeextraPortMappings:- containerPort: 30000hostPort: 30000protocol: TCP- containerPort: 30001hostPort: 30001protocol: TCP- containerPort: 30002hostPort: 30002protocol: TCP- containerPort: 30003hostPort: 30003protocol: TCP- containerPort: 30004hostPort: 30004protocol: TCP- containerPort: 30005hostPort: 30005protocol: TCP

使用以下命令来创建集群

kind create cluster --name myk8s-01 --config kind-config.yaml

To start using your cluster, you need to run the following as a regular user:mkdir -p $HOME/.kubesudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/configsudo chown $(id -u):$(id -g) $HOME/.kube/configAlternatively, if you are the root user, you can run:export KUBECONFIG=/etc/kubernetes/admin.confYou should now deploy a pod network to the cluster.
Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at:https://kubernetes.io/docs/concepts/cluster-administration/addons/You can now join any number of control-plane nodes by copying certificate authorities
and service account keys on each node and then running the following as root:kubeadm join myk8s-01-control-plane:6443 --token <value withheld> \--discovery-token-ca-cert-hash sha256:fc1aad44ac2b0d95ce17a0ed081a336768da10492f8091aeaf6ebfa060a55cf0 \--control-planeThen you can join any number of worker nodes by running the following on each as root:kubeadm join myk8s-01-control-plane:6443 --token <value withheld> \--discovery-token-ca-cert-hash sha256:fc1aad44ac2b0d95ce17a0ed081a336768da10492f8091aeaf6ebfa060a55cf0✓ Starting control-plane 🕹️✓ Installing CNI 🔌✓ Installing StorageClass 💾
Set kubectl context to "kind-myk8s-01"
You can now use your cluster with:kubectl cluster-info --context kind-myk8s-01Thanks for using kind! 😊

root@raypick:/home/raypick/k8s_resource/helen# docker ps
CONTAINER ID   IMAGE                  COMMAND                  CREATED          STATUS          PORTS                                                             NAMES
6b1f30ea4d28   kindest/node:v1.21.1   "/usr/local/bin/entr…"   25 minutes ago   Up 25 minutes   0.0.0.0:30000-30005->30000-30005/tcp, 127.0.0.1:41957->6443/tcp   myk8s-01-control-plane
root@raypick:/home/raypick/k8s_resource/helen#

创建完成后正常会在宿主机的目录下生成这个文件，/etc/kubernetes/admin.conf，如果没有的话，docker cp，将容器集群中的
/etc/kubernetes/admin.conf文件拷贝出来到宿主机的/etc/kubernetes目录下即可，但是记住拷贝的话需要修改修改其中的server为127.0.0.1，默认是docker网段中的ip地址

执行以下命令，将k8s集群配置加载进环境变量中，之后即可开始后续的内容操作

export KUBECONFIG=/etc/kubernetes/admin.conf

创建资源进行测试

namespace.yaml

apiVersion: v1
kind: Namespace
metadata:name: helen

serviceaccount.yaml

apiVersion: v1
kind: ServiceAccount
metadata:name: sa-helennamespace: helen

---

role.yaml

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:name: role-helennamespace: helen
rules:
- apiGroups: [""]resources:- pods- pods/exec- pods/log- services- endpoints- configmaps- secrets- persistentvolumeclaims- serviceaccountsverbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: ["apps"]resources:- deployments- replicasets- statefulsets- daemonsetsverbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: ["batch"]resources:- jobs- cronjobsverbs: ["get", "list", "watch", "create", "update", "patch", "delete"]

---

rolebinding.yaml

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:name: helen-sa-role-bindingnamespace: helen
subjects:
- kind: ServiceAccountname: sa-helennamespace: helen
roleRef:kind: Rolename: role-helenapiGroup: rbac.authorization.k8s.io

---

secret-helen.yaml

apiVersion: v1
kind: Secret
metadata:name: helen-secretnamespace: helen
type: Opaque
stringData:MYSQL_PASSWORD: mysql_passSFTP_PASSWORD: sftp_pass

---

nginx.yaml

apiVersion: apps/v1
kind: Deployment
metadata:name: nginx-deploymentnamespace: helen
spec:replicas: 1selector:matchLabels:app: nginxtemplate:metadata:labels:app: nginxspec:serviceAccountName: sa-helencontainers:- name: nginximage: nginxports:- containerPort: 80env:- name: MYSQL_PASSWORDvalueFrom:secretKeyRef:name: helen-secretkey: MYSQL_PASSWORD- name: SFTP_PASSWORDvalueFrom:secretKeyRef:name: helen-secretkey: SFTP_PASSWORD

---

service.yaml

apiVersion: v1
kind: Service
metadata:name: nginx-servicenamespace: helen
spec:type: NodePortselector:app: nginxports:- protocol: TCPport: 80targetPort: 80nodePort: 30000  # 你也可以不指定，由系统自动分配

上面的文件依次apply后，即可将nginx服务启动，并通过宿主机ip:30000/进行访问nginx服务。这里的192.168.56.103是我虚拟机的ip

http://192.168.56.103:30000/

使用 ServiceAccount 模拟 kubectl 操作

🔧 步骤 1：获取该 ServiceAccount 的 Token

SECRET_NAME=$(kubectl get sa sa-helen -n helen -o jsonpath='{.secrets[0].name}')kubectl get secret $SECRET_NAME -n helen -o jsonpath='{.data.token}' | base64 -d > /tmp/sa-helen.token

📜 步骤 2：获取当前集群的 CA 和 API Server 地址

# 获取 CA
kubectl get secret $SECRET_NAME -n helen -o jsonpath='{.data.ca\.crt}' | base64 -d > /tmp/ca.crt# 获取 API Server 地址
APISERVER=$(kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}')

🧪 步骤 3：生成一个 kubeconfig 文件

cat <<EOF > /tmp/kubeconfig-sa-helen
apiVersion: v1
kind: Config
clusters:
- cluster:certificate-authority: /tmp/ca.crtserver: ${APISERVER}name: kind-cluster
contexts:
- context:cluster: kind-clusteruser: sa-helennamespace: helenname: sa-helen-context
current-context: sa-helen-context
users:
- name: sa-helenuser:token: $(cat /tmp/sa-helen.token)
EOF

✅ 步骤 4：使用这个 kubeconfig 来运行 kubectl

KUBECONFIG=/tmp/kubeconfig-sa-helen kubectl get pods
KUBECONFIG=/tmp/kubeconfig-sa-helen kubectl get secrets或者export KUBECONFIG=/tmp/kubeconfig-sa-helen

如果role-helen 中没有对某资源的权限授权，这时候命令会失败，提示 forbidden。