在k8s集群中需要生成一些普通只读账户给平台人员使用，所以这里写了个一键脚本生成只读用户，是基于clusterrole创建的集群级别的用户，权限可以自己根据自己的需求进行修改，脚本内容如下：

#!/bin/bash

USER="suyang"
CLUSTER_IP="192.168.1.72"
CLUSTER_PORT="6443"
CA_PATH="/etc/kubernetes/pki"

if ! command -v "openssl" >/dev/null 2>&1; then
	echo "未安装openssl命令工具!"
	exit 1
fi 

echo "开始生成TLS证书..."
openssl genrsa -out ${USER}.key 2048
openssl req -new -key ${USER}.key -out ${USER}.csr -subj "/CN=${USER}"

echo "创建CSR证书文件"
openssl x509 -req -in ${USER}.csr -CA ${CA_PATH}/ca.crt -CAkey ${CA_PATH}/ca.key -CAcreateserial -out ${USER}.crt -days 365

echo "开始创建clusterrolebinding"
if ! command -v "kubectl" >/dev/null 2>&1; then
	echo "kubectl命令未找到!"
	exit 1
fi
kubectl create clusterrolebinding ${USER} --clusterrole=view --user=${USER}

CLUSTER_NAME=`kubectl config view | grep "cluster:" | tail -1 | awk -F ': ' '{print $2}'`

echo "获取证书base64..."
CER_DATA=`cat ${USER}.crt | base64 --wrap=0`
KEY_DATA=`cat ${USER}.key | base64 --wrap=0`
CA_DATA=`cat ${CA_PATH}/ca.crt | base64 --wrap=0`

echo "开始生成config管理配置文件..."
cat > ./${USER}_config <<EOF
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: ${CA_DATA}
    server: https://${CLUSTER_IP}:${CLUSTER_PORT}
  name: ${CLUSTER_NAME}
contexts:
- context:
    cluster: ${CLUSTER_NAME}
    user: ${USER}
  name: ${USER}@${CLUSTER_NAME}
current-context: ${USER}@${CLUSTER_NAME}
kind: Config
preferences: {}
users:
- name: ${USER}
  user:
    client-certificate-data: ${CER_DATA}
    client-key-data: ${KEY_DATA}
EOF