一、创建只读账户
# Open the manifest file in an editor; its contents are the YAML that follows.
vim cluster-rd.yaml
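# Read-only access for one cluster: a ServiceAccount, a ClusterRole limited to
# get/list/watch, and the ClusterRoleBinding that ties the two together.
apiVersion: v1
kind: ServiceAccount
metadata:
  # Named cluster1-rd-sa so that it matches the account name used by the
  # kubectl steps in this guide and the binding subject below.
  name: cluster1-rd-sa
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster1-rd-role
rules:
  # NOTE(security): '*' resources with get/list/watch also covers Secrets, so
  # this "read-only" account can read every Secret in the cluster, including
  # the tokens of more privileged ServiceAccounts. If that is not intended,
  # consider binding the built-in `view` ClusterRole (it excludes Secrets) or
  # listing the required apiGroups/resources explicitly.
  - apiGroups:
      - '*'
    resources:
      - '*'
    verbs:
      - get
      - list
      - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cluster1-rd-rolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster1-rd-role
subjects:
  # The subject has to be the ServiceAccount itself, not the role name;
  # otherwise the binding grants nothing to the account created above.
  - kind: ServiceAccount
    name: cluster1-rd-sa
    namespace: kube-system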
二、查看只读账户的token
# Show the token Secret of the read-only ServiceAccount; the `token:` field in
# the output is the bearer token used in the next step.
# NOTE(review): this assumes a Secret named exactly cluster1-rd-sa exists in
# kube-system. Kubernetes 1.24+ no longer auto-creates token Secrets for
# ServiceAccounts, and older clusters name them <sa-name>-token-<suffix>, so
# confirm the name with `kubectl get secret -n kube-system` first.
# The printed token is a credential: keep it out of shared terminals and logs.
kubectl describe secret -n kube-system cluster1-rd-sa
三、在只读机上合并kubeconfig
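# Build a standalone kubeconfig for cluster1 that authenticates with the
# read-only ServiceAccount token.
#   token         - the token value obtained in the previous step
#   apiserver_vip - VIP address of the cluster's kube-apiserver (address only,
#                   without scheme or port)
# Both variables must be set first; ${var:?} aborts with a message otherwise.
# NOTE(security): /tmp/cluster1.kubeconfig ends up holding the bearer token.
# Treat it as a secret and delete it once it has been merged. Passing the
# token on the command line may also expose it in shell history.
kubectl config set-credentials cluster1-rd-sa \
  --token="${token:?set token to the ServiceAccount token}" \
  --kubeconfig=/tmp/cluster1.kubeconfig
# NOTE(security): --insecure-skip-tls-verify=true turns off verification of the
# API server certificate, so the token can be disclosed to an endpoint that
# impersonates the apiserver. Prefer replacing that flag with
#   --certificate-authority=<path-to-cluster-ca.crt> --embed-certs=true
# (<path-to-cluster-ca.crt> is a placeholder for the cluster's CA file).
kubectl config set-cluster cluster1-rd \
  --server="https://${apiserver_vip:?set apiserver_vip to the apiserver VIP address}:6443" \
  --insecure-skip-tls-verify=true \
  --kubeconfig=/tmp/cluster1.kubeconfig
# Tie the cluster entry and the credentials together and make it the default
# context of this per-cluster file.
kubectl config set-context cluster1-rd \
  --cluster=cluster1-rd \
  --user=cluster1-rd-sa \
  --kubeconfig=/tmp/cluster1.kubeconfig
kubectl config use-context cluster1-rd --kubeconfig=/tmp/cluster1.kubeconfig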
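# Point kubectl at both the existing config and the new per-cluster file so
# that `config view --merge` sees the two of them.
export KUBECONFIG=~/.kube/config:/tmp/cluster1.kubeconfig
# Merge the kubeconfig files into one self-contained file.
# --flatten writes tokens unredacted, so the output is created under umask 077
# (in a subshell, so the umask does not leak into the session). The existing
# config is only overwritten if the merge succeeded, which avoids replacing it
# with an empty or truncated file when kubectl fails.
(umask 077 && kubectl config view --merge --flatten > ~/.kube/config_new) &&
  cp ~/.kube/config_new ~/.kube/config &&
  chmod 600 ~/.kube/config
# NOTE(security): ~/.kube/config_new and /tmp/cluster1.kubeconfig still contain
# the token after the merge; remove them (and unset KUBECONFIG) once the merged
# ~/.kube/config has been verified.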
# List every context available in the merged kubeconfig.
kubectl config get-contexts
# Switch to another cluster's context; xxxx is a placeholder for a context
# name from the list above (for example the cluster1-rd context created
# earlier).
kubectl config use-context xxxx
其他集群重复此操作，这样就可以通过一台只读机，以切换集群上下文的方式访问各个 k8s 集群了。