Kubernetes: Authentication and Authorization
API server:
subject --> action --> object
Authentication: token, TLS, user/password
Accounts: UserAccount, ServiceAccount
Authorization: RBAC
role, rolebinding
clusterrole, clusterrolebinding
rolebinding, clusterrolebinding:
subject:
user
serviceaccount
role:
role, clusterrole
object:
resource group
resource
non-resource url
action: get, list, watch, patch, delete, deletecollection, ...
Dashboard:
1. Deploy
kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v1.8.3/src/deploy/recommended/kubernetes-dashboard.yaml
2. Change the Service to NodePort
kubectl patch svc kubernetes-dashboard -p '{"spec":{"type":"NodePort"}}' -n kube-system
3. Authentication
The account used to authenticate must be a ServiceAccount: the dashboard pod takes it and has kubernetes perform the authentication
token:
(1) Create a ServiceAccount and, according to what it is meant to manage, bind it to an appropriate role or clusterrole with a rolebinding or clusterrolebinding;
(2) Get this ServiceAccount's secret and look at the secret's details; the token is in there;
kubeconfig: wrap the ServiceAccount's token into a kubeconfig file
(1) Create a ServiceAccount and, according to what it is meant to manage, bind it to an appropriate role or clusterrole with a rolebinding or clusterrolebinding;
(2) kubectl get secret | awk '/^ServiceAccount/{print $1}'
KUBE_TOKEN=$(kubectl get secret SERVICEACCOUNT_SECRET_NAME -o jsonpath={.data.token} | base64 -d)
(3) Generate the kubeconfig file
kubectl config set-cluster --kubeconfig=/PATH/TO/SOMEFILE
kubectl config set-credentials NAME --token=$KUBE_TOKEN --kubeconfig=/PATH/TO/SOMEFILE
kubectl config set-context
kubectl config use-context
Ways of managing a kubernetes cluster:
1. Imperative commands: create, run, expose, delete, edit, ...
2. Imperative configuration files: create -f /PATH/TO/RESOURCE_CONFIGURATION_FILE, delete -f, replace -f
3. Declarative configuration files: apply -f, patch,
Installing the kubernetes dashboard
Official kubernetes dashboard site: https://github.com/kubernetes/dashboard
master:
After deploying dashboard 1.8.x, the pod was found to be in CrashLoopBackOff
The log showed the following error:
Failed to open dashboard.crt for writing: open /certs/dashboard.crt: read-only file system
Checking on github showed this was a version problem, so upgrading to 1.8.3 fixed it
[root@master ~]# kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v1.8.3/src/deploy/recommended/kubernetes-dashboard.yaml
[root@master ~]# kubectl get pods -n kube-system
NAME READY STATUS RESTARTS AGE
coredns-78fcdf6894-bt5g6 1/1 Running 1 29d
coredns-78fcdf6894-zzbll 1/1 Running 1 29d
etcd-master.smoke.com 1/1 Running 1 29d
kube-apiserver-master.smoke.com 1/1 Running 1 29d
kube-controller-manager-master.smoke.com 1/1 Running 1 29d
kube-flannel-ds-5hjb9 1/1 Running 1 28d
kube-flannel-ds-6l2ht 1/1 Running 2 28d
kube-flannel-ds-nspfq 1/1 Running 1 28d
kube-proxy-5jppm 1/1 Running 1 28d
kube-proxy-7lg96 1/1 Running 1 29d
kube-proxy-qmrq7 1/1 Running 1 28d
kube-scheduler-master.smoke.com 1/1 Running 1 29d
kubernetes-dashboard-6948bdb78-qbfgp 1/1 Running 0 11m
[root@master ~]# kubectl get svc -n kube-system
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kube-dns ClusterIP 10.96.0.10 <none> 53/UDP,53/TCP 29d
kubernetes-dashboard ClusterIP 10.109.208.130 <none> 443/TCP 20m
[root@master ~]# kubectl patch svc kubernetes-dashboard -p '{"spec":{"type":"NodePort"}}' -n kube-system
[root@master ~]# kubectl get svc -n kube-system
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kube-dns ClusterIP 10.96.0.10 <none> 53/UDP,53/TCP 29d
kubernetes-dashboard NodePort 10.109.208.130 <none> 443:30526/TCP 25m
Visit https://172.20.0.66:30526 in a browser

Copy .kube/config to the host; my host here is ubuntu
smoke@smoke-GS70-2PC-Stealth:~$ scp root@172.20.0.70:/root/.kube/config ./kubernetes-admin.conf
Choose Kubeconfig, load the config file, and click Sign in

Message: Not enough data to create auth info structure. By default this config file is fine, but we had modified this file

Token authentication
master:
[root@master ~]# kubectl delete -f https://raw.githubusercontent.com/kubernetes/dashboard/v1.8.3/src/deploy/recommended/kubernetes-dashboard.yaml
[root@master ~]# cd /etc/kubernetes/pki/
[root@master pki]# (umask 077; openssl genrsa -out dashboard.key 2048)
[root@master pki]# openssl req -new -key dashboard.key -out dashboard.csr -subj "/O=smoke/CN=dashboard"
[root@master pki]# openssl x509 -req -in dashboard.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out dashboard.crt -days 365
[root@master pki]# kubectl create secret generic dashboard-cert -n kube-system --from-file=dashboard.crt=dashboard.crt --from-file=dashboard.key=dashboard.key
[root@master pki]# kubectl get secret -n kube-system
NAME TYPE DATA AGE
attachdetach-controller-token-z88md kubernetes.io/service-account-token 3 30d
bootstrap-signer-token-z9nkq kubernetes.io/service-account-token 3 30d
certificate-controller-token-ns7kl kubernetes.io/service-account-token 3 30d
clusterrole-aggregation-controller-token-xsbvk kubernetes.io/service-account-token 3 30d
coredns-token-tk58f kubernetes.io/service-account-token 3 30d
cronjob-controller-token-dxszf kubernetes.io/service-account-token 3 30d
daemon-set-controller-token-cfbhj kubernetes.io/service-account-token 3 30d
dashboard-cert Opaque 2 1m # the certificate created above
default-token-rtt5p kubernetes.io/service-account-token 3 30d
deployment-controller-token-s82mz kubernetes.io/service-account-token 3 30d
disruption-controller-token-9xcg6 kubernetes.io/service-account-token 3 30d
endpoint-controller-token-gwmg4 kubernetes.io/service-account-token 3 30d
expand-controller-token-v6zgk kubernetes.io/service-account-token 3 30d
flannel-token-8vs5m kubernetes.io/service-account-token 3 29d
generic-garbage-collector-token-wd57c kubernetes.io/service-account-token 3 30d
horizontal-pod-autoscaler-token-qrwj2 kubernetes.io/service-account-token 3 30d
job-controller-token-q2m45 kubernetes.io/service-account-token 3 30d
kube-proxy-token-5t9qw kubernetes.io/service-account-token 3 30d
kubernetes-dashboard-key-holder Opaque 2 1d
namespace-controller-token-z7zxr kubernetes.io/service-account-token 3 30d
node-controller-token-446fp kubernetes.io/service-account-token 3 30d
persistent-volume-binder-token-4wz25 kubernetes.io/service-account-token 3 30d
pod-garbage-collector-token-hcs84 kubernetes.io/service-account-token 3 30d
pv-protection-controller-token-dfvzf kubernetes.io/service-account-token 3 30d
pvc-protection-controller-token-kmk8t kubernetes.io/service-account-token 3 30d
replicaset-controller-token-gqg6j kubernetes.io/service-account-token 3 30d
replication-controller-token-xf4cz kubernetes.io/service-account-token 3 30d
resourcequota-controller-token-lljf9 kubernetes.io/service-account-token 3 30d
service-account-controller-token-4h9wz kubernetes.io/service-account-token 3 30d
service-controller-token-kksfg kubernetes.io/service-account-token 3 30d
statefulset-controller-token-mzrc8 kubernetes.io/service-account-token 3 30d
token-cleaner-token-tckh8 kubernetes.io/service-account-token 3 30d
ttl-controller-token-rftw5 kubernetes.io/service-account-token 3 30d
[root@master pki]# kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v1.8.3/src/deploy/recommended/kubernetes-dashboard.yaml
[root@master pki]# kubectl create serviceaccount dashboard-admin -n kube-system
[root@master pki]# kubectl get sa -n kube-system
NAME SECRETS AGE
attachdetach-controller 1 30d
bootstrap-signer 1 30d
certificate-controller 1 30d
clusterrole-aggregation-controller 1 30d
coredns 1 30d
cronjob-controller 1 30d
daemon-set-controller 1 30d
dashboard-admin 1 22s # the serviceaccount created above
default 1 30d
deployment-controller 1 30d
disruption-controller 1 30d
endpoint-controller 1 30d
expand-controller 1 30d
flannel 1 29d
generic-garbage-collector 1 30d
horizontal-pod-autoscaler 1 30d
job-controller 1 30d
kube-proxy 1 30d
kubernetes-dashboard 1 1m
namespace-controller 1 30d
node-controller 1 30d
persistent-volume-binder 1 30d
pod-garbage-collector 1 30d
pv-protection-controller 1 30d
pvc-protection-controller 1 30d
replicaset-controller 1 30d
replication-controller 1 30d
resourcequota-controller 1 30d
service-account-controller 1 30d
service-controller 1 30d
statefulset-controller 1 30d
token-cleaner 1 30d
ttl-controller 1 30d
[root@master pki]# kubectl create clusterrolebinding dashboard-cluster-admin --clusterrole=cluster-admin --serviceaccount=kube-system:dashboard-admin
[root@master pki]# kubectl get secret -n kube-system
NAME TYPE DATA AGE
attachdetach-controller-token-z88md kubernetes.io/service-account-token 3 30d
bootstrap-signer-token-z9nkq kubernetes.io/service-account-token 3 30d
certificate-controller-token-ns7kl kubernetes.io/service-account-token 3 30d
clusterrole-aggregation-controller-token-xsbvk kubernetes.io/service-account-token 3 30d
coredns-token-tk58f kubernetes.io/service-account-token 3 30d
cronjob-controller-token-dxszf kubernetes.io/service-account-token 3 30d
daemon-set-controller-token-cfbhj kubernetes.io/service-account-token 3 30d
dashboard-admin-token-j8r4n kubernetes.io/service-account-token 3 6m
dashboard-cert Opaque 2 20m
default-token-rtt5p kubernetes.io/service-account-token 3 30d
deployment-controller-token-s82mz kubernetes.io/service-account-token 3 30d
disruption-controller-token-9xcg6 kubernetes.io/service-account-token 3 30d
endpoint-controller-token-gwmg4 kubernetes.io/service-account-token 3 30d
expand-controller-token-v6zgk kubernetes.io/service-account-token 3 30d
flannel-token-8vs5m kubernetes.io/service-account-token 3 29d
generic-garbage-collector-token-wd57c kubernetes.io/service-account-token 3 30d
horizontal-pod-autoscaler-token-qrwj2 kubernetes.io/service-account-token 3 30d
job-controller-token-q2m45 kubernetes.io/service-account-token 3 30d
kube-proxy-token-5t9qw kubernetes.io/service-account-token 3 30d
kubernetes-dashboard-certs Opaque 0 7m
kubernetes-dashboard-key-holder Opaque 2 1d
kubernetes-dashboard-token-ct2sg kubernetes.io/service-account-token 3 7m
namespace-controller-token-z7zxr kubernetes.io/service-account-token 3 30d
node-controller-token-446fp kubernetes.io/service-account-token 3 30d
persistent-volume-binder-token-4wz25 kubernetes.io/service-account-token 3 30d
pod-garbage-collector-token-hcs84 kubernetes.io/service-account-token 3 30d
pv-protection-controller-token-dfvzf kubernetes.io/service-account-token 3 30d
pvc-protection-controller-token-kmk8t kubernetes.io/service-account-token 3 30d
replicaset-controller-token-gqg6j kubernetes.io/service-account-token 3 30d
replication-controller-token-xf4cz kubernetes.io/service-account-token 3 30d
resourcequota-controller-token-lljf9 kubernetes.io/service-account-token 3 30d
service-account-controller-token-4h9wz kubernetes.io/service-account-token 3 30d
service-controller-token-kksfg kubernetes.io/service-account-token 3 30d
statefulset-controller-token-mzrc8 kubernetes.io/service-account-token 3 30d
token-cleaner-token-tckh8 kubernetes.io/service-account-token 3 30d
ttl-controller-token-rftw5 kubernetes.io/service-account-token 3 30d
[root@master pki]# kubectl describe secret dashboard-admin-token-j8r4n -n kube-system
Name: dashboard-admin-token-j8r4n
Namespace: kube-system
Labels: <none>
Annotations: kubernetes.io/service-account.name=dashboard-admin
kubernetes.io/service-account.uid=24a13811-c766-11ea-bd2b-000c29e18a5b
Type: kubernetes.io/service-account-token
Data
====
ca.crt: 1025 bytes
namespace: 11 bytes
token: <service-account JWT omitted>
[root@master pki]# kubectl get svc -n kube-system
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kube-dns ClusterIP 10.96.0.10 <none> 53/UDP,53/TCP 30d
kubernetes-dashboard ClusterIP 10.96.159.129 <none> 443/TCP 14m
[root@master pki]# kubectl patch svc kubernetes-dashboard -p '{"spec":{"type":"NodePort"}}' -n kube-system
[root@master pki]# kubectl get svc -n kube-system
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kube-dns ClusterIP 10.96.0.10 <none> 53/UDP,53/TCP 30d
kubernetes-dashboard NodePort 10.96.159.129 <none> 443:31762/TCP 18m
Visit https://172.20.0.66:31762 in a browser and log in with the token found in dashboard-admin-token-j8r4n

Login succeeded

Configuring kubeconfig authentication
master:
[root@master pki]# kubectl create serviceaccount def-ns-admin -n default
[root@master pki]# kubectl create rolebinding def-ns-admin --clusterrole=admin --serviceaccount=default:def-ns-admin
[root@master pki]# kubectl get secret
NAME TYPE DATA AGE
admin-token-zz4lt kubernetes.io/service-account-token 3 9d
def-ns-admin-token-qlbc4 kubernetes.io/service-account-token 3 6m
default-token-jrx89 kubernetes.io/service-account-token 3 30d
mysql-root-password Opaque 1 15d
tomcat-ingress-secret kubernetes.io/tls 2 23d
[root@master pki]# kubectl describe secret def-ns-admin-token-qlbc4
Name: def-ns-admin-token-qlbc4
Namespace: default
Labels: <none>
Annotations: kubernetes.io/service-account.name=def-ns-admin
kubernetes.io/service-account.uid=4487a19c-c76a-11ea-bd2b-000c29e18a5b
Type: kubernetes.io/service-account-token
Data
====
ca.crt: 1025 bytes
namespace: 7 bytes
token: <service-account JWT omitted>
Visit https://172.20.0.66:31762 in a browser and log in with the token found in def-ns-admin-token-qlbc4

Login succeeded; only the default namespace can be managed

master:
[root@master pki]# kubectl config set-cluster kuberneetes --certificate-authority=ca.crt --server="https://172.20.0.70:6443" --embed-certs=true --kubeconfig=/root/def-ns-admin.conf
[root@master pki]# kubectl config view --kubeconfig=/root/def-ns-admin.conf
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: REDACTED
server: https://172.20.0.70:6443
name: kuberneetes
contexts: []
current-context: ""
kind: Config
preferences: {}
users: []
[root@master pki]# kubectl config set-credentials --help
[root@master pki]# kubectl get secret
NAME TYPE DATA AGE
admin-token-zz4lt kubernetes.io/service-account-token 3 9d
def-ns-admin-token-qlbc4 kubernetes.io/service-account-token 3 23h
default-token-jrx89 kubernetes.io/service-account-token 3 31d
mysql-root-password Opaque 1 16d
tomcat-ingress-secret kubernetes.io/tls 2 24d
[root@master pki]# kubectl describe secret def-ns-admin-token-qlbc4
Name: def-ns-admin-token-qlbc4
Namespace: default
Labels: <none>
Annotations: kubernetes.io/service-account.name=def-ns-admin
kubernetes.io/service-account.uid=4487a19c-c76a-11ea-bd2b-000c29e18a5b
Type: kubernetes.io/service-account-token
Data
====
namespace: 7 bytes
token: <service-account JWT omitted>
ca.crt: 1025 bytes
[root@master pki]# kubectl get secret def-ns-admin-token-qlbc4 -o json
{
"apiVersion": "v1",
"data": {
"ca.crt": "<base64-encoded CA certificate omitted>",
"namespace": "ZGVmYXVsdA==",
"token": "<base64-encoded service-account JWT omitted>"
},
"kind": "Secret",
"metadata": {
"annotations": {
"kubernetes.io/service-account.name": "def-ns-admin",
"kubernetes.io/service-account.uid": "4487a19c-c76a-11ea-bd2b-000c29e18a5b"
},
"creationTimestamp": "2020-07-16T13:43:01Z",
"name": "def-ns-admin-token-qlbc4",
"namespace": "default",
"resourceVersion": "283676",
"selfLink": "/api/v1/namespaces/default/secrets/def-ns-admin-token-qlbc4",
"uid": "448975ae-c76a-11ea-bd2b-000c29e18a5b"
},
"type": "kubernetes.io/service-account-token"
}
[root@master pki]# kubectl get secret def-ns-admin-token-qlbc4 -o jsonpath={.data.token}
<base64-encoded token omitted>[root@master pki]#
[root@master pki]# kubectl get secret def-ns-admin-token-qlbc4 -o jsonpath={.data.token} | base64 -d
<decoded service-account JWT omitted>[root@master pki]#
[root@master pki]# DEF_NS_ADMIN_TOKEN=$(kubectl get secret def-ns-admin-token-qlbc4 -o jsonpath={.data.token} | base64 -d)
[root@master pki]# kubectl config set-credentials def-ns-admin --token=$DEF_NS_ADMIN_TOKEN --kubeconfig=/root/def-ns-admin.conf
[root@master pki]# kubectl config view --kubeconfig=/root/def-ns-admin.conf
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: REDACTED
server: https://172.20.0.70:6443
name: kuberneetes
contexts: []
current-context: ""
kind: Config
preferences: {}
users:
- name: def-ns-admin
user:
token: <service-account JWT omitted>
[root@master pki]# kubectl config set-context def-ns-admin@kubernetes --cluster=kubernetes --user=def-ns-admin --kubeconfig=/root/def-ns-admin.conf
[root@master pki]# kubectl config view --kubeconfig /root/def-ns-admin.conf
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: REDACTED
server: https://172.20.0.70:6443
name: kuberneetes
contexts:
- context:
cluster: kubernetes
user: def-ns-admin
name: def-ns-admin@kubernetes
current-context: ""
kind: Config
preferences: {}
users:
- name: def-ns-admin
user:
token: <service-account JWT omitted>
[root@master pki]# kubectl config use-context def-ns-admin@kubernetes --kubeconfig=/root/def-ns-admin.conf
[root@master pki]# kubectl config view --kubeconfig=/root/def-ns-admin.conf
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: REDACTED
server: https://172.20.0.70:6443
name: kuberneetes
contexts:
- context:
cluster: kubernetes
user: def-ns-admin
name: def-ns-admin@kubernetes
current-context: def-ns-admin@kubernetes
kind: Config
preferences: {}
users:
- name: def-ns-admin
user:
token: <service-account JWT omitted>
Copy the kubeconfig to the host; my host here is ubuntu
smoke@smoke-GS70-2PC-Stealth:~$ scp root@172.20.0.70:/root/def-ns-admin.conf ./
Choose Kubeconfig, load the config file, and click Sign in

Login succeeded; only the default namespace can be managed

master:
[root@master pki]# kubectl get secret
NAME TYPE DATA AGE
admin-token-zz4lt kubernetes.io/service-account-token 3 10d
def-ns-admin-token-qlbc4 kubernetes.io/service-account-token 3 1d
default-token-jrx89 kubernetes.io/service-account-token 3 31d
mysql-root-password Opaque 1 16d
tomcat-ingress-secret kubernetes.io/tls 2 24d
[root@master pki]# kubectl get secret | awk '/^def-ns-admin/{print $1}'
def-ns-admin-token-qlbc4
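The token and kubeconfig procedures above (the outline under Dashboard and the def-ns-admin session), as an added Python example that is not part of the original post: it locates a ServiceAccount's token secret by its annotation instead of the awk name-prefix match, decodes data.token and the JWT claims without verifying the signature, and builds and validates a kubeconfig with the same shape as the `kubectl config view` output. The sample secrets, the default-token uid and the JWT signature are constructed; the validator flags the session's own slip, where set-cluster named the cluster kuberneetes while set-context referenced kubernetes (the dashboard login only consumes the token, but kubectl would refuse that context).

```python
import base64
import json

def make_sample_sa_token(namespace, sa_name, secret_name, uid):
    # Constructed, unsigned JWT carrying the claims of a legacy SA token.
    prefix = "kubernetes.io/serviceaccount/"
    payload = {"iss": "kubernetes/serviceaccount",
               prefix + "namespace": namespace, prefix + "secret.name": secret_name,
               prefix + "service-account.name": sa_name, prefix + "service-account.uid": uid,
               "sub": f"system:serviceaccount:{namespace}:{sa_name}"}
    header = {"alg": "RS256", "kid": ""}
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc(header), enc(payload), "not-a-real-signature"])

def sample_secret(namespace, sa_name, secret_name, uid):
    # Constructed stand-in for one item of `kubectl get secret -o json` (data is base64).
    token = make_sample_sa_token(namespace, sa_name, secret_name, uid)
    return {"metadata": {"name": secret_name, "namespace": namespace,
                         "annotations": {"kubernetes.io/service-account.name": sa_name}},
            "type": "kubernetes.io/service-account-token",
            "data": {"token": base64.b64encode(token.encode()).decode()}}

SAMPLE_SECRETS = [  # constructed; the def-ns-admin uid is the one shown in the session
    sample_secret("default", "default", "default-token-jrx89", "uid-placeholder"),
    sample_secret("default", "def-ns-admin", "def-ns-admin-token-qlbc4",
                  "4487a19c-c76a-11ea-bd2b-000c29e18a5b"),
]

def find_sa_secret(secrets, sa_name):
    # Select by annotation rather than name prefix: awk '/^def-ns-admin/'
    # would also match any other secret whose name starts the same way.
    for s in secrets:
        ann = s.get("metadata", {}).get("annotations", {})
        if (s.get("type") == "kubernetes.io/service-account-token"
                and ann.get("kubernetes.io/service-account.name") == sa_name):
            return s
    return None

def secret_token(secret):
    # Same as `-o jsonpath={.data.token} | base64 -d`.
    return base64.b64decode(secret["data"]["token"]).decode()

def jwt_claims(token):
    # Payload only, no signature check; restore the '=' padding JWT segments drop.
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def token_findings(claims):
    # Checks worth making before handing a token to the dashboard.
    findings = []
    if claims.get("iss") != "kubernetes/serviceaccount":
        findings.append("issuer is not kubernetes/serviceaccount")
    if "exp" not in claims:
        findings.append("no exp claim: legacy secret-based token never expires")
    return findings

def build_kubeconfig(cluster, server, ca_b64, user, token, context_cluster=None):
    # Shape of `kubectl config view` after set-cluster, set-credentials,
    # set-context and use-context; context_cluster reproduces a mistyped name.
    context_cluster = context_cluster or cluster
    context = f"{user}@{context_cluster}"
    return {"apiVersion": "v1", "kind": "Config", "preferences": {},
            "clusters": [{"name": cluster, "cluster": {"server": server,
                                                       "certificate-authority-data": ca_b64}}],
            "users": [{"name": user, "user": {"token": token}}],
            "contexts": [{"name": context, "context": {"cluster": context_cluster, "user": user}}],
            "current-context": context}

def validate_kubeconfig(cfg):
    # Flag dangling references, e.g. a context naming a cluster that
    # set-cluster registered under a different (mistyped) name.
    clusters = {c["name"] for c in cfg.get("clusters", [])}
    users = {u["name"] for u in cfg.get("users", [])}
    problems = []
    for ctx in cfg.get("contexts", []):
        ref = ctx["context"]
        if ref.get("cluster") not in clusters:
            problems.append(f"context {ctx['name']}: unknown cluster {ref.get('cluster')!r}")
        if ref.get("user") not in users:
            problems.append(f"context {ctx['name']}: unknown user {ref.get('user')!r}")
    return problems
```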