k8s使用token访问集群apiserver

创建k8s用户

创建名为admin-user的ServiceAccount,namespace为admin,并通过ClusterRoleBinding绑定到cluster-admin(集群最高权限)

# ServiceAccount whose token is used further down to authenticate to the API server.
# The manifest does not create the "admin" namespace, so it has to exist before
# this file is applied.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin-user
  namespace: admin
---
# Cluster-wide binding of that ServiceAccount to the built-in cluster-admin ClusterRole.
# NOTE(review): cluster-admin allows every verb on every resource in every
# namespace, so whoever holds this account's token controls the whole cluster.
# If the token is only meant to read a few resources (the later example lists
# pods in one namespace), bind a narrower Role/ClusterRole instead.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: admin-user
  namespace: admin

保存到user.yaml,然后kubectl apply -f user.yaml

获取secret

kubectl describe sa admin-user -n admin
Name:                admin-user
Namespace:           admin
Labels:              <none>
Annotations:         <none>
Image pull secrets:  <none>
Mountable secrets:   admin-user-token-7gxwm
Tokens:              admin-user-token-7gxwm
Events:              <none>

获取token

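# Print the ServiceAccount token held in a token Secret. Values under .data are
# base64-encoded, hence the trailing base64 -d.
# Generic form; the expansions are quoted so an empty or unusual value cannot
# shift the remaining arguments:
kubectl get secret -n "${Namespace}" "${TokenName}" -o "jsonpath={.data.token}" | base64 -d
# Concrete invocation for the account created above.
# The value printed is a bearer credential for a cluster-admin account and, being
# a Secret-based token, it does not expire on its own; keep it out of logs,
# tickets and published notes.
# On Kubernetes 1.24 and later this Secret is not created automatically;
# "kubectl create token admin-user -n admin" issues a time-limited token instead.
kubectl get secret -n admin admin-user-token-7gxwm -o "jsonpath={.data.token}" | base64 -d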
eyJhbGciOiJSUzI1NiIsImtpZCI6InRjMEs2b2tyVUFjdHZuazNTS1VrM0s3LWFHMlVjek5NTUJnVUVSTTVHQnMifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJhZG1pbiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJhZG1pbi11c2VyLXRva2VuLTdneHdtIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6ImFkbWluLXVzZXIiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiI2NmJiMWY2Yi1kYzFhLTQ2MTYtODNlOC1hZjc3NmFkYWE5YTgiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6YWRtaW46YWRtaW4tdXNlciJ9.mbzHv_4POj4Y3htCism85elxCpL3NRmsCPFWqMORWTXj7LalOQld87XUkka7AN7EEuh1q1QUTq13GJut1n3zrMXFpHEIgMtYbgth4RnyHkFiOq4JETSo7Xfm3ReUBaOPMYT_vGeEuD7MtX6teSu025eeO3Fdt0p3kT7auyOmSF7fJyEYc8yJTPc4HadXjhgcnujN9RellfULw857UVgTDrsq9G6vM-0st2etx6iH0Cdo9H7vRNwosaIJWiUW1l3ry5q1hSu9eJXmRbw4Qsf-JL78FzxpksQQvAkTZMs-ELLpxRMWTvVe2lKbxd0MnPuEwf0Eil1wp01gh7619iYXFw

使用token访问本地k8s的apiserver

设置token

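# Load the token from the Secret at run time rather than pasting the literal
# value: a pasted token stays in shell history and in every copy of these notes.
# A token that has already been written down anywhere shared should be treated
# as disclosed; deleting its Secret invalidates it.
TOKEN=$(kubectl get secret -n admin admin-user-token-7gxwm -o "jsonpath={.data.token}" | base64 -d)
export TOKEN
# -k and --insecure are the same curl option, so it is given only once. It turns
# off certificate verification, which means curl cannot confirm it is talking to
# this cluster's API server before it sends the bearer token. Tolerable for a
# loopback test like this one; for any other address pass the cluster CA with
# --cacert instead.
curl -k -H "Authorization: Bearer ${TOKEN}" https://127.0.0.1:6443/api/v1/namespaces/robocloud/pods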

获取ca

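# Print the cluster CA certificate stored next to the token in the same Secret.
# Unlike the token commands, nothing decodes the output here: what is printed is
# still base64. Append "| base64 -d" to get the PEM file that curl --cacert
# expects; the undecoded form is what a kubeconfig's certificate-authority-data
# field takes.
# Generic form (expansions quoted):
kubectl get secrets -n "${Namespace}" "${TokenName}"  -o "jsonpath={.data['ca\.crt']}"
# Concrete invocation for the account created above:
kubectl get secrets -n admin admin-user-token-7gxwm  -o "jsonpath={.data['ca\.crt']}"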