k8s使用token访问集群apiserver
创建k8s用户
用户admin-user,namespace为admin
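# ServiceAccount whose token is used later on this page to authenticate to
# the API server. The "admin" namespace must already exist when this manifest
# is applied; the manifest does not create it.
apiVersion: v1
kind: ServiceAccount
metadata:
  # Nested under metadata: the flattened listing would leave metadata empty.
  name: admin-user
  namespace: admin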
---
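# Grants the admin/admin-user ServiceAccount the built-in cluster-admin
# ClusterRole across the whole cluster. Anyone holding that account's token
# gets unrestricted access to every resource in every namespace, so outside
# a local test cluster bind a narrower Role/ClusterRole (or use a namespaced
# RoleBinding) that covers only what the token is needed for.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  # Must match the ServiceAccount's name and namespace exactly.
  - kind: ServiceAccount
    name: admin-user
    namespace: admin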
保存到user.yaml,然后执行 kubectl apply -f user.yaml
获取secret名称(见输出中的 Tokens 一行)
# Look up the name of the token Secret attached to the ServiceAccount
# (listed under "Tokens" in the output).
# On Kubernetes v1.24 and later no token Secret is auto-generated, so
# "Tokens" shows <none>; `kubectl create token admin-user -n admin` issues a
# short-lived token there instead.
kubectl -n admin describe serviceaccount admin-user
Name: admin-user
Namespace: admin
Labels: <none>
Annotations: <none>
Image pull secrets: <none>
Mountable secrets: admin-user-token-7gxwm
Tokens: admin-user-token-7gxwm
Events: <none>
获取token
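# Read the token from the Secret. Values under .data are stored
# base64-encoded, hence the decode step. Set Namespace and TokenName first;
# the expansions are quoted so an empty or unusual value cannot shift the
# remaining arguments.
kubectl -n "${Namespace}" get secret "${TokenName}" -o jsonpath='{.data.token}' | base64 -d
# Same command with this walkthrough's values filled in.
# The decoded JWT is a bearer credential with no expiry claim: whoever holds
# it acts as admin-user (cluster-admin here) until the Secret or the
# ServiceAccount is deleted, so keep it out of shell history, logs and
# shared pages.
kubectl -n admin get secret admin-user-token-7gxwm -o jsonpath='{.data.token}' | base64 -d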
eyJhbGciOiJSUzI1NiIsImtpZCI6InRjMEs2b2tyVUFjdHZuazNTS1VrM0s3LWFHMlVjek5NTUJnVUVSTTVHQnMifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJhZG1pbiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJhZG1pbi11c2VyLXRva2VuLTdneHdtIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6ImFkbWluLXVzZXIiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiI2NmJiMWY2Yi1kYzFhLTQ2MTYtODNlOC1hZjc3NmFkYWE5YTgiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6YWRtaW46YWRtaW4tdXNlciJ9.mbzHv_4POj4Y3htCism85elxCpL3NRmsCPFWqMORWTXj7LalOQld87XUkka7AN7EEuh1q1QUTq13GJut1n3zrMXFpHEIgMtYbgth4RnyHkFiOq4JETSo7Xfm3ReUBaOPMYT_vGeEuD7MtX6teSu025eeO3Fdt0p3kT7auyOmSF7fJyEYc8yJTPc4HadXjhgcnujN9RellfULw857UVgTDrsq9G6vM-0st2etx6iH0Cdo9H7vRNwosaIJWiUW1l3ry5q1hSu9eJXmRbw4Qsf-JL78FzxpksQQvAkTZMs-ELLpxRMWTvVe2lKbxd0MnPuEwf0Eil1wp01gh7619iYXFw
使用token访问本地k8s的apiserver
设置token
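# Load the token straight from the Secret instead of pasting the literal
# value, which would leave a cluster-admin credential in shell history.
# Not exported: curl receives it through shell expansion, so child processes
# do not need it in their environment.
TOKEN="$(kubectl -n admin get secret admin-user-token-7gxwm -o jsonpath='{.data.token}' | base64 -d)"
# -k (long form --insecure; the original passed both) skips verification of
# the API server's certificate, so the bearer token could be sent to an
# impostor endpoint. Once the cluster CA has been saved to a file, replace -k
# with --cacert <ca-file>, provided the server certificate lists the address
# being used.
curl -k -H "Authorization: Bearer ${TOKEN}" https://127.0.0.1:6443/api/v1/namespaces/robocloud/pods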
获取ca
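# Read the cluster CA certificate stored in the same Secret as the token.
# The value is printed as stored in .data, i.e. still base64-encoded; pipe it
# through `base64 -d` to obtain the PEM form that curl --cacert expects.
# Set Namespace and TokenName first; the expansions are quoted so an empty
# or unusual value cannot shift the remaining arguments.
kubectl -n "${Namespace}" get secrets "${TokenName}" -o "jsonpath={.data['ca\.crt']}"
# Same command with this walkthrough's values filled in.
kubectl -n admin get secrets admin-user-token-7gxwm -o "jsonpath={.data['ca\.crt']}"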