How to create a token for calling the Kubernetes API


Overview

This post records the steps for creating a Kubernetes token through a ServiceAccount and granting it permissions through RBAC.

Kubernetes version: 1.20.4


RBAC involves a large number of permissions and resources. If you are unsure which permissions a resource supports, you can run kubectl get --raw / | python -m json.tool to browse the API and see which permissions can be set on which resources.


Steps (creating a Role)

  1. Create the ServiceAccount
# kubectl create serviceaccount jobs-user -n test

This creates a ServiceAccount named jobs-user in the test namespace.

After the ServiceAccount is created, a Secret whose name is prefixed with the ServiceAccount name is created automatically by default:

# kubectl get secret -n test | grep jobs-user
jobs-user-token-hfkp8                             kubernetes.io/service-account-token   3      172m

The token that is actually used is stored in this Secret:

# kubectl get secret -n test jobs-user-token-hfkp8 -o yaml | grep " token:" | awk '{print $2}'
ZXlKaGJHY2lPaUpTVXpJMU5pSXNJbXRwxxsaDS

Note: the token stored in the Secret is base64 encoded and must be decoded before use: echo $TOKEN | base64 --decode

  2. Create the Role
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: test
  name: jobs-user
rules:
- apiGroups: ["batch"]
  resources: ["jobs"]
  verbs: ["list","update","patch","create","delete","watch","get"]

This creates a Role named jobs-user in the test namespace that grants the listed verbs on the listed resources and API groups; apply it to the cluster. apiGroups: [""] denotes the core API group.

Creating a ClusterRole instead is slightly different (example):

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  # "namespace" is ignored because ClusterRoles are not namespaced
  # name sets the role name
  name: eff-user-role
rules:
- apiGroups: [""]
  resources: ["pods","services","nodes","namespaces"]
  verbs: ["get", "watch", "list"]
- apiGroups: ["apps"]   # the API group name only, without the version ("apps/v1" would match nothing)
  resources: ["replicasets"]
  verbs: ["get", "watch", "list"]

  3. Create the RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: jobs-user
  namespace: test
subjects:
# You can list more than one subject
- kind: ServiceAccount
  name: jobs-user
  namespace: test   # for a RoleBinding this defaults to the binding's namespace when omitted
roleRef:
  # "roleRef" specifies the Role or ClusterRole being bound
  kind: Role        # this must be Role or ClusterRole
  name: jobs-user  # this must match the name of the Role or ClusterRole you are binding to
  apiGroup: rbac.authorization.k8s.io

This creates a RoleBinding named jobs-user in the test namespace.

Creating a ClusterRoleBinding instead is slightly different (example):

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: eff-user-clusterrolebinding
subjects:
- kind: ServiceAccount
  name: eff-user      # 'name' is case sensitive
  namespace: test     # required here: a ServiceAccount subject without a namespace never matches in a ClusterRoleBinding
roleRef:
  kind: ClusterRole
  name: eff-user-role
  apiGroup: rbac.authorization.k8s.io

  4. After completing the steps above, use curl to test whether the token can access the Kubernetes API

Use the decoded token from step 1 (held in $TOKEN below) and note that the path uses the plural "namespaces". -k disables verification of the apiserver certificate; verifying it against the cluster CA (for example with --cacert) is the safer option.

TOKEN=$(kubectl get secret -n test jobs-user-token-hfkp8 -o jsonpath='{.data.token}' | base64 --decode)
curl -k -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" https://{APISERVER}:6443/apis/batch/v1/namespaces/test/jobs
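As an added example (not code from the original post), the following POSIX shell script packages steps 1 and 4: it pulls the token and the CA certificate out of the service-account Secret, decodes them, reads the token's JWT subject to confirm it really is system:serviceaccount:test:jobs-user, checks what the Role grants with kubectl auth can-i, and calls the API with the server certificate verified instead of -k. It assumes the names from this post (namespace test, ServiceAccount jobs-user), an APISERVER environment variable holding the apiserver host, and a kubectl context allowed to impersonate; the helper functions are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes namespace "test" and ServiceAccount
# "jobs-user" (both from the post) and $APISERVER set to the apiserver host (assumption).

# Decode one base64 field as printed by "kubectl get secret ... -o jsonpath" (token or ca.crt).
decode_field() { printf '%s' "$1" | base64 --decode; }

# Print the JWT payload of a service-account token without verifying the signature.
# JWT payloads are unpadded base64url, so restore "+", "/" and "=" before decoding.
jwt_payload() {
  p=$(printf '%s' "$1" | cut -d. -f2 | sed 'y|-_|+/|')
  case $(( ${#p} % 4 )) in 2) p="$p==" ;; 3) p="$p=" ;; esac
  printf '%s' "$p" | base64 --decode
}

# Extract the "sub" claim, e.g. system:serviceaccount:test:jobs-user (no jq needed).
jwt_sub() { jwt_payload "$1" | sed -n 's/.*"sub": *"\([^"]*\)".*/\1/p'; }

# Build the API path for Jobs in a namespace; note the plural "namespaces" in the path.
jobs_path() { printf '/apis/batch/v1/namespaces/%s/jobs' "$1"; }

# Live part: only runs when invoked as "./check.sh run", so the helpers can be tested offline.
if [ "${1:-}" = "run" ]; then
  NS=test; SA=jobs-user
  SECRET=$(kubectl -n "$NS" get sa "$SA" -o jsonpath='{.secrets[0].name}')
  TOKEN=$(decode_field "$(kubectl -n "$NS" get secret "$SECRET" -o jsonpath='{.data.token}')")
  # The same Secret carries the cluster CA, so the apiserver certificate can be verified.
  decode_field "$(kubectl -n "$NS" get secret "$SECRET" -o jsonpath='{.data.ca\.crt}')" > ca.crt
  echo "token subject: $(jwt_sub "$TOKEN")"   # expect system:serviceaccount:test:jobs-user
  # Least-privilege check: "yes" for jobs, "no" for anything the Role does not grant.
  kubectl auth can-i list jobs -n "$NS" --as="system:serviceaccount:$NS:$SA"
  kubectl auth can-i get secrets -n "$NS" --as="system:serviceaccount:$NS:$SA"
  # Same request as the curl test in step 4, with TLS verification instead of -k.
  curl --cacert ca.crt -H "Authorization: Bearer $TOKEN" "https://$APISERVER:6443$(jobs_path "$NS")"
fi
```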

Full example (newer Kubernetes versions no longer create a Secret automatically when a ServiceAccount is created, so the token Secret is declared explicitly here):

apiVersion: v1
kind: ServiceAccount
metadata:
  name: eff-coredns-configmap-user
  namespace: gray
---
apiVersion: v1
kind: Secret
type: kubernetes.io/service-account-token
metadata:
  name: eff-coredns-configmap-user-secret
  namespace: gray
  annotations:
    kubernetes.io/service-account.name: eff-coredns-configmap-user
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: taqu:coredns-configmap-manager
rules:
- apiGroups: [""]
  resources: ["services", "namespaces"]
  verbs: ["get", "watch", "list"]
- apiGroups: [""]
  resources: ["configmaps"]
  resourceNames: ["coredns"]
  verbs: ["get", "update", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: taqu:coredns-configmap-manager
subjects:
- kind: ServiceAccount
  name: eff-coredns-configmap-user      # 'name' is case sensitive
  namespace: gray
roleRef:
  kind: ClusterRole
  name: taqu:coredns-configmap-manager
  apiGroup: rbac.authorization.k8s.io

Related documentation

kubernetes-api

kubernetes.io (look up Kubernetes resource GVKs, i.e. group/version/kind, here)

rbac