K8S: Creating a persistent token for a ServiceAccount

Creating a persistent token for a ServiceAccount

  1. List the current ServiceAccounts.

    [root@base-k8s-master-1 prometheus]# kubectl get serviceaccount -n kube-monitor
    NAME         SECRETS   AGE
    default      0         5d22h
    prometheus   0         5d22h
  2. Write a Secret manifest file.

    apiVersion: v1
    kind: Secret
    metadata:
     name: prometheus-token
     namespace: kube-monitor
     annotations:
       kubernetes.io/service-account.name: prometheus
    type: kubernetes.io/service-account-token
  3. Create the Secret.

    [root@base-k8s-master-1 prometheus]# kubectl apply -f prometheus-sa-token.yml
    secret/prometheus-token created
  4. Inspect the Secret.

    [root@base-k8s-master-1 prometheus]# kubectl describe secrets -n kube-monitor prometheus-token
    Name:         prometheus-token
    Namespace:    kube-monitor
    Labels:       
    Annotations:  kubernetes.io/service-account.name: prometheus
                 kubernetes.io/service-account.uid: 70383bfd-ba9f-40bf-b663-ba3e03ea733a
    
    Type:  kubernetes.io/service-account-token
    
    Data
    ====
    ca.crt:     1107 bytes
    namespace:  12 bytes
    token:      eyJhbGciOiJSUzI1NiIsImtpZCI6IjFidmZsd25DSy0tQzhENkJWSkFNc29qZ2tBVEU0NURfeVJTS0xLbGowZUEifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLW1vbml0b3IiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlY3JldC5uYW1lIjoicHJvbWV0aGV1cy10b2tlbiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJwcm9tZXRoZXVzIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiNzAzODNiZmQtYmE5Zi00MGJmLWI2NjMtYmEzZTAzZWE3MzNhIiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50Omt1YmUtbW9uaXRvcjpwcm9tZXRoZXVzIn0.x5aO-wzsLLJPTmvf18A993RDaUFbcP5YxFefTdyHCq_l7MWtXWP14p3dCtA4e32TE3kimuBpCyPDp4pfR_pqjMUYRzzA3hkWBvGjRs7MxpzTy7p4fNM4VUOhbvswqCmCYE1HjiG2dIKp-GLiC_qIypeXVrkuC8i6AfcmKaEHlp0AOSJlsMYgo5Lh3uoSh0oSv6VkvRQlWZWl008QqbQaZMsfD-HBV7jh_N3-y2dWYVG8ZQxSAMlMflqJp8nyr4y96w1pdIi8xZhTwYB5CMdXQqqGcCgBmahwLHbDcaC9OTP2F996lDvN8DLb3W1PNQPf1e8hIoUUJxrH0gFPOwUTVg

The persistent token for the ServiceAccount has now been created. The token field on the last line of the output holds the ServiceAccount's persistent token.

Checking that the token works

The prometheus ServiceAccount already has a ClusterRoleBinding configured:

    [root@base-k8s-master-1 prometheus]# kubectl get clusterrolebindings.rbac.authorization.k8s.io -n kube-monitor prometheus
    NAME         ROLE                        AGE
    prometheus   ClusterRole/cluster-admin   5d22h
    [root@base-k8s-master-1 prometheus]# kubectl describe clusterrolebindings.rbac.authorization.k8s.io -n kube-monitor prometheus
    Name:         prometheus
    Labels:       <none>
    Annotations:  <none>
    Role:
      Kind:  ClusterRole
      Name:  cluster-admin
    Subjects:
      Kind            Name        Namespace
      ----            ----        ---------
      ServiceAccount  prometheus  kube-monitor

The cluster-admin ClusterRole has been bound to the prometheus ServiceAccount, so prometheus has cluster administrator privileges.

Use curl with the token retrieved above to query the API server.

    [root@base-k8s-master-1 prometheus]# curl -s -k -H "Authorization: Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6IjFidmZsd25DSy0tQzhENkJWSkFNc29qZ2tBVEU0NURfeVJTS0xLbGowZUEifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLW1vbml0b3IiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlY3JldC5uYW1lIjoicHJvbWV0aGV1cy10b2tlbiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJwcm9tZXRoZXVzIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiNzAzODNiZmQtYmE5Zi00MGJmLWI2NjMtYmEzZTAzZWE3MzNhIiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50Omt1YmUtbW9uaXRvcjpwcm9tZXRoZXVzIn0.x5aO-wzsLLJPTmvf18A993RDaUFbcP5YxFefTdyHCq_l7MWtXWP14p3dCtA4e32TE3kimuBpCyPDp4pfR_pqjMUYRzzA3hkWBvGjRs7MxpzTy7p4fNM4VUOhbvswqCmCYE1HjiG2dIKp-GLiC_qIypeXVrkuC8i6AfcmKaEHlp0AOSJlsMYgo5Lh3uoSh0oSv6VkvRQlWZWl008QqbQaZMsfD-HBV7jh_N3-y2dWYVG8ZQxSAMlMflqJp8nyr4y96w1pdIi8xZhTwYB5CMdXQqqGcCgBmahwLHbDcaC9OTP2F996lDvN8DLb3W1PNQPf1e8hIoUUJxrH0gFPOwUTVg" https://192.168.50.131:6443/api/v1/namespaces/kube-monitor/pods/ | jq .items[].metadata.name
    "prometheus-59948b665b-h8x9t"

As you can see, the query works normally.
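The `token` value shown in step 4 is a JWT, so its claims can be read offline to audit what kind of credential it is. As an added example (not part of the original post), this Python script decodes the payload and reports whether a ServiceAccount token carries an `exp` claim; the two sample tokens are constructed with a placeholder signature, and the names `inspect_sa_token`, `LEGACY` and `BOUND` are assumptions of this example.

```python
import base64
import json
import time

def _b64url_json(segment):
    """Decode one base64url JWT segment (padding restored) into a dict."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def inspect_sa_token(token, now=None):
    """Classify a ServiceAccount JWT by its claims (signature NOT verified)."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    claims = _b64url_json(parts[1])
    now = time.time() if now is None else now
    exp = claims.get("exp")
    legacy = claims.get("iss") == "kubernetes/serviceaccount"
    return {
        "subject": claims.get("sub"),
        "kind": "legacy-secret" if legacy else "bound",
        "secret": claims.get("kubernetes.io/serviceaccount/secret.name"),
        "non_expiring": exp is None,
        "seconds_left": None if exp is None else int(exp - now),
    }

def _make_token(claims):
    """Build a constructed sample token with a placeholder signature."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256'})}.{enc(claims)}.c2lnbmF0dXJl"

# Constructed sample: same claim layout as the Secret-based token in step 4.
LEGACY = _make_token({
    "iss": "kubernetes/serviceaccount",
    "kubernetes.io/serviceaccount/namespace": "kube-monitor",
    "kubernetes.io/serviceaccount/secret.name": "prometheus-token",
    "kubernetes.io/serviceaccount/service-account.name": "prometheus",
    "sub": "system:serviceaccount:kube-monitor:prometheus",
})
# Constructed sample: claim layout of a time-bound (TokenRequest) token.
BOUND = _make_token({
    "iss": "https://kubernetes.default.svc.cluster.local",
    "aud": ["https://kubernetes.default.svc.cluster.local"],
    "exp": 1700003600, "iat": 1700000000,
    "sub": "system:serviceaccount:kube-monitor:prometheus",
})

if __name__ == "__main__":
    print(inspect_sa_token(LEGACY), inspect_sa_token(BOUND, now=1700000000))
```

The Secret-based layout is reported as `non_expiring`, which is the property that makes the token on this page persistent; the result is for inventory only, since the signature is not checked.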

https://www.linuxstudynotes.com/2025/01/30/k8s/k8s-%e4%b8%ba-serviceaccount-%e5%88%9b%e5%bb%ba%e6%8c%81%e4%b9%85-token/