How to generate a token for a k8s admin user
Author: 村长在路上
On Kubernetes 1.28, create an admin namespace and deploy it, grant the jenkins user cluster-wide permissions through a ClusterRoleBinding, generate and retrieve its token, and finally check whether the token exists and is in effect.
Generating a token for a k8s admin user
k8s version: 1.28
Create a namespace named admin

- admin-namespce.yaml

kind: Namespace
apiVersion: v1
metadata:
  name: admin
  labels:
    name: admin

Deploy it into k8s: kubectl apply -f admin-namespce.yaml
List the k8s namespaces
kubectl get namespace
Check the tokens currently in effect
Create a jenkins user. The binding type is ClusterRoleBinding, which grants the permissions across the whole cluster; the ServiceAccount lives in the kube-system namespace. Note that the binding's roleRef points at a ClusterRole named cluster-jenkins that is not defined in this post: it must already exist in the cluster (a binding to a missing role is accepted but grants nothing until the role appears), and because the binding is cluster-wide, that ClusterRole should contain only the rules Jenkins actually needs.
- role-jenkins.yaml

kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: jenkins
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
roleRef:
  kind: ClusterRole
  name: cluster-jenkins
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
  name: jenkins
  namespace: kube-system
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: jenkins
  namespace: kube-system
  labels:
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile
---
apiVersion: v1
kind: Secret
metadata:
  name: jenkins
  namespace: kube-system
  annotations:
    kubernetes.io/service-account.name: "jenkins"
type: kubernetes.io/service-account-token

The last section of the file generates the token for the user: a Secret of type kubernetes.io/service-account-token annotated with the ServiceAccount name is filled in by the control plane with a token. Since Kubernetes 1.24 such Secrets are no longer created automatically for a ServiceAccount, which is why it is declared explicitly here. The token it receives has no expiry and stays valid until the Secret is deleted, so restrict who can read Secrets in kube-system and prefer kubectl create token for a short-lived credential wherever a permanent one is not required.
Deploy the user: the username is jenkins and it is authorised for the whole cluster
kubectl apply -f role-jenkins.yaml
Get the token values (Secrets) that currently exist in the cluster

[root@k-master token]# kubectl -n kube-system get secrets
NAME                     TYPE                                  DATA   AGE
bootstrap-token-qsesda   bootstrap.kubernetes.io/token         5      45h
jenkins                  kubernetes.io/service-account-token   3      24h
Get the details of the jenkins user's token value
kubectl -n kube-system describe secrets jenkins
Get the jenkins user's token
kubectl -n kube-system get secrets jenkins -o go-template --template '{{index .data "token"}}' | base64 --decode

Check whether the jenkins user has a token in k8s
# kubectl describe sa jenkins -n kube-system
Name:                jenkins
Namespace:           kube-system
Labels:              addonmanager.kubernetes.io/mode=Reconcile
                     kubernetes.io/cluster-service=true
Annotations:         <none>
Image pull secrets:  <none>
Mountable secrets:   <none>
Tokens:              jenkins
Events:              <none>

Summary
The above is my personal experience; I hope it gives everyone a useful reference, and I hope you will keep supporting 脚本之家.
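The token retrieved above is a JWT, so its claims can be read without talking to the cluster. The script below is an added example and not code from the original post: it reads the sub claim to confirm the token belongs to system:serviceaccount:kube-system:jenkins and reports whether an exp claim is present, which is how a Secret-minted token (never expires) can be told apart from a bound token from kubectl create token. The sample tokens, placeholder signatures and helper names are constructed for this demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: read a service-account JWT offline.

# Decode segment N (1=header, 2=payload) of a JWT: base64url -> base64 + padding.
jwt_segment() {
  seg=$(printf '%s' "$1" | cut -d. -f"$2" | tr '_-' '/+')
  case $(( ${#seg} % 4 )) in
    2) seg="${seg}==" ;;
    3) seg="${seg}=" ;;
  esac
  printf '%s' "$seg" | base64 -d
}

# Extract one string-valued top-level claim from the payload (no jq needed).
jwt_claim() {
  jwt_segment "$1" 2 | sed -n "s|.*\"$2\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*|\1|p"
}

# Secret-minted tokens (as in this post) carry no "exp" claim and never expire;
# bound tokens from `kubectl create token` always do.
jwt_has_exp() {
  jwt_segment "$1" 2 | grep -q '"exp"[[:space:]]*:'
}

# Summarise as <namespace>/<serviceaccount> <expiring|non-expiring>.
# Both token kinds put system:serviceaccount:<ns>:<name> in the "sub" claim.
token_report() {
  sub=$(jwt_claim "$1" sub)
  case $sub in
    system:serviceaccount:*) ;;
    *) printf 'not a service-account token (sub=%s)\n' "$sub"; return 1 ;;
  esac
  ns=$(printf '%s' "$sub" | cut -d: -f3)
  sa=$(printf '%s' "$sub" | cut -d: -f4)
  if jwt_has_exp "$1"; then kind=expiring; else kind=non-expiring; fi
  printf '%s/%s %s\n' "$ns" "$sa" "$kind"
}

# Constructed sample tokens with the claims the jenkins account would carry. The
# signature is a placeholder: this script reads claims, it does not verify them.
b64url() { base64 | tr -d '=\n' | tr '/+' '_-'; }
HDR=$(printf '%s' '{"alg":"RS256","kid":"placeholder"}' | b64url)
LEGACY='{"iss":"kubernetes/serviceaccount","kubernetes.io/serviceaccount/namespace":"kube-system","kubernetes.io/serviceaccount/secret.name":"jenkins","kubernetes.io/serviceaccount/service-account.name":"jenkins","sub":"system:serviceaccount:kube-system:jenkins"}'
BOUND='{"aud":["https://kubernetes.default.svc"],"exp":1700003600,"iss":"https://kubernetes.default.svc","sub":"system:serviceaccount:kube-system:jenkins"}'
SAMPLE_LEGACY_TOKEN="$HDR.$(printf '%s' "$LEGACY" | b64url).placeholdersig"
SAMPLE_BOUND_TOKEN="$HDR.$(printf '%s' "$BOUND" | b64url).placeholdersig"
# Real token: TOKEN=$(kubectl -n kube-system get secret jenkins -o go-template \
#   --template '{{index .data "token"}}' | base64 -d); token_report "$TOKEN"
token_report "$SAMPLE_LEGACY_TOKEN"   # kube-system/jenkins non-expiring
token_report "$SAMPLE_BOUND_TOKEN"    # kube-system/jenkins expiring
```

A non-expiring result on a token that was meant to be temporary is the signal to delete the Secret and switch Jenkins to a bound token.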
