Generating a token for a k8s admin user
k8s version 1.28
Create a namespace named admin
admin-namespce.yaml
kind: Namespace
apiVersion: v1
metadata:
  name: admin
  labels:
    name: admin
Deploy it to k8s
kubectl apply -f admin-namespce.yaml
List the k8s namespaces
kubectl get namespace
View the currently active token
Create a jenkins user. The binding kind is ClusterRoleBinding, which grants permissions across the whole cluster; the namespace is kube-system
role-jenkins.yaml
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: jenkins
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
roleRef:
  kind: ClusterRole
  name: cluster-jenkins
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
  name: jenkins
  namespace: kube-system
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: jenkins
  namespace: kube-system
  labels:
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile
---
apiVersion: v1
kind: Secret
metadata:
  name: jenkins
  namespace: kube-system
  annotations:
    kubernetes.io/service-account.name: "jenkins"
type: kubernetes.io/service-account-token
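The last line of the file (type: kubernetes.io/service-account-token) makes Kubernetes generate a token for the user
Deploy the user; the user name is jenkins and it is authorized for the whole cluster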
kubectl apply -f role-jenkins.yaml
List the token secrets that currently exist in the cluster
[root@k-master token]# kubectl -n kube-system get secrets
NAME                     TYPE                                  DATA   AGE
bootstrap-token-qsesda   bootstrap.kubernetes.io/token         5      45h
jenkins                  kubernetes.io/service-account-token   3      24h
Show the details of the jenkins user's token
kubectl -n kube-system describe secrets jenkins
Get the jenkins user's token
kubectl -n kube-system get secrets jenkins -o go-template --template '{{index .data "token"}}' | base64 --decode
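The decoded value is a JWT, so its claims can be checked offline before it is handed to Jenkins. The script below is an added example, not part of the original page: the function names are hypothetical and the sample token is constructed with a dummy signature. It shows that a token issued through a kubernetes.io/service-account-token Secret carries no exp claim, so it stays valid until the Secret or ServiceAccount is deleted.

```shell
#!/bin/sh
# Added example: inspect the claims of a service-account token offline.

# base64url-encode stdin (used only to build the constructed sample token).
b64url_encode() { base64 | tr -d '=\n' | tr '/+' '_-'; }

# Print the decoded JSON payload (second dot-separated segment) of a JWT.
jwt_payload() {
  _seg=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  # JWT segments drop base64 padding; restore it before decoding.
  while [ $(( ${#_seg} % 4 )) -ne 0 ]; do _seg="${_seg}="; done
  printf '%s' "$_seg" | base64 --decode
}

# Succeed only if the token carries an "exp" (expiry) claim.
jwt_has_exp() { jwt_payload "$1" | grep -q '"exp"[[:space:]]*:'; }

# Print the "sub" claim: the identity the API server authenticates.
jwt_subject() {
  jwt_payload "$1" |
    sed -n 's/.*"sub"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Constructed sample shaped like a Secret-based token for the jenkins
# ServiceAccount; header and signature are placeholders, not real values.
SAMPLE_PAYLOAD='{"iss":"kubernetes/serviceaccount","kubernetes.io/serviceaccount/namespace":"kube-system","kubernetes.io/serviceaccount/secret.name":"jenkins","sub":"system:serviceaccount:kube-system:jenkins"}'
SAMPLE_TOKEN="$(printf '%s' '{"alg":"RS256"}' | b64url_encode).$(printf '%s' "$SAMPLE_PAYLOAD" | b64url_encode).dummy-signature"

jwt_payload "$SAMPLE_TOKEN"; echo
echo "subject: $(jwt_subject "$SAMPLE_TOKEN")"
if jwt_has_exp "$SAMPLE_TOKEN"; then
  echo "token has an expiry"
else
  echo "no exp claim: token does not expire on its own"
fi
```

For a real token, pass the output of the kubectl command above as the argument instead of SAMPLE_TOKEN.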
Check whether the jenkins user has a token in k8s
# kubectl describe sa jenkins -n kube-system
Name:                jenkins
Namespace:           kube-system
Labels:              addonmanager.kubernetes.io/mode=Reconcile
                     kubernetes.io/cluster-service=true
Annotations:         <none>
Image pull secrets:  <none>
Mountable secrets:   <none>
Tokens:              jenkins
Events:              <none>