网站报价表格,网站怎么做内容,常州地区网页制作公司,南京华夏商务网做网站怎么样需求 创建一个基于sa的token的kubeconfig文件#xff0c;并用这个文件来访问集群。
具体创建sa 和sa的token请参考文章: 【k8s】给ServiceAccount 创建关联的 Secrets-CSDN博客
创建sa apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:namespace: jtkjdevnam…需求 创建一个基于sa的token的kubeconfig文件并用这个文件来访问集群。
具体创建sa 和sa的token请参考文章: 【k8s】给ServiceAccount 创建关联的 Secrets-CSDN博客
创建sa apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:namespace: jtkjdevname: gitcicd-role
rules:
- apiGroups: [apps]resources: [deployments]verbs: [delete,get,create]
- apiGroups: []resources: [services]verbs: [delete,create,get,list]---
apiVersion: v1
kind: ServiceAccount
metadata:namespace: jtkjdevname: gitcicd-sa---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:namespace: jtkjdevname: gitcicd-role-sa-binding
subjects:
- kind: ServiceAccountname: gitcicd-sanamespace: jtkjdev
roleRef:kind: Rolename: gitcicd-roleapiGroup: rbac.authorization.k8s.io---
apiVersion: v1
kind: Secret
type: kubernetes.io/service-account-token
metadata:namespace: jtkjdevname: gitcicd-sa-secretannotations:kubernetes.io/service-account.name: gitcicd-sa
kubeconfig文件结构
apiVersion: v1
clusters:
- cluster:certificate-authority-data: 【k8s集群中的顶级根证书ca.crt】server: https://xxx.xxx.218.119:6443name: mytest 【这个名称自己随便定义一般定义k8s集群的名称方便管理】contexts: 【context 是用来把上下文和下面的user关联起来】
- context:cluster: mytest user: gitcicd-saname: gitcicd-samytest current-context: gitcicd-samytest 【给kubeconfig文件中会有个上下文通过current-context来指定当前用哪个】kind: Config
preferences: {}
users: 【配置关联的用户,如自己创建的sa】
- name: gitcicd-sa1user: [这种方式是使用证书的验证客户的方式]client-certificate-data: 【这个客户端证书是由k8s集群中的顶级根证书签名过的】client-key-data: 【客户端私钥可以自己用openssl 工具生成】- name: gitcicd-sauser:token: $TOKEN 【这个token是sa类型用户gitcicd-sa中的secret中的token可以通过kubectl describe secrets gitcicd-sa-secret -n jtkjdev获取】创建过程
1、kubeconfig文件中的 cluster部分
kubectl config --kubeconfigconfig-demo set-cluster development --serverhttps://xx.xx.218.119:6443 --embed-certs --certificate-authorityca.crt【可以把k8s集群中的顶级根证书拷贝到当前命令执行目录】 这个指令会在/root/.kube/ 目录生成一个: config-demo 文件。内容如下:
apiVersion: v1
clusters:
- cluster:certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURCVENDQWUyZ0F3SUJBZ0lJTXRFODhEUUV2NUF3RFFZSktvWklodmNOQVFFTEJRQXdGVEVUTUJFR0ExVUUKQXhNS2EzVmlaWEp1WlhSbGN6QWVGdzB5TkRFeE1UTXhOVE0yTXpWYUZ3MHpOREV4TVRFeE5UUXhNelZhTUJVeApFekFSQmdOVkJBTVRDbXQxWW1WeWJtVjBaWE13Z2dFaU1BMEdDU3FHU0liM0RRRUJBUVVBQTRJQkR3QXdnZ0VLCkFvSUJBUUMrRUpXemNadkF4a1lxWHZ0Q05POFRUcFluNjkzMTR1aUUySzNzV3BoR25ySjlOdUNVeEVuaHRmdW8KN09xQWt6MkZGbzNWSFRpYnB1ekFZVUxsL3VwV0F2RE12NnI2WHpFT0JLaHlCU09ZR3ZjSlpKNXJpcFVrSjNVcgpZZzlFMW1QaDNDc0o2Mmx0b3NLbW8vZ1BrUDZITXlSSWdMMFpQY2VzTFVBbHE3Y0FURTBMRXI0azdaYitaeTZxCjNnVDU5eHR1RTE4dkZOVUpBNE90cjJHRVpLajJ6OXFqRUR1clB5L0tHcmF6NWRqQWx6dTJFSy8zU3RxTXRhRnYKRkw1dkxFQmlydmNlR0w1RDVGc0Z5dkhsOEIvWUljTUU4cnUwV2ZRbEhZMjJIdVR0Q0VGSTRtd3Fpek1CcXd2TwptVGdSSDlmTmxaMWZaS20yWWY0bkR3SlJBOWhMQWdNQkFBR2pXVEJYTUE0R0ExVWREd0VCL3dRRUF3SUNwREFQCkJnTlZIUk1CQWY4RUJUQURBUUgvTUIwR0ExVWREZ1FXQkJRU3FxMzBlSERJbklFWGpSTnlOb3JDSFpxT3JqQVYKQmdOVkhSRUVEakFNZ2dwcmRXSmxjbTVsZEdWek1BMEdDU3FHU0liM0RRRUJDd1VBQTRJQkFRQmk1bi9GYUFmaApMTGttNjFtSjBZSlNEN3RTSzUxc2JKcldGc3JvSWwzeEMzZFhnVW16dTFONkh6MGVMQkQ4aUo4ZnlNcllPQ2xkClgyR2Z6ell5azQza3J5OVlicnhDMnZOSU5GdWJjUDdtKzRUWC9ycHFzdmJXRVJTY21MM2o5SmJWaDFBVHZyR2kKVzlOWVM2WGlEay9JRlhYVkthZ091TituT0xvS1FHM1ZwZGdncTdZYnN5V0JDZXZZR1h0VVE0cWNqeDIwUjVxSwo3em1ZdEtCUlVJQTRLdkRlWm1ZeThmUWxmWkNVa2JKY0hxZ0ZiVE5uVU1Bd3ZoWnorOVBIZ2lHSm5rUHQzYXBkCk55bjduQ05MWGs5dEZ3Tzl5VHQyN3BGTy9xTGhqcnFGakVkampqTkd1bFNxcjY4SzFUeGs4cGR4R1hWWHhpcE0KL2hiMkszZm41dHE0Ci0tLS0tRU5EIENFUlRJRxxxxx11111server: https://.30.xx8.xx9:6443name: developmentcontexts:
- context:cluster: user: name: current-context: nullkind: Config
preferences: {}
users:
- name: gitcicd-sa1user: token: null2、获取gitcicd-sa的token kubectl describe secrets gitcicd-sa-secret -n jtkjdev
[rootiZ2vc6igbukkxw6rbl64ljZ .kube]# kubectl describe secrets gitcicd-sa-secret -n jtkjdevName: gitcicd-sa-secret
Namespace: jtkjdev
Labels: kubernetes.io/legacy-token-last-used2024-12-03
Annotations: kubernetes.io/service-account.name: gitcicd-sakubernetes.io/service-account.uid: 1c19d7e6-18c7-488b-8187-5fef65d9dc99Type: kubernetes.io/service-account-tokenDataca.crt: 1107 bytes
namespace: 7 bytes
token: 11111111111111111111111WxhQnpKczJEQ0V4WXdmbFVMNk9UaVA0aVlEb042XzQifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJqdGtqZGV2Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImdpdGNpY2Qtc2Etc2VjcmV0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6ImdpdGNpY2Qtc2EiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiIxYzE5ZDdlNi0xOGM3LTQ4OGItODE4Ny01ZmVmNjVkOWRjOTkiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6anRramRldjpnaXRjaWNkLXNhIn0.l5MAZPAc6w6aGmDIk_1_WqIspjwGhCLjjw1YoI9yebaow_3q1P6eSqjYIKD1_hYX_l4tn03DnUcJrNr8R9KPnfSJbcfuOuZVq9K7mm8j46tAPiVIzgVkKf4e6PxPw9IRmFuD2lQaJH8n9jVscL8Cw4y1j0KxPcK_po-Bpvpy0JRR5Pc7hYlnBIqSElqqcqM5LtSWK6adwQ4bdxwu7bMlmSYp5nFencvCLKnRKX-UVOf_S-SFabbv0Zn8wkx6NTJ0uxfqkSePtY2vLAkCgyivhjWhSKqlok1anj5kzSa-ol-6IPQI4WSEAx-jkfiqjIyN11111111111111
3、把获取的token添加到config-demo文件
apiVersion: v1
clusters:
- cluster:certificate-authority-data: LccccccRVJUSUZJQ0FURS0tLS0tCk1JSURCVENDQWUyZ0F3SUJBZ0lJTXRFODhEUUV2NUF3RFFZSktvWklodmNOQVFFTEJRQXdGVEVUTUJFR0ExVUUKQXhNS2EzVmlaWEp1WlhSbGN6QWVGdzB5TkRFeE1UTXhOVE0yTXpWYUZ3MHpOREV4TVRFeE5UUXhNelZhTUJVeApFekFSQmdOVkJBTVRDbXQxWW1WeWJtVjBaWE13Z2dFaU1BMEdDU3FHU0liM0RRRUJBUVVBQTRJQkR3QXdnZ0VLCkFvSUJBUUMrRUpXemNadkF4a1lxWHZ0Q05POFRUcFluNjkzMTR1aUUySzNzV3BoR25ySjlOdUNVeEVuaHRmdW8KN09xQWt6MkZGbzNWSFRpYnB1ekFZVUxsL3VwV0F2RE12NnI2WHpFT0JLaHlCU09ZR3ZjSlpKNXJpcFVrSjNVcgpZZzlFMW1QaDNDc0o2Mmx0b3NLbW8vZ1BrUDZITXlSSWdMMFpQY2VzTFVBbHE3Y0FURTBMRXI0azdaYitaeTZxCjNnVDU5eHR1RTE4dkZOVUpBNE90cjJHRVpLajJ6OXFqRUR1clB5L0tHcmF6NWRqQWx6dTJFSy8zU3RxTXRhRnYKRkw1dkxFQmlydmNlR0w1RDVGc0Z5dkhsOEIvWUljTUU4cnUwV2ZRbEhZMjJIdVR0Q0VGSTRtd3Fpek1CcXd2TwptVGdSSDlmTmxaMWZaS20yWWY0bkR3SlJBOWhMQWdNQkFBR2pXVEJYTUE0R0ExVWREd0VCL3dRRUF3SUNwREFQCkJnTlZIUk1CQWY4RUJUQURBUUgvTUIwR0ExVWREZ1FXQkJRU3FxMzBlSERJbklFWGpSTnlOb3JDSFpxT3JqQVYKQmdOVkhSRUVEakFNZ2dwcmRXSmxjbTVsZEdWek1BMEdDU3FHU0liM0RRRUJDd1VBQTRJQkFRQmk1bi9GYUFmaApMTGttNjFtSjBZSlNEN3RTSzUxc2JKcldGc3JvSWwzeEMzZFhnVW16dTFONkh6MGVMQkQ4aUo4ZnlNcllPQ2xkClgyR2Z6ell5azQza3J5OVlicnhDMnZOSU5GdWJjUDdtKzRUWC9ycHFzdmJXRVJTY21MM2o5SmJWaDFBVHZyR2kKVzlOWVM2WGlEay9JRlhYVkthZ091TituT0xvS1FHM1ZwZGdncTdZYnN5V0JDZXZZR1h0VVE0cWNqeDIwUjVxSwo3em1ZdEtCUlVJQTRLdkRlWm1ZeThmUWxmWkNVa2JKY0hxZ0ZiVE5uVU1Bd3ZoWnorOVBIZ2lHSm5rUHQzYXBkCk55bjduQ05MWGs5xxxxxxxxxxxxxxxserver: https://1cccc.cccc.218.119:6443name: developmentcontexts:
- context:cluster: developmentuser: gitcicd-saname: gitcicd-sadevelopmentcurrent-context: gitcicd-sadevelopmentkind: Config
preferences: {}
users:
- name: gitcicd-sauser: token: cccccc4eERERG9WNWxhQnpKczJEQ0V4WXdmbFVMNk9UaVA0aVlEb042XzQifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJqdGtqZGV2Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImdpdGNpY2Qtc2Etc2VjcmV0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6ImdpdGNpY2Qtc2EiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiIxYzE5ZDdlNi0xOGM3LTQ4OGItODE4Ny01ZmVmNjVkOWRjOTkiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6anRramRldjpnaXRjaWNkLXNhIn0.l5MAZPAc6w6aGmDIk_1_WqIspjwGhCLjjw1YoI9yebaow_3q1P6eSqjYIKD1_hYX_l4tn03DnUcJrNr8R9KPnfSJbcfuOuZVq9K7mm8j46tAccccccc同时添加context相关信息
4、然后使用 kubectl --kubeconfig config-demo get pods -n jtkjdev
[root]# kubectl --kubeconfig config-demo get pods -n jtkjdev
Error from server (Forbidden): pods is forbidden: User system:serviceaccount:jtkjdev:gitcicd-sa cannot list resource pods in API group in the namespace jtkjdev提示没有权限因为上面创建的gitcicd-ca用户是没有 获取pods权限的 kubectl --kubeconfig config-demo get svc -n jtkjdev
由于sa绑定的角色有 svc 的list权限所以可以查询 然后通过调整gitlabcicd-sa这个用户的角色内容就可以很好的控制它的权限
