curl Kubernetes с токеном serivceaccount, он всегда возвращает «Несанкционированный»

#kubernetes

#kubernetes

Вопрос:

Сообщество:

Я использовал kubeadm для настройки kubernetes.

Я использовал файл YAML для создания serviceaccount, роли и привязки ролей к serviceaccount.

Затем я сворачиваю модули в пространстве имен по умолчанию, kubernetes всегда возвращает «Неавторизованный»

Я не знаю, что именно я здесь ошибся.

Файл yaml выглядит следующим образом:

 kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: pzhang-test
  namespace: default
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-pods
  namespace: default
subjects:
- kind: ServiceAccount
  name:  pzhang-test
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
  

секреты и токен, как показано ниже:

 root@robota:~# kubectl get secrets
NAME                      TYPE                                  DATA   AGE
default-token-9kg87       kubernetes.io/service-account-token   3      2d6h
pzhang-test-token-wz9zj   kubernetes.io/service-account-token   3      29m
root@robota:~# kubectl get secrets pzhang-test-token-wz9zj -o yaml
apiVersion: v1
data:
  ca.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUN5RENDQWJDZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwcmRXSmwKY201bGRHVnpNQjRYRFRFNU1ETXlOekF6TkRjd04xb1hEVEk1TURNeU5EQXpORGN3TjFvd0ZURVRNQkVHQTFVRQpBeE1LYTNWaVpYSnVaWFJsY3pDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBTFpHCkUxajJaQnBrdzhsSmRRa2lDSlI1N1J6N0lXendudmtvNVlUK1BneXhqZm5NUjJXaWV3M3F0QWZEdi9oOWI3OUcKN1dTRFFCWG9qcmFkQjNSTTROVHhTNktCQlg1SlF6K2JvQkNhTG5hZmdQcERueHc3T082VjJLY1crS2k5ZHlOeApDQ1RTNTVBRWc3OTRkL3R1LzBvcDhLUjhhaDlMdS8zeVNRdk0zUzFsRW02c21YSmVqNVAzRGhDbUVDT1RnTHA1CkZQSStuWFNNTS83cWpYd0N4WjUyZFZSR3U0Y0NYZVRTWlBSM1R0UzhuU3luZ2ZiN1NVM1dYbFZvQVIxcXVPdnIKb2xqTmllbEFBR1lIaDNUMTJwT01HMUlOakRUNVVrdEM5TWJYeDZoRFc5ZkxwNTFkTEt4bnN5dUtsdkRXVDVOWQpwSDE5UTVvbDJRaVpnZzl0K2Y4Q0F3RUFBYU1qTUNFd0RnWURWUjBQQVFIL0JBUURBZ0trTUE4R0ExVWRFd0VCCi93UUZNQU1CQWY4d0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFHb2RnL0ozMUhRQkVOZVNrdEF4dS9WRU43NmQKZ1k2NG5aRTdDQTZJY2pXaEJBNmlpblh3S0E1Q0JuVEVxS05QVEdWTG5KWVd4WDlwVE9jZkhWTkROT3RDV0N4NApDN3JMWjZkRDJrUGs2UUVYSEg3MXJ4cUdKS21WbFJ0UytrOC9NdHAzNmxFVE5LTUc5VXI1RUNuWDg0dVZ5dUViCnRWWlRUcnZPQmNDSzAyQ2RSN3Q0V3pmb0FPSUFkZ1ZTd0xxVGVIdktRR1orM1JXOWFlU2ZwWnpsZDhrQlZZVzkKN1MvYXU1c3NIeHIwVG85ZStrYlhqNDl5azJjU2hKa1Y2M3JOTjN4SEZBeHdzUUVZYTNMZ1ZGWFlHYTJFWHdWdwpLbXRUZmhoQWE0Ujd5dW5SdkIrdndac3ZwbHc2RmhQQldHVTlpQnA3aU9vU0ZWVmNlMUltUks3VkRqbz0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
  namespace: ZGVmYXVsdA==
  token: ZXlKaGJHY2lPaUpTVXpJMU5pSXNJbXRwWkNJNklpSjkuZXlKcGMzTWlPaUpyZFdKbGNtNWxkR1Z6TDNObGNuWnBZMlZoWTJOdmRXNTBJaXdpYTNWaVpYSnVaWFJsY3k1cGJ5OXpaWEoyYVdObFlXTmpiM1Z1ZEM5dVlXMWxjM0JoWTJVaU9pSmtaV1poZFd4MElpd2lhM1ZpWlhKdVpYUmxjeTVwYnk5elpYSjJhV05sWVdOamIzVnVkQzl6WldOeVpYUXVibUZ0WlNJNkluQjZhR0Z1WnkxMFpYTjBMWFJ2YTJWdUxYZDZPWHBxSWl3aWEzVmlaWEp1WlhSbGN5NXBieTl6WlhKMmFXTmxZV05qYjNWdWRDOXpaWEoyYVdObExXRmpZMjkxYm5RdWJtRnRaU0k2SW5CNmFHRnVaeTEwWlhOMElpd2lhM1ZpWlhKdVpYUmxjeTVwYnk5elpYSjJhV05sWVdOamIzVnVkQzl6WlhKMmFXTmxMV0ZqWTI5MWJuUXVkV2xrSWpvaVlURTNPR1F3T1RrdE5USXdZaTB4TVdVNUxUa3lNMlF0TURBd1l6STVZbVJrTlRBMklpd2ljM1ZpSWpvaWMzbHpkR1Z0T25ObGNuWnBZMlZoWTJOdmRXNTBPbVJsWm1GMWJIUTZjSHBvWVc1bkxYUmxjM1FpZlEubnNlY1lPTjJkRUIwLVVSdXFJNm1tQVJlOHBSRGlES01STXJvRHc5SThIU24wNE9Qd0JvUzdhSDRsNjlSQ19SMDFNNUp0Rm9OcVFsWjlHOGJBNW81MmsxaVplMHZJZnEzNVkzdWNweF95RDlDT2prZ0xCU2k1MXgycUtURkE5eU15QURoaTFzN2ttT2d0VERDRVpmS1l3ME1vSjgtQUZPcXJkVndfZU15a2NGU3ZpYWVEQTRYNjFCNzhXYWpYcUttbXdfTUN1XzZVaG4wdklOa3pqbHBLaGs5anRlb0JvMFdGX0c3b1RzZXJVOTRuSGNCWkYwekRQcEpXTzlEVlc1a1B0Mm1Fem1NeWJoeVBfNTBvS0NKMTB4NGF4UzlIdXlwOTZ4SzV0NmNZZVNrQkx4bmVEb19wNzlyUlNXX1FLWFZCWm1UaWI1RHlZUHZxSGdSRFJiMG5B
kind: Secret
metadata:
  annotations:
    kubernetes.io/service-account.name: pzhang-test
    kubernetes.io/service-account.uid: a178d099-520b-11e9-923d-000c29bdd506
  creationTimestamp: "2019-03-29T10:15:51Z"
  name: pzhang-test-token-wz9zj
  namespace: default
  resourceVersion: "77488"
  selfLink: /api/v1/namespaces/default/secrets/pzhang-test-token-wz9zj
  uid: a179dae0-520b-11e9-923d-000c29bdd506
type: kubernetes.io/service-account-token


# the TOKEN is:
root@robota:~# echo $TOKEN
ZXlKaGJHY2lPaUpTVXpJMU5pSXNJbXRwWkNJNklpSjkuZXlKcGMzTWlPaUpyZFdKbGNtNWxkR1Z6TDNObGNuWnBZMlZoWTJOdmRXNTBJaXdpYTNWaVpYSnVaWFJsY3k1cGJ5OXpaWEoyYVdObFlXTmpiM1Z1ZEM5dVlXMWxjM0JoWTJVaU9pSmtaV1poZFd4MElpd2lhM1ZpWlhKdVpYUmxjeTVwYnk5elpYSjJhV05sWVdOamIzVnVkQzl6WldOeVpYUXVibUZ0WlNJNkluQjZhR0Z1WnkxMFpYTjBMWFJ2YTJWdUxYZDZPWHBxSWl3aWEzVmlaWEp1WlhSbGN5NXBieTl6WlhKMmFXTmxZV05qYjNWdWRDOXpaWEoyYVdObExXRmpZMjkxYm5RdWJtRnRaU0k2SW5CNmFHRnVaeTEwWlhOMElpd2lhM1ZpWlhKdVpYUmxjeTVwYnk5elpYSjJhV05sWVdOamIzVnVkQzl6WlhKMmFXTmxMV0ZqWTI5MWJuUXVkV2xrSWpvaVlURTNPR1F3T1RrdE5USXdZaTB4TVdVNUxUa3lNMlF0TURBd1l6STVZbVJrTlRBMklpd2ljM1ZpSWpvaWMzbHpkR1Z0T25ObGNuWnBZMlZoWTJOdmRXNTBPbVJsWm1GMWJIUTZjSHBvWVc1bkxYUmxjM1FpZlEubnNlY1lPTjJkRUIwLVVSdXFJNm1tQVJlOHBSRGlES01STXJvRHc5SThIU24wNE9Qd0JvUzdhSDRsNjlSQ19SMDFNNUp0Rm9OcVFsWjlHOGJBNW81MmsxaVplMHZJZnEzNVkzdWNweF95RDlDT2prZ0xCU2k1MXgycUtURkE5eU15QURoaTFzN2ttT2d0VERDRVpmS1l3ME1vSjgtQUZPcXJkVndfZU15a2NGU3ZpYWVEQTRYNjFCNzhXYWpYcUttbXdfTUN1XzZVaG4wdklOa3pqbHBLaGs5anRlb0JvMFdGX0c3b1RzZXJVOTRuSGNCWkYwekRQcEpXTzlEVlc1a1B0Mm1Fem1NeWJoeVBfNTBvS0NKMTB4NGF4UzlIdXlwOTZ4SzV0NmNZZVNrQkx4bmVEb19wNzlyUlNXX1FLWFZCWm1UaWI1RHlZUHZxSGdSRFJiMG5B
  

Я использую эту команду:

 root@robota:~# curl --cacert ./ca.crt  --header "Authorization: Bearer $TOKEN"  https://192.16.208.142:6443/api/v1/namespaces/default/pods
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {

  },
  "status": "Failure",
  "message": "Unauthorized",
  "reason": "Unauthorized",
  "code": 401
}
  

Как вы можете видеть, curl возвращает:

 {
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {

  },
  "status": "Failure",
  "message": "Unauthorized",
  "reason": "Unauthorized",
  "code": 401
}
  

Я ожидал, что результатом будет список модулей в моем default пространстве имен

 root@robota:~# kubectl get pods -n default
NAME                        READY   STATUS    RESTARTS   AGE
my-nginx-64fc468bd4-8fq6j   1/1     Running   0          2d6h
my-nginx-64fc468bd4-ffkhb   1/1     Running   0          2d6h
  

Ответ №1:

может быть, вы можете попробовать:

 TOKEN=$(kubectl get secret pzhang-test-token-wz9zj -o yaml | grep "token:" | awk '{print $2}' | base64 -d)
  
 kubectl get secret prometheus-k8s-token-x8t45 -o yaml | grep "ca.crt" | awk '{print $2}' | base64 -d > ca.crt
  
 curl -H "Authorization: Bearer $TOKEN" --cacert ca.crt https://192.16.208.142:6443/api/v1/namespaces/default/pods
  

Комментарии:

1. Спасибо, я понял, что не должен копировать токен напрямую из secret, я также пропускаю эту часть base64 -d .