#kubernetes
#kubernetes
Вопрос:
Сообщество:
Я использовал kubeadm для настройки kubernetes.
Я использовал файл YAML для создания serviceaccount, роли и привязки ролей к serviceaccount.
Затем я сворачиваю модули в пространстве имен по умолчанию, kubernetes всегда возвращает «Неавторизованный»
Я не знаю, что именно я здесь ошибся.
Файл yaml выглядит следующим образом:
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
namespace: default
name: pod-reader
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "watch", "list"]
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: pzhang-test
namespace: default
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: read-pods
namespace: default
subjects:
- kind: ServiceAccount
name: pzhang-test
roleRef:
kind: Role
name: pod-reader
apiGroup: rbac.authorization.k8s.io
секреты и токен, как показано ниже:
root@robota:~# kubectl get secrets
NAME TYPE DATA AGE
default-token-9kg87 kubernetes.io/service-account-token 3 2d6h
pzhang-test-token-wz9zj kubernetes.io/service-account-token 3 29m
root@robota:~# kubectl get secrets pzhang-test-token-wz9zj -o yaml
apiVersion: v1
data:
ca.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUN5RENDQWJDZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwcmRXSmwKY201bGRHVnpNQjRYRFRFNU1ETXlOekF6TkRjd04xb1hEVEk1TURNeU5EQXpORGN3TjFvd0ZURVRNQkVHQTFVRQpBeE1LYTNWaVpYSnVaWFJsY3pDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBTFpHCkUxajJaQnBrdzhsSmRRa2lDSlI1N1J6N0lXendudmtvNVlUK1BneXhqZm5NUjJXaWV3M3F0QWZEdi9oOWI3OUcKN1dTRFFCWG9qcmFkQjNSTTROVHhTNktCQlg1SlF6K2JvQkNhTG5hZmdQcERueHc3T082VjJLY1crS2k5ZHlOeApDQ1RTNTVBRWc3OTRkL3R1LzBvcDhLUjhhaDlMdS8zeVNRdk0zUzFsRW02c21YSmVqNVAzRGhDbUVDT1RnTHA1CkZQSStuWFNNTS83cWpYd0N4WjUyZFZSR3U0Y0NYZVRTWlBSM1R0UzhuU3luZ2ZiN1NVM1dYbFZvQVIxcXVPdnIKb2xqTmllbEFBR1lIaDNUMTJwT01HMUlOakRUNVVrdEM5TWJYeDZoRFc5ZkxwNTFkTEt4bnN5dUtsdkRXVDVOWQpwSDE5UTVvbDJRaVpnZzl0K2Y4Q0F3RUFBYU1qTUNFd0RnWURWUjBQQVFIL0JBUURBZ0trTUE4R0ExVWRFd0VCCi93UUZNQU1CQWY4d0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFHb2RnL0ozMUhRQkVOZVNrdEF4dS9WRU43NmQKZ1k2NG5aRTdDQTZJY2pXaEJBNmlpblh3S0E1Q0JuVEVxS05QVEdWTG5KWVd4WDlwVE9jZkhWTkROT3RDV0N4NApDN3JMWjZkRDJrUGs2UUVYSEg3MXJ4cUdKS21WbFJ0UytrOC9NdHAzNmxFVE5LTUc5VXI1RUNuWDg0dVZ5dUViCnRWWlRUcnZPQmNDSzAyQ2RSN3Q0V3pmb0FPSUFkZ1ZTd0xxVGVIdktRR1orM1JXOWFlU2ZwWnpsZDhrQlZZVzkKN1MvYXU1c3NIeHIwVG85ZStrYlhqNDl5azJjU2hKa1Y2M3JOTjN4SEZBeHdzUUVZYTNMZ1ZGWFlHYTJFWHdWdwpLbXRUZmhoQWE0Ujd5dW5SdkIrdndac3ZwbHc2RmhQQldHVTlpQnA3aU9vU0ZWVmNlMUltUks3VkRqbz0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
namespace: ZGVmYXVsdA==
token: ZXlKaGJHY2lPaUpTVXpJMU5pSXNJbXRwWkNJNklpSjkuZXlKcGMzTWlPaUpyZFdKbGNtNWxkR1Z6TDNObGNuWnBZMlZoWTJOdmRXNTBJaXdpYTNWaVpYSnVaWFJsY3k1cGJ5OXpaWEoyYVdObFlXTmpiM1Z1ZEM5dVlXMWxjM0JoWTJVaU9pSmtaV1poZFd4MElpd2lhM1ZpWlhKdVpYUmxjeTVwYnk5elpYSjJhV05sWVdOamIzVnVkQzl6WldOeVpYUXVibUZ0WlNJNkluQjZhR0Z1WnkxMFpYTjBMWFJ2YTJWdUxYZDZPWHBxSWl3aWEzVmlaWEp1WlhSbGN5NXBieTl6WlhKMmFXTmxZV05qYjNWdWRDOXpaWEoyYVdObExXRmpZMjkxYm5RdWJtRnRaU0k2SW5CNmFHRnVaeTEwWlhOMElpd2lhM1ZpWlhKdVpYUmxjeTVwYnk5elpYSjJhV05sWVdOamIzVnVkQzl6WlhKMmFXTmxMV0ZqWTI5MWJuUXVkV2xrSWpvaVlURTNPR1F3T1RrdE5USXdZaTB4TVdVNUxUa3lNMlF0TURBd1l6STVZbVJrTlRBMklpd2ljM1ZpSWpvaWMzbHpkR1Z0T25ObGNuWnBZMlZoWTJOdmRXNTBPbVJsWm1GMWJIUTZjSHBvWVc1bkxYUmxjM1FpZlEubnNlY1lPTjJkRUIwLVVSdXFJNm1tQVJlOHBSRGlES01STXJvRHc5SThIU24wNE9Qd0JvUzdhSDRsNjlSQ19SMDFNNUp0Rm9OcVFsWjlHOGJBNW81MmsxaVplMHZJZnEzNVkzdWNweF95RDlDT2prZ0xCU2k1MXgycUtURkE5eU15QURoaTFzN2ttT2d0VERDRVpmS1l3ME1vSjgtQUZPcXJkVndfZU15a2NGU3ZpYWVEQTRYNjFCNzhXYWpYcUttbXdfTUN1XzZVaG4wdklOa3pqbHBLaGs5anRlb0JvMFdGX0c3b1RzZXJVOTRuSGNCWkYwekRQcEpXTzlEVlc1a1B0Mm1Fem1NeWJoeVBfNTBvS0NKMTB4NGF4UzlIdXlwOTZ4SzV0NmNZZVNrQkx4bmVEb19wNzlyUlNXX1FLWFZCWm1UaWI1RHlZUHZxSGdSRFJiMG5B
kind: Secret
metadata:
annotations:
kubernetes.io/service-account.name: pzhang-test
kubernetes.io/service-account.uid: a178d099-520b-11e9-923d-000c29bdd506
creationTimestamp: "2019-03-29T10:15:51Z"
name: pzhang-test-token-wz9zj
namespace: default
resourceVersion: "77488"
selfLink: /api/v1/namespaces/default/secrets/pzhang-test-token-wz9zj
uid: a179dae0-520b-11e9-923d-000c29bdd506
type: kubernetes.io/service-account-token
# the TOKEN is:
root@robota:~# echo $TOKEN
ZXlKaGJHY2lPaUpTVXpJMU5pSXNJbXRwWkNJNklpSjkuZXlKcGMzTWlPaUpyZFdKbGNtNWxkR1Z6TDNObGNuWnBZMlZoWTJOdmRXNTBJaXdpYTNWaVpYSnVaWFJsY3k1cGJ5OXpaWEoyYVdObFlXTmpiM1Z1ZEM5dVlXMWxjM0JoWTJVaU9pSmtaV1poZFd4MElpd2lhM1ZpWlhKdVpYUmxjeTVwYnk5elpYSjJhV05sWVdOamIzVnVkQzl6WldOeVpYUXVibUZ0WlNJNkluQjZhR0Z1WnkxMFpYTjBMWFJ2YTJWdUxYZDZPWHBxSWl3aWEzVmlaWEp1WlhSbGN5NXBieTl6WlhKMmFXTmxZV05qYjNWdWRDOXpaWEoyYVdObExXRmpZMjkxYm5RdWJtRnRaU0k2SW5CNmFHRnVaeTEwWlhOMElpd2lhM1ZpWlhKdVpYUmxjeTVwYnk5elpYSjJhV05sWVdOamIzVnVkQzl6WlhKMmFXTmxMV0ZqWTI5MWJuUXVkV2xrSWpvaVlURTNPR1F3T1RrdE5USXdZaTB4TVdVNUxUa3lNMlF0TURBd1l6STVZbVJrTlRBMklpd2ljM1ZpSWpvaWMzbHpkR1Z0T25ObGNuWnBZMlZoWTJOdmRXNTBPbVJsWm1GMWJIUTZjSHBvWVc1bkxYUmxjM1FpZlEubnNlY1lPTjJkRUIwLVVSdXFJNm1tQVJlOHBSRGlES01STXJvRHc5SThIU24wNE9Qd0JvUzdhSDRsNjlSQ19SMDFNNUp0Rm9OcVFsWjlHOGJBNW81MmsxaVplMHZJZnEzNVkzdWNweF95RDlDT2prZ0xCU2k1MXgycUtURkE5eU15QURoaTFzN2ttT2d0VERDRVpmS1l3ME1vSjgtQUZPcXJkVndfZU15a2NGU3ZpYWVEQTRYNjFCNzhXYWpYcUttbXdfTUN1XzZVaG4wdklOa3pqbHBLaGs5anRlb0JvMFdGX0c3b1RzZXJVOTRuSGNCWkYwekRQcEpXTzlEVlc1a1B0Mm1Fem1NeWJoeVBfNTBvS0NKMTB4NGF4UzlIdXlwOTZ4SzV0NmNZZVNrQkx4bmVEb19wNzlyUlNXX1FLWFZCWm1UaWI1RHlZUHZxSGdSRFJiMG5B
Я использую эту команду:
root@robota:~# curl --cacert ./ca.crt --header "Authorization: Bearer $TOKEN" https://192.16.208.142:6443/api/v1/namespaces/default/pods
{
"kind": "Status",
"apiVersion": "v1",
"metadata": {
},
"status": "Failure",
"message": "Unauthorized",
"reason": "Unauthorized",
"code": 401
}
Как вы можете видеть, curl возвращает:
{
"kind": "Status",
"apiVersion": "v1",
"metadata": {
},
"status": "Failure",
"message": "Unauthorized",
"reason": "Unauthorized",
"code": 401
}
Я ожидал, что результатом будет список модулей в моем default
пространстве имен
root@robota:~# kubectl get pods -n default
NAME READY STATUS RESTARTS AGE
my-nginx-64fc468bd4-8fq6j 1/1 Running 0 2d6h
my-nginx-64fc468bd4-ffkhb 1/1 Running 0 2d6h
Ответ №1:
может быть, вы можете попробовать:
TOKEN=$(kubectl get secret pzhang-test-token-wz9zj -o yaml | grep "token:" | awk '{print $2}' | base64 -d)
kubectl get secret prometheus-k8s-token-x8t45 -o yaml | grep "ca.crt" | awk '{print $2}' | base64 -d > ca.crt
curl -H "Authorization: Bearer $TOKEN" --cacert ca.crt https://192.16.208.142:6443/api/v1/namespaces/default/pods
Комментарии:
1. Спасибо, я понял, что не должен копировать токен напрямую из secret, я также пропускаю эту часть
base64 -d
.