Using a token to authorize access to the api-server is a common need in Kubernetes operations.
The apiserver supports three client authentication methods:
1. HTTPS certificate authentication: mutual TLS with client certificates signed by the cluster CA
2. HTTP token authentication: a bearer token identifies a legitimate user
3. HTTP basic authentication: username + password
For day-to-day operations the second, token-based method is the most convenient. A token's permissions are those of the service account it belongs to:
# kubectl describe secrets admin-token-2q28f -n kube-system
Name:         admin-token-2q28f
Namespace:    kube-system
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: admin
              kubernetes.io/service-account.uid: 93316ffa-7545-11e9-b617-00163e06992d

Type:  kubernetes.io/service-account-token

Data
====
ca.crt:     1419 bytes
namespace:  11 bytes
token:      eyJhbGciOiJ******
The service account's permissions come from a ClusterRoleBinding --> ClusterRole:
# kubectl describe serviceaccount admin -n kube-system
Name:                admin
Namespace:           kube-system
Labels:              <none>
Annotations:         kubectl.kubernetes.io/last-applied-configuration:
                       {"apiVersion":"v1","kind":"ServiceAccount","metadata":{"annotations":{},"name":"admin","namespace":"kube-system"}}
Image pull secrets:  <none>
Mountable secrets:   admin-token-2q28f
Tokens:              admin-token-2q28f
Events:              <none>
The ClusterRoleBinding gives the name of the ClusterRole it binds the service account to:
# kubectl get clusterrolebinding admin -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"rbac.authorization.k8s.io/v1beta1","kind":"ClusterRoleBinding","metadata":{"annotations":{},"name":"admin"},"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"cluster-admin"},"subjects":[{"kind":"ServiceAccount","name":"admin","namespace":"kube-system"}]}
  creationTimestamp: 2019-05-13T06:08:49Z
  name: admin
  resourceVersion: "1523"
  selfLink: /apis/rbac.authorization.k8s.io/v1/clusterrolebindings/admin
  uid: 93356439-7545-11e9-b617-00163e06992d
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: admin
  namespace: kube-system
What permissions does this role carry?
# kubectl get clusterrole cluster-admin -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  creationTimestamp: 2019-05-13T06:01:10Z
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
  name: cluster-admin
  resourceVersion: "55"
  selfLink: /apis/rbac.authorization.k8s.io/v1/clusterroles/cluster-admin
  uid: 817e2b9e-7544-11e9-9766-00163e0e34c8
rules:
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - '*'
- nonResourceURLs:
  - '*'
  verbs:
  - '*'
Judging from the ClusterRole, the permissions tied to the admin service account are very broad (every verb on every resource and every non-resource URL). For normal cluster operations it is better to define roles tailored to what is actually needed; see the RBAC documentation:
https://kubernetes.io/docs/reference/access-authn-authz/rbac/
With that background, here is a small trick. The next time a customer needs to reach the apiserver with curl, you will have it covered.
# kubectl describe secrets $(kubectl get secrets -n kube-system |grep admin |cut -f1 -d ' ') -n kube-system |grep -E '^token' |cut -f2 -d':'|tr -d '\t'|tr -d ' '
eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJhZG1pbi10b2tlbi0ycTI4ZiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJhZG1pbiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjkzMzE2ZmZhLTc1NDUtMTFlOS1iNjE3LTAwMTYzZTA2OTkyZCIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDprdWJlLXN5c3RlbTphZG1pbiJ9.EQzj2LsWn2k31m-ksn9GmB1bZTi1Xjw1fnmWFgRKlwhS2QAaVnDXfV_TgUovpq5oWKh7h0gTVaNaK4KKK76yAv6GfMehpOdIO5xHCfQAWVRhla1cwUDC64tz7vJ1zGcx_lz4hKfhdXN1T8FYS0B0hf3h2OloAMfCZTzDjRWz24GVwH-WRTEwY_5tav65GiZzBTsnz1vV7NOcx-Kl8AK2HbowtBYqK05x7oOmp84FiQMwpYU-7g0c03h61zev4lvf0e-HFtqKiByPi8gD-uiVRvE-xayOz5oIESWw2GfhzfNf_uyR7eLplCKUBecVMtwVsBauNaeqU-IIJW5VIHAOxw
# TOKEN=$(kubectl describe secrets $(kubectl get secrets -n kube-system |grep admin |cut -f1 -d ' ') -n kube-system |grep -E '^token' |cut -f2 -d':'|tr -d '\t'|tr -d ' ')
# kubectl config view |grep server|cut -f 2- -d ":" | tr -d " "
https://192.168.0.130:6443
# APISERVER=$(kubectl config view |grep server|cut -f 2- -d ":" | tr -d " ")
Access the apiserver with curl:
# curl -H "Authorization: Bearer $TOKEN" $APISERVER/api --insecure
{
  "kind": "APIVersions",
  "versions": [
    "v1"
  ],
  "serverAddressByClientCIDRs": [
    {
      "clientCIDR": "0.0.0.0/0",
      "serverAddress": "192.168.0.130:6443"
    }
  ]
}
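Two things a practitioner would want alongside the commands above: a way to see which service account a token actually belongs to before handing it to curl, and a curl invocation that verifies the apiserver against the cluster CA (the same secret carries ca.crt) instead of passing --insecure. The script below is an added example, not code from the original post; the token it decodes is constructed inline in the shape of a kubernetes.io/service-account-token, and the ca.crt path and apiserver URL passed to apiserver_curl_cmd are assumed.

```shell
#!/bin/sh
# Added example (not from the original post). Needs sh, base64 (GNU), tr, cut, sed.

# base64url-decode one JWT segment: restore the '+' '/' alphabet and the
# padding that JWTs strip off, then hand it to plain base64.
b64url_decode() {
  s=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#s} % 4 )) in
    2) s="$s==" ;;
    3) s="$s=" ;;
  esac
  printf '%s' "$s" | base64 -d
}

# Print the claims (second dot-separated segment) of a JWT as JSON.
# No signature check is done here: this shows what the token *claims*;
# only the apiserver, which holds the signing key, can verify it.
jwt_claims() {
  b64url_decode "$(printf '%s' "$1" | cut -d. -f2)"
}

# jwt_claim TOKEN NAME -> value of one string claim (e.g. sub).
# '|' is the sed delimiter so claim names containing '/' work.
jwt_claim() {
  jwt_claims "$1" | sed -n "s|.*\"$2\":\"\([^\"]*\)\".*|\1|p"
}

# Build the curl command from the post, but pinned to the cluster CA
# (written out with: kubectl get secret <name> -n kube-system
#  -o jsonpath='{.data.ca\.crt}' | base64 -d > ca.crt) instead of --insecure,
# so the bearer token is only ever sent to the real apiserver.
# Arguments: APISERVER CA_PATH TOKEN API_PATH
apiserver_curl_cmd() {
  printf 'curl --cacert %s -H "Authorization: Bearer %s" %s%s\n' "$2" "$3" "$1" "$4"
}

# Constructed sample token (dummy signature) mirroring a service-account JWT.
b64url_encode() { printf '%s' "$1" | base64 | tr -d '=\n' | tr '/+' '_-'; }
SAMPLE_TOKEN="$(b64url_encode '{"alg":"RS256","kid":""}').$(b64url_encode '{"iss":"kubernetes/serviceaccount","kubernetes.io/serviceaccount/namespace":"kube-system","kubernetes.io/serviceaccount/service-account.name":"admin","sub":"system:serviceaccount:kube-system:admin"}').dummysig"

# Usage: identify the token's subject, then build the verified curl call.
echo "token subject: $(jwt_claim "$SAMPLE_TOKEN" sub)"
apiserver_curl_cmd https://192.168.0.130:6443 ./ca.crt "$SAMPLE_TOKEN" /api
```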
Author: 牧原
This article is original content of the Yunqi Community (云栖社区); reproduction without permission is not allowed.