需求
创建一个基于sa的token的kubeconfig文件,并用这个文件来访问集群。
具体创建sa 和sa的token请参考文章: 【k8s】给ServiceAccount 创建关联的 Secrets-CSDN博客
创建sa
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
namespace: jtkjdev
name: gitcicd-role
rules:
- apiGroups: ["apps"]
resources: ["deployments"]
verbs: ["delete","get","create"]
- apiGroups: [""]
resources: ["services"]
verbs: ["delete","create","get","list"]
---
apiVersion: v1
kind: ServiceAccount
metadata:
namespace: jtkjdev
name: gitcicd-sa
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
namespace: jtkjdev
name: gitcicd-role-sa-binding
subjects:
- kind: ServiceAccount
name: gitcicd-sa
namespace: jtkjdev
roleRef:
kind: Role
name: gitcicd-role
apiGroup: rbac.authorization.k8s.io
---
apiVersion: v1
kind: Secret
type: kubernetes.io/service-account-token
metadata:
namespace: jtkjdev
name: gitcicd-sa-secret
annotations:
kubernetes.io/service-account.name: "gitcicd-sa"kubeconfig文件结构
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: 【k8s集群中的顶级根证书ca.crt】
server: https://xxx.xxx.218.119:6443
name: mytest 【这个名称自己随便定义,一般定义k8s集群的名称,方便管理】
contexts: 【context 是用来把上下文和下面的user关联起来】
- context:
cluster: mytest
user: gitcicd-sa
name: gitcicd-sa@mytest
current-context: gitcicd-sa@mytest 【给kubeconfig文件中会有个上下文,通过current-context来指定当前用哪个】
kind: Config
preferences: {}
users: 【配置关联的用户,如自己创建的sa】
- name: gitcicd-sa1
user: [这种方式是使用证书的验证客户的方式]
client-certificate-data: 【这个客户端证书是由k8s集群中的顶级根证书签名过的】
client-key-data: 【客户端私钥,可以自己用openssl 工具生成】
- name: gitcicd-sa
user:
token: $TOKEN 【这个token是sa类型用户:gitcicd-sa中的secret中的token,可以通过kubectl describe secrets gitcicd-sa-secret -n jtkjdev获取】
创建过程
1、kubeconfig文件中的 cluster部分
kubectl config --kubeconfig=config-demo set-cluster development --server=https://xx.xx.218.119:6443 --embed-certs --certificate-authority=ca.crt
【可以把k8s集群中的顶级根证书拷贝到当前命令执行目录】这个指令会在/root/.kube/ 目录生成一个: config-demo 文件。内容如下:
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURCVENDQWUyZ0F3SUJBZ0lJTXRFODhEUUV2NUF3RFFZSktvWklodmNOQVFFTEJRQXdGVEVUTUJFR0ExVUUKQXhNS2EzVmlaWEp1WlhSbGN6QWVGdzB5TkRFeE1UTXhOVE0yTXpWYUZ3MHpOREV4TVRFeE5UUXhNelZhTUJVeApFekFSQmdOVkJBTVRDbXQxWW1WeWJtVjBaWE13Z2dFaU1BMEdDU3FHU0liM0RRRUJBUVVBQTRJQkR3QXdnZ0VLCkFvSUJBUUMrRUpXemNadkF4a1lxWHZ0Q05POFRUcFluNjkzMTR1aUUySzNzV3BoR25ySjlOdUNVeEVuaHRmdW8KN09xQWt6MkZGbzNWSFRpYnB1ekFZVUxsL3VwV0F2RE12NnI2WHpFT0JLaHlCU09ZR3ZjSlpKNXJpcFVrSjNVcgpZZzlFMW1QaDNDc0o2Mmx0b3NLbW8vZ1BrUDZITXlSSWdMMFpQY2VzTFVBbHE3Y0FURTBMRXI0azdaYitaeTZxCjNnVDU5eHR1RTE4dkZOVUpBNE90cjJHRVpLajJ6OXFqRUR1clB5L0tHcmF6NWRqQWx6dTJFSy8zU3RxTXRhRnYKRkw1dkxFQmlydmNlR0w1RDVGc0Z5dkhsOEIvWUljTUU4cnUwV2ZRbEhZMjJIdVR0Q0VGSTRtd3Fpek1CcXd2TwptVGdSSDlmTmxaMWZaS20yWWY0bkR3SlJBOWhMQWdNQkFBR2pXVEJYTUE0R0ExVWREd0VCL3dRRUF3SUNwREFQCkJnTlZIUk1CQWY4RUJUQURBUUgvTUIwR0ExVWREZ1FXQkJRU3FxMzBlSERJbklFWGpSTnlOb3JDSFpxT3JqQVYKQmdOVkhSRUVEakFNZ2dwcmRXSmxjbTVsZEdWek1BMEdDU3FHU0liM0RRRUJDd1VBQTRJQkFRQmk1bi9GYUFmaApMTGttNjFtSjBZSlNEN3RTSzUxc2JKcldGc3JvSWwzeEMzZFhnVW16dTFONkh6MGVMQkQ4aUo4ZnlNcllPQ2xkClgyR2Z6ell5azQza3J5OVlicnhDMnZOSU5GdWJjUDdtKzRUWC9ycHFzdmJXRVJTY21MM2o5SmJWaDFBVHZyR2kKVzlOWVM2WGlEay9JRlhYVkthZ091TituT0xvS1FHM1ZwZGdncTdZYnN5V0JDZXZZR1h0VVE0cWNqeDIwUjVxSwo3em1ZdEtCUlVJQTRLdkRlWm1ZeThmUWxmWkNVa2JKY0hxZ0ZiVE5uVU1Bd3ZoWnorOVBIZ2lHSm5rUHQzYXBkCk55bjduQ05MWGs5dEZ3Tzl5VHQyN3BGTy9xTGhqcnFGakVkampqTkd1bFNxcjY4SzFUeGs4cGR4R1hWWHhpcE0KL2hiMkszZm41dHE0Ci0tLS0tRU5EIENFUlRJRxxxxx11111
server: https://.30.xx8.xx9:6443
name: development
contexts:
- context:
cluster:
user:
name:
current-context: null
kind: Config
preferences: {}
users:
- name: gitcicd-sa1
user:
token: null
2、获取gitcicd-sa的token
kubectl describe secrets gitcicd-sa-secret -n jtkjdev
[root@iZ2vc6igbukkxw6rbl64ljZ .kube]# kubectl describe secrets gitcicd-sa-secret -n jtkjdev
Name: gitcicd-sa-secret
Namespace: jtkjdev
Labels: kubernetes.io/legacy-token-last-used=2024-12-03
Annotations: kubernetes.io/service-account.name: gitcicd-sa
kubernetes.io/service-account.uid: 1c19d7e6-18c7-488b-8187-5fef65d9dc99
Type: kubernetes.io/service-account-token
Data
====
ca.crt: 1107 bytes
namespace: 7 bytes
token: 11111111111111111111111WxhQnpKczJEQ0V4WXdmbFVMNk9UaVA0aVlEb042XzQifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJqdGtqZGV2Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImdpdGNpY2Qtc2Etc2VjcmV0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6ImdpdGNpY2Qtc2EiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiIxYzE5ZDdlNi0xOGM3LTQ4OGItODE4Ny01ZmVmNjVkOWRjOTkiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6anRramRldjpnaXRjaWNkLXNhIn0.l5MAZPAc6w6aGmDIk_1_WqIspjwGhCLjjw1YoI9yebaow_3q1P6eSqjYIKD1_hYX_l4tn03DnUcJrNr8R9KPnfSJbcfuOuZVq9K7mm8j46tAPiVIzgVkKf4e6PxPw9IRmFuD2lQaJH8n9jVscL8Cw4y1j0KxPcK_po-Bpvpy0JRR5Pc7hYlnBIqSElqqcqM5LtSWK6adwQ4bdxwu7bMlmSYp5nFencvCLKnRKX-UVOf_S-SFabbv0Zn8wkx6NTJ0uxfqkSePtY2vLAkCgyivhjWhSKqlok1anj5kzSa-ol-6IPQI4WSEAx-jkfiqjIyN111111111111113、把获取的token添加到config-demo文件
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: LccccccRVJUSUZJQ0FURS0tLS0tCk1JSURCVENDQWUyZ0F3SUJBZ0lJTXRFODhEUUV2NUF3RFFZSktvWklodmNOQVFFTEJRQXdGVEVUTUJFR0ExVUUKQXhNS2EzVmlaWEp1WlhSbGN6QWVGdzB5TkRFeE1UTXhOVE0yTXpWYUZ3MHpOREV4TVRFeE5UUXhNelZhTUJVeApFekFSQmdOVkJBTVRDbXQxWW1WeWJtVjBaWE13Z2dFaU1BMEdDU3FHU0liM0RRRUJBUVVBQTRJQkR3QXdnZ0VLCkFvSUJBUUMrRUpXemNadkF4a1lxWHZ0Q05POFRUcFluNjkzMTR1aUUySzNzV3BoR25ySjlOdUNVeEVuaHRmdW8KN09xQWt6MkZGbzNWSFRpYnB1ekFZVUxsL3VwV0F2RE12NnI2WHpFT0JLaHlCU09ZR3ZjSlpKNXJpcFVrSjNVcgpZZzlFMW1QaDNDc0o2Mmx0b3NLbW8vZ1BrUDZITXlSSWdMMFpQY2VzTFVBbHE3Y0FURTBMRXI0azdaYitaeTZxCjNnVDU5eHR1RTE4dkZOVUpBNE90cjJHRVpLajJ6OXFqRUR1clB5L0tHcmF6NWRqQWx6dTJFSy8zU3RxTXRhRnYKRkw1dkxFQmlydmNlR0w1RDVGc0Z5dkhsOEIvWUljTUU4cnUwV2ZRbEhZMjJIdVR0Q0VGSTRtd3Fpek1CcXd2TwptVGdSSDlmTmxaMWZaS20yWWY0bkR3SlJBOWhMQWdNQkFBR2pXVEJYTUE0R0ExVWREd0VCL3dRRUF3SUNwREFQCkJnTlZIUk1CQWY4RUJUQURBUUgvTUIwR0ExVWREZ1FXQkJRU3FxMzBlSERJbklFWGpSTnlOb3JDSFpxT3JqQVYKQmdOVkhSRUVEakFNZ2dwcmRXSmxjbTVsZEdWek1BMEdDU3FHU0liM0RRRUJDd1VBQTRJQkFRQmk1bi9GYUFmaApMTGttNjFtSjBZSlNEN3RTSzUxc2JKcldGc3JvSWwzeEMzZFhnVW16dTFONkh6MGVMQkQ4aUo4ZnlNcllPQ2xkClgyR2Z6ell5azQza3J5OVlicnhDMnZOSU5GdWJjUDdtKzRUWC9ycHFzdmJXRVJTY21MM2o5SmJWaDFBVHZyR2kKVzlOWVM2WGlEay9JRlhYVkthZ091TituT0xvS1FHM1ZwZGdncTdZYnN5V0JDZXZZR1h0VVE0cWNqeDIwUjVxSwo3em1ZdEtCUlVJQTRLdkRlWm1ZeThmUWxmWkNVa2JKY0hxZ0ZiVE5uVU1Bd3ZoWnorOVBIZ2lHSm5rUHQzYXBkCk55bjduQ05MWGs5xxxxxxxxxxxxxxx
server: https://1cccc.cccc.218.119:6443
name: development
contexts:
- context:
cluster: development
user: gitcicd-sa
name: gitcicd-sa@development
current-context: gitcicd-sa@development
kind: Config
preferences: {}
users:
- name: gitcicd-sa
user:
token: cccccc4eERERG9WNWxhQnpKczJEQ0V4WXdmbFVMNk9UaVA0aVlEb042XzQifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJqdGtqZGV2Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImdpdGNpY2Qtc2Etc2VjcmV0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6ImdpdGNpY2Qtc2EiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiIxYzE5ZDdlNi0xOGM3LTQ4OGItODE4Ny01ZmVmNjVkOWRjOTkiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6anRramRldjpnaXRjaWNkLXNhIn0.l5MAZPAc6w6aGmDIk_1_WqIspjwGhCLjjw1YoI9yebaow_3q1P6eSqjYIKD1_hYX_l4tn03DnUcJrNr8R9KPnfSJbcfuOuZVq9K7mm8j46tAccccccc
同时添加context相关信息
4、然后使用
kubectl --kubeconfig config-demo get pods -n jtkjdev
[root]# kubectl --kubeconfig config-demo get pods -n jtkjdev
Error from server (Forbidden): pods is forbidden: User "system:serviceaccount:jtkjdev:gitcicd-sa" cannot list resource "pods" in API group "" in the namespace "jtkjdev"
提示没有权限,因为上面创建的gitcicd-ca用户是没有 获取pods权限的kubectl --kubeconfig config-demo get svc -n jtkjdev
由于sa绑定的角色有 svc 的list权限,所以可以查询
然后通过调整gitlabcicd-sa这个用户的角色内容,就可以很好的控制它的权限
