Creating a new token to access the K8s apiserver

There are two main ways to manage K8s: through the kubectl client on the server, or by calling the API server directly.

If we call the k8s API server directly with no credentials, we get a 403. The request is authenticated as the anonymous user system:anonymous, which by default is only allowed a few unauthenticated paths such as /version and /healthz, not /api/:

[root@k8s-master-202 api_user]# curl -k https://192.168.200.202:6443/api/
{
"kind": "Status",
"apiVersion": "v1",
"metadata": {

},
"status": "Failure",
"message": "forbidden: User \"system:anonymous\" cannot get path \"/api/\"",
"reason": "Forbidden",
"details": {

},
"code": 403
}

1. Create the admin account

Create a file createaccount.yaml:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: hl-admin   # account name
  namespace: kube-system

Apply it on the server:

[root@k8s-master-202 api_user]# kubectl apply -f createaccount.yaml
serviceaccount/hl-admin created

Check the new account:

[root@k8s-master-202 api_user]# kubectl get sa -n kube-system | grep admin
hl-admin 1 63m

2. Grant admin rights

Binding the account to the built-in cluster-admin ClusterRole gives it unrestricted access to every resource in every namespace, and the token retrieved in the next step is a long-lived credential, so treat it like a root password. Outside a lab, bind a narrower role instead (the built-in view or edit ClusterRoles, or a Role scoped to one namespace).

vim rulebinding.yaml

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: hl-admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: hl-admin
  namespace: kube-system

Apply it. The original manifest used rbac.authorization.k8s.io/v1beta1, which is deprecated since v1.17 and removed in v1.22; kubectl warns about that, which is why the output below shows the warning:

[root@k8s-master-202 api_user]# kubectl apply -f rulebinding.yaml
Warning: rbac.authorization.k8s.io/v1beta1 ClusterRoleBinding is deprecated in v1.17+, unavailable in v1.22+; use rbac.authorization.k8s.io/v1 ClusterRoleBinding
clusterrolebinding.rbac.authorization.k8s.io/hl-admin created

3. Look up the token

On clusters before v1.24 the control plane automatically creates a Secret of type kubernetes.io/service-account-token for every ServiceAccount, and that is where this token comes from; note that it carries no expiry, so it stays valid until the Secret or the ServiceAccount is deleted. On v1.24 and later no such Secret is created; request a short-lived token instead with kubectl create token hl-admin -n kube-system, which uses the TokenRequest API.

[root@k8s-master-202 api_user]# kubectl get secret -n kube-system| grep hl-admin
hl-admin-token-nrsln kubernetes.io/service-account-token 3 4m9s
[root@k8s-master-202 api_user]# kubectl describe secret hl-admin-token-nrsln -n kube-system | grep token
Name: hl-admin-token-nrsln
Type: kubernetes.io/service-account-token
token: eyJhbGciOiJSUzI1NiIsImtpZCI6InJGclJZVlBhbdsfsdddgdJtTlItdXhxS2ppaUF5dFBuTERMZXQ2em8ifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJobC1hZG1pbi10b2tlbi1ucnNsbiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJobC1hZG1pbiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjQ4OWFmMzM5LTU0OTUtNDBmZC05NDgzLTY4ZGYzMDM1NWE3MyIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDprdWJlLXN5c3RlbTpobC1hZG1pbiJ9.dWSleE3ko1cEn-ItLhrVRKz8ST9VVcMgonmZfmkDoAKPIqMx02zg_Ahq4aMawOx1v0xQwfz344rnZJTnJxkunMhMXBcaC5c4tYZc2UQPfx7OVkGKrwuw4B2LHolLKsjva_jJNcvvFjSlwS1n2L_5Bo_bFqgwokZlrBFvFiR0OcdlWV3FRbH3tF73X_jVF35olvjT8DNP7uuL-_PTMdB-LwMXZ3o3SsXnBF_duPLA30xQX_uIrodQmfQNkz4ykVI7gBgrPVQ7Cj93XZp5wf-hYd5UdTxsipj4fs6Y0iGeYQNX9kULUtjzCSQS7PUyCqu7RBT7idij6-lJYqDHUSfz1w

4. Test access to the api-server

Access now works. The -k flag skips verification of the HTTPS certificate, which is acceptable on a lab box but means a spoofed apiserver could harvest this cluster-admin token; step 5 shows the verified variant.

[root@k8s-master-202 api_user]# curl -H "Authorization: Bearer eyJhbGciOiJSUzfdgdfgmtpZCI6InJGclJZVlBhblFDYmRfOWdKNTJtTlItdXhxS2ppaUF5dFBuTERMZXQ2em8ifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJobC1hZG1pbi10b2tlbi1ucnNsbiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJobC1hZG1pbiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjQ4OWFmMzM5LTU0OTUtNDBmZC05NDgzLTY4ZGYzMDM1NWE3MyIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDprdWJlLXN5c3RlbTpobC1hZG1pbiJ9.dWSleE3ko1cEn-ItLhrVRKz8ST9VVcMgonmZfmkDoAKPIqMx02zg_Ahq4aMawOx1v0xQwfz344rnZJTnJxkunMhMXBcaC5c4tYZc2UQPfx7OVkGKrwuw4B2LHolLKsjva_jJNcvvFjSlwS1n2L_5Bo_bFqgwokZlrBFvFiR0OcdlWV3FRbH3tF73X_jVF35olvjT8DNP7uuL-_PTMdB-LwMXZ3o3SsXnBF_duPLA30xQX_uIrodQmfQNkz4ykVI7gBgrPVQ7Cj93XZp5wf-hYd5UdTxsipj4fs6Y0iGeYQNX9kULUtjzCSQS7PUyCqu7RBT7idij6-lJYqDHUSfz1w" -k https://192.168.200.202:6443/api/
{
"kind": "APIVersions",
"versions": [
"v1"
],
"serverAddressByClientCIDRs": [
{
"clientCIDR": "0.0.0.0/0",
"serverAddress": "192.168.200.202:6443"
}
]
}

5. Access the api-server with certificate verification

The original command passed -cacert, -cert and -key with a single dash; curl's long options take two dashes (--cacert, --cert, --key). Corrected:

curl -H "Authorization: Bearer eyJhbGciOiJSUzdfssImtpZCIggg6InJGclJZVlBhblFDYmRfOWdKNTJtTlItdXhxS2ppaUF5dFBuTERMZXQ2em8ifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJobC1hZG1pbi10b2tlbi1ucnNsbiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJobC1hZG1pbiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjQ4OWFmMzM5LTU0OTUtNDBmZC05NDgzLTY4ZGYzMDM1NWE3MyIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDprdWJlLXN5c3RlbTpobC1hZG1pbiJ9.dWSleE3ko1cEn-ItLhrVRKz8ST9VVcMgonmZfmkDoAKPIqMx02zg_Ahq4aMawOx1v0xQwfz344rnZJTnJxkunMhMXBcaC5c4tYZc2UQPfx7OVkGKrwuw4B2LHolLKsjva_jJNcvvFjSlwS1n2L_5Bo_bFqgwokZlrBFvFiR0OcdlWV3FRbH3tF73X_jVF35olvjT8DNP7uuL-_PTMdB-LwMXZ3o3SsXnBF_duPLA30xQX_uIrodQmfQNkz4ykVI7gBgrPVQ7Cj93XZp5wf-hYd5UdTxsipj4fs6Y0iGeYQNX9kULUtjzCSQS7PUyCqu7RBT7idij6-lJYqDHUSfz1w" \
  https://192.168.200.202:6443/api/ --cacert /etc/kubernetes/pki/ca.crt --cert /etc/kubernetes/pki/apiserver-kubelet-client.crt --key /etc/kubernetes/pki/apiserver-kubelet-client.key

Returns normally. One caveat: the apiserver tries X.509 client-certificate authentication before bearer tokens, and kubeadm issues apiserver-kubelet-client.crt with O=system:masters, so with --cert/--key present the request is authenticated as that certificate's identity rather than as hl-admin, and it would succeed even with a bogus token. To test the token itself over a verified connection, pass only --cacert /etc/kubernetes/pki/ca.crt and omit --cert and --key.
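Putting the procedure together: before pasting a token from step 3 into curl, it is worth reading what the token actually asserts. The script below is an added example, not code from the original post or from Kubernetes. It decodes a ServiceAccount JWT without verifying its signature (so it inspects, it does not authenticate), reports the subject, namespace and expiry, flags the never-expiring legacy secret token the post uses, and builds a curl command that verifies the apiserver with the cluster CA instead of -k. The two tokens it decodes are constructed here with a placeholder signature: the first copies the claim layout of the post's token, the second the layout of a bound token from kubectl create token. The server address, CA path and ServiceAccount uid are the post's own; the 1_700_000_000 timestamp is an arbitrary fixed clock.

```python
"""Inspect a Kubernetes ServiceAccount bearer token before using it.

Added example, not part of the original post. decode_jwt_claims() reads the
JWT payload WITHOUT checking the signature: use it to see what a token
asserts, never to decide whether to trust one (the apiserver does that).
"""
import base64
import json
import time


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore the padding first.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_jwt_claims(token):
    """Return the payload claims of a JWT as a dict. No signature verification."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def assess_sa_token(token, now=None):
    """Summarise who a ServiceAccount token is for and how long it lives.

    Legacy secret-based tokens (what `kubectl describe secret` prints on
    clusters before v1.24) use flat 'kubernetes.io/serviceaccount/...' claims
    and carry no 'exp'; bound tokens from `kubectl create token` nest the
    identity under 'kubernetes.io' and always carry 'exp' and 'aud'.
    """
    claims = decode_jwt_claims(token)
    now = time.time() if now is None else now
    legacy_ns = claims.get("kubernetes.io/serviceaccount/namespace")
    bound = claims.get("kubernetes.io", {})
    exp = claims.get("exp")
    return {
        "subject": claims.get("sub"),
        "namespace": legacy_ns or bound.get("namespace"),
        "service_account": claims.get("kubernetes.io/serviceaccount/service-account.name")
        or bound.get("serviceaccount", {}).get("name"),
        "legacy_secret_token": legacy_ns is not None and exp is None,
        "expires_in_seconds": None if exp is None else int(exp - now),
        "audiences": claims.get("aud"),
    }


def curl_argv(token, server="https://192.168.200.202:6443", path="/api/",
              cacert="/etc/kubernetes/pki/ca.crt"):
    """argv for step 5 done properly: verify the apiserver against the cluster
    CA instead of -k, and send only the bearer token (no client cert), so the
    token is the credential that actually gets authenticated."""
    return ["curl", "--cacert", cacert,
            "-H", "Authorization: Bearer " + token, server + path]


def make_unsigned_token(claims):
    """Constructed test data: a JWT-shaped string with a placeholder signature."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "kid": "example-kid"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return "%s.%s.%s" % (header, payload, _b64url_encode(b"placeholder-signature"))


SA_UID = "489af339-5495-40fd-9483-68df30355a73"   # uid from the post's token payload
NOW = 1_700_000_000                                # fixed clock for reproducible output

# Same claim layout as the post's hl-admin-token-nrsln secret: no exp, no aud.
LEGACY_TOKEN = make_unsigned_token({
    "iss": "kubernetes/serviceaccount",
    "kubernetes.io/serviceaccount/namespace": "kube-system",
    "kubernetes.io/serviceaccount/secret.name": "hl-admin-token-nrsln",
    "kubernetes.io/serviceaccount/service-account.name": "hl-admin",
    "kubernetes.io/serviceaccount/service-account.uid": SA_UID,
    "sub": "system:serviceaccount:kube-system:hl-admin",
})

# Layout of a bound token from `kubectl create token hl-admin -n kube-system`.
BOUND_TOKEN = make_unsigned_token({
    "iss": "https://kubernetes.default.svc.cluster.local",
    "aud": ["https://kubernetes.default.svc.cluster.local"],
    "iat": NOW, "nbf": NOW, "exp": NOW + 3600,
    "kubernetes.io": {"namespace": "kube-system",
                      "serviceaccount": {"name": "hl-admin", "uid": SA_UID}},
    "sub": "system:serviceaccount:kube-system:hl-admin",
})

if __name__ == "__main__":
    for label, tok in (("legacy", LEGACY_TOKEN), ("bound", BOUND_TOKEN)):
        print(label, json.dumps(assess_sa_token(tok, now=NOW), indent=2))
    print(" ".join(curl_argv(BOUND_TOKEN)))
```

Run it as-is to see both summaries, or call assess_sa_token() on the token printed by kubectl describe secret: a result with legacy_secret_token set to True and expires_in_seconds None is a credential that never expires and should be rotated by deleting the Secret once the test is done.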

 

posted @ 2022-06-10 14:08  技术颜良  views(910)  comments(0)