K8s获取token

通过调用 Kubernetes API(包括下文用到的 kubelet 接口)获取信息时,请求需要携带 Kubernetes 的 Token 进行身份认证。

  1. 创建 ServiceAccount admin-user 并授权

    admin-user.yaml

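    # ServiceAccount whose token is presented to the kubelet API in the steps below.
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: admin-user
      namespace: kube-system
    ---
    # Bind only the kubelet-API permissions the steps below need. With
    # authorization.mode "Webhook" the kubelet asks the API server whether the
    # caller may access the "nodes" subresource that matches the request path:
    # /stats/* -> nodes/stats, /metrics/* -> nodes/metrics, and paths without a
    # dedicated subresource (such as /configz) -> nodes/proxy.
    # The built-in ClusterRole system:kubelet-api-admin covers these. It is still
    # a sensitive role, but unlike cluster-admin it does not hand the token's
    # holder full control of every resource in the cluster.
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: admin-user
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: system:kubelet-api-admin
    subjects:
    - kind: ServiceAccount
      name: admin-user
      namespace: kube-system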
    
    [root@kube-master01 token]# kubectl apply -f admin-user.yaml 
    serviceaccount/admin-user created
    
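  2. 获取 admin-user 对应的 token Secret 名称

    说明:Kubernetes 1.24 及之后的版本默认不再自动为 ServiceAccount 创建 token Secret;在这些版本上可以用 kubectl -n kube-system create token admin-user 签发带有效期的 token。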

    [root@kube-master01 token]# kubectl get secret -n kube-system|grep admin
    admin-user-token-lw2hn                           kubernetes.io/service-account-token   3      52s
    
  3. 查询token内容

    [root@kube-master01 token]# kubectl describe secret admin-user-token-lw2hn -n kube-system
    Name:         admin-user-token-lw2hn
    Namespace:    kube-system
    Labels:       <none>
    Annotations:  kubernetes.io/service-account.name: admin-user
                  kubernetes.io/service-account.uid: c98054ae-83a6-46d8-90a6-6785840d3606
    
    Type:  kubernetes.io/service-account-token
    
    Data
    ====
    ca.crt:     1066 bytes
    namespace:  11 bytes
    token:      eyJhbGciOiJSUzI1NiIsImtpZCI6InpER2hyN1FFVnhfZVhVVElLLUJ6Wm5BM2wtd3NiZzVpV0JRaHBwXzlrbjQifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJhZG1pbi11c2VyLXRva2VuLWx3MmhuIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6ImFkbWluLXVzZXIiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiJjOTgwNTRhZS04M2E2LTQ2ZDgtOTBhNi02Nzg1ODQwZDM2MDYiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6a3ViZS1zeXN0ZW06YWRtaW4tdXNlciJ9.W9VtGJR9PIZlRdTT2Z2W4Fe8WC5cYxzLhshMKcbVYkjq9zjXCJyvsjOFlRpvjqS2CF85rAWFfCPSUjoNMBsw9nudmnyykGffAqtOV586ilRe787kz4b-s2FC8EdOkKRYyiL4pMaXMOGQ5-LNRxqqbkvI1z0xRZk3LiZzs2OWDWIxQj7h2NIZKEnRir5oBebOFuyOeIUe4jDp_rBnT0-7oIoMCQ3bSkTwYJUiSu9BOfHXlOq0Nmc-TLGYRetXDHeSwzAiAzAm8_ab0U0UiVsUzghFiAaSROJzs5hFe9cZ4STz3rhWOt4SBw6DtTgyOSdQcm2STWZJxPLQXRpylyTYDQ
    
  4. 为了方便,将 token 赋值给 shell 变量 TOKEN(Secret 中的这类 token 不会自动过期,删除该 Secret 或 ServiceAccount 后才会失效)

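    # Read the token straight from the Secret instead of pasting the literal
    # value: a pasted token ends up in shell history, terminal scrollback and
    # every copy of this page. .data.token is base64-encoded in the API object
    # (kubectl describe shows it decoded), hence the base64 -d step.
    [root@kube-master01 token]# TOKEN=$(kubectl -n kube-system get secret admin-user-token-lw2hn -o jsonpath='{.data.token}' | base64 -d)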
    
  5. 通过token获取configz

    # Fetch the kubelet's live configuration from its authenticated port (10250).
    # The kubelet authorizes the request as a "nodes" subresource; paths without
    # a dedicated subresource, such as /configz, are checked as nodes/proxy.
    # -k disables verification of the kubelet's serving certificate, so the
    # bearer token is sent to whatever answers on this port. That is tolerable on
    # loopback; against a remote node pass --cacert with the CA that issued the
    # kubelet serving certificate instead of -k.
    # The token is part of curl's argument list and is visible to other local
    # users in the process table while the command runs.
    curl -k -s https://localhost:10250/configz --header "Authorization: Bearer $TOKEN" |python -m json.tool
    

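    可以看到成功获取。返回的配置中 authentication.anonymous.enabled 为 false、authorization.mode 为 Webhook,说明 kubelet 不接受匿名请求,token 能访问哪些接口由 API Server 的鉴权结果决定: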

    {
        "kubeletconfig": {
            "address": "0.0.0.0",
            "authentication": {
                "anonymous": {
                    "enabled": false
                },
                "webhook": {
                    "cacheTTL": "2m0s",
                    "enabled": true
                },
                "x509": {
                    "clientCAFile": "/etc/kubernetes/pki/ca.crt"
                }
            },
            "authorization": {
                "mode": "Webhook",
                "webhook": {
                    "cacheAuthorizedTTL": "5m0s",
                    "cacheUnauthorizedTTL": "30s"
                }
            },
            "cgroupDriver": "systemd",
            "cgroupsPerQOS": true,
            "clusterDNS": [
                "169.254.25.10"
            ],
            "clusterDomain": "cluster.local",
            "configMapAndSecretChangeDetectionStrategy": "Watch",
            "containerLogMaxFiles": 5,
            "containerLogMaxSize": "10Mi",
            "contentType": "application/vnd.kubernetes.protobuf",
            "cpuCFSQuota": true,
            "cpuCFSQuotaPeriod": "100ms",
            "cpuManagerPolicy": "none",
            "cpuManagerReconcilePeriod": "10s",
            "enableControllerAttachDetach": true,
            "enableDebugFlagsHandler": true,
            "enableDebuggingHandlers": true,
            "enableProfilingHandler": true,
            "enableServer": true,
            "enableSystemLogHandler": true,
            "enforceNodeAllocatable": [
                "pods"
            ],
            "eventBurst": 10,
            "eventRecordQPS": 5,
            "evictionHard": {
                "memory.available": "5%",
                "pid.available": "5%"
            },
            "evictionMaxPodGracePeriod": 120,
            "evictionPressureTransitionPeriod": "30s",
            "evictionSoft": {
                "memory.available": "10%"
            },
            "evictionSoftGracePeriod": {
                "memory.available": "2m"
            },
            "failSwapOn": true,
            "featureGates": {
                "CSIStorageCapacity": true,
                "ExpandCSIVolumes": true,
                "RotateKubeletServerCertificate": true,
                "TTLAfterFinished": true
            },
            "fileCheckFrequency": "20s",
            "hairpinMode": "promiscuous-bridge",
            "healthzBindAddress": "127.0.0.1",
            "healthzPort": 10248,
            "httpCheckFrequency": "20s",
            "imageGCHighThresholdPercent": 85,
            "imageGCLowThresholdPercent": 80,
            "imageMinimumGCAge": "2m0s",
            "iptablesDropBit": 15,
            "iptablesMasqueradeBit": 14,
            "kubeAPIBurst": 10,
            "kubeAPIQPS": 5,
            "kubeReserved": {
                "cpu": "200m",
                "memory": "250Mi"
            },
            "logging": {
                "format": "text"
            },
            "makeIPTablesUtilChains": true,
            "maxOpenFiles": 1000000,
            "maxPods": 110,
            "memoryManagerPolicy": "None",
            "nodeLeaseDurationSeconds": 40,
            "nodeStatusMaxImages": 50,
            "nodeStatusReportFrequency": "5m0s",
            "nodeStatusUpdateFrequency": "10s",
            "oomScoreAdj": -999,
            "podPidsLimit": -1,
            "port": 10250,
            "registryBurst": 10,
            "registryPullQPS": 5,
            "resolvConf": "/etc/resolv.conf",
            "rotateCertificates": true,
            "runtimeRequestTimeout": "2m0s",
            "serializeImagePulls": true,
            "shutdownGracePeriod": "0s",
            "shutdownGracePeriodCriticalPods": "0s",
            "staticPodPath": "/etc/kubernetes/manifests",
            "streamingConnectionIdleTimeout": "4h0m0s",
            "syncFrequency": "1m0s",
            "systemReserved": {
                "cpu": "200m",
                "memory": "250Mi"
            },
            "tlsCertFile": "/var/lib/kubelet/pki/kubelet.crt",
            "tlsPrivateKeyFile": "/var/lib/kubelet/pki/kubelet.key",
            "topologyManagerPolicy": "none",
            "topologyManagerScope": "container",
            "volumePluginDir": "/usr/libexec/kubernetes/kubelet-plugins/volume/exec/",
            "volumeStatsAggPeriod": "1m0s"
        }
    }
    
  6. 通过token获取node summary

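    # Node and pod resource usage summary; the kubelet authorizes /stats/* as the
    # nodes/stats subresource.
    # -s added to match the /configz call: without it curl's progress meter is
    # printed to the terminal alongside the pretty-printed JSON.
    # -k skips verification of the kubelet's serving certificate; against a
    # remote node use --cacert with the issuing CA instead.
    curl -k -s https://127.0.0.1:10250/stats/summary --header "Authorization: Bearer $TOKEN" |python -m json.tool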
    
  7. 通过token获取cAdvisor 监控指标

    # Scrape the kubelet's embedded cAdvisor container metrics; /metrics/* is
    # authorized as the nodes/metrics subresource. The response is Prometheus
    # text format, so it is not piped through a JSON formatter.
    # -k skips verification of the kubelet's serving certificate.
    curl -k -H "Authorization: Bearer $TOKEN" https://127.0.0.1:10250/metrics/cadvisor
    
posted @ 2022-10-22 21:13  请务必优秀