kubernetes获取永久token

概述

1.22 版本之前都是自动创建sa的token，1.22及之后版本永久token需要使用kubernetes.io/service-account-token类型创建secret

步骤

服务账号令牌 Secret

类型为 kubernetes.io/service-account-token 的 Secret 用来存放标识某服务账号的令牌凭据。

说明：

使用这种 Secret 类型时，你需要确保对象的注解 kubernetes.io/service-account-name 被设置为某个已有的服务账号名称。 如果你同时负责 ServiceAccount 和 Secret 对象的创建，应该先创建 ServiceAccount 对象。

当 Secret 对象被创建之后，某个 Kubernetes控制器会填写 Secret 的其它字段，例如 kubernetes.io/service-account.uid 注解以及 data 字段中的 token 键值，使之包含实际的令牌内容。

创建一个sa账号，绑定cluster-admin 权限：

echo "
apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: default
  name: cls-access
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cls-access
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    namespace: default
    name: cls-access
" | kubectl --kubeconfig eks apply -f - 

下面的配置实例声明了一个服务账号令牌 Secret：

apiVersion: v1
kind: Secret
metadata:
  name: cls-access
  annotations:
    kubernetes.io/service-account.name: "cls-access"
type: kubernetes.io/service-account-token
#data:
  # 你可以像 Opaque Secret 一样在这里添加额外的键/值偶对
  #extra: YmFyCg==

创建了 Secret 之后，等待 Kubernetes 在 data 字段中填充 token 主键。

查看token值：

kubectl --kubeconfig eks get secret cls-access -o yaml
#返回结果：
apiVersion: v1
data:
  ca.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUMvakNDQWVhZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwcmRXSmwKY201bGRHVnpNQjRYRFRJek1EZ3hOekExTkRNeU9Wb1hEVE16TURneE5EQTFORE15T1Zvd0ZURVRNQkVHQTFVRQpBeE1LYTNWaVpYSnVaWFJsY3pDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBS2tBCnVMVnk2MzY0aHc1MjdhRHgxTTNiNm1FMGlyMWFRSzRpNnlqTkZVeDdSMnc0YXFuZm5XRTlyVjRCYTRmMTFoUEgKVXorWEhhUXFmWUdwcVlFajJMTmdqQ3JJZDQyY29MaHhyWHpKNWtBZnFXUXhRa1U4WXdNZXBVeEhyY1hNSk1tbAp2UEg4WS9OTlFxckV2T0NSdG5taDlPRmNkZ1AvU3ZqSkxMeTBHdkZIM3J1cE9qUUxRcXpWc2F4RDF3cS9FUWFYCkkrRjNjUlZUZ01iRUxjQzRPRzBMR2I3TUdYNXYzTUFyVEhubi9OUGFmMFIwQ01UWmQxbExwRmVidVhRaHlUUXkKR0pyakNsY002YWY4YXlub0dRUnBqNlY3SXpTbGdkUU4xVnk5cndRcDRrVUlCYlpMenRrZVJPODFwZGxLc05lZgpoRVAxKytMcWVtZWVBK0NnZ2UwQ0F3RUFBYU5aTUZjd0RnWURWUjBQQVFIL0JBUURBZ0trTUE4R0ExVWRFd0VCCi93UUZNQU1CQWY4d0hRWURWUjBPQkJZRUZPRXBXR25TTXNRdWNoUmlnaWlTMGEwNU5ZM1JNQlVHQTFVZEVRUU8KTUF5Q0NtdDFZbVZ5Ym1WMFpYTXdEUVlKS29aSWh2Y05BUUVMQlFBRGdnRUJBSjlJcHVkZEM5OTJlRXlhTVdmVwpTWmdpMklNZUpGOFlkMFVHVVZVYW95dDB4OE9MV1VHUXY3Z1lMKzJ5cTNNb2pFeFdJNkRZMHVveHl0cFVkWE15Cnk1cW9hejFUNExTcFVTSVgyNU0vNS9vYVAvVVpuWU82VmpCcDlIRGZoNElTVHU1VXpEZDFvWnFJZGR0WGNwUEgKMlptemJOaVNZWkFKMTNjczg0Q0NYenNJcjNzbXNkV293VzNiaUN2SFVQV0RWNit4VHV3ditiKzkvbmZITzJYZwpkekkrVDNrN3VNcW1rTitjUVp1THZjMDVqbGc1ajdOamRDcG9GWkw2RVBJSU5NcFFhWExoUmY0NG5DeC8zY1MrCmpKWDVDYk5OTlh2Y01LL25LN3ppQTZkR3lGaXREa2NhTENtSjIzY1ZvY1J0eHdEOFZ5OTJRaHdUN2VpaEZHaWkKc2tBPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
  namespace: ZGVmYXVsdA==
  token: ZXlKaGJHY2lPaUpTVXpJMU5pSXNJbXRwWkNJNkltdEZhbE41YWkxaldFdFRkSFo1Y1hKalowRm9XRWRHYm1aNFpFZENTRTB3YkhSYWFHSTJkRlJRTmswaWZRLmV5SnBjM01pT2lKcmRXSmxjbTVsZEdWekwzTmxjblpwWTJWaFkyTnZkVzUwSWl3aWEzVmlaWEp1WlhSbGN5NXBieTl6WlhKMmFXTmxZV05qYjNWdWRDOXVZVzFsYzNCaFkyVWlPaUprWldaaGRXeDBJaXdpYTNWaVpYSnVaWFJsY3k1cGJ5OXpaWEoyYVdObFlXTmpiM1Z1ZEM5elpXTnlaWFF1Ym1GdFpTSTZJbU5zY3kxaFkyTmxjM01pTENKcmRXSmxjbTVsZEdWekxtbHZMM05sY25acFkyVmhZMk52ZFc1MEwzTmxjblpwWTJVdFlXTmpiM1Z1ZEM1dVlXMWxJam9pWTJ4ekxXRmpZMlZ6Y3lJc0ltdDFZbVZ5Ym1WMFpYTXVhVzh2YzJWeWRtbGpaV0ZqWTI5MWJuUXZjMlZ5ZG1salpTMWhZMk52ZFc1MExuVnBaQ0k2SW1ObE1UUmxaREJqTFRsaU9UWXRORFkxWWkxaE16TTVMVEptTmpNM016RXpPV1kzT0NJc0luTjFZaUk2SW5ONWMzUmxiVHB6WlhKMmFXTmxZV05qYjNWdWREcGtaV1poZFd4ME9tTnNjeTFoWTJObGMzTWlmUS54YUNPaU9ELVNHa3BCdk1ta3pnWDVBMTNobzExdE82cW9UWTF2NjA1Y3RDNk43dUlpT0podHJfSDBpWGd4eExUTE1ZdFdCMFNCVkFiU1BKVEpVbUxseDNEakdWZTVmM2FUb05FVC1yOXExVnEtU1I2VmFXb0ZfYlNkcHg0UkpMODBvbjJld3VHV2Y3c3JrLWVKR2xSVHU0eHpFQ04xRVVtWU9QWG4xYWwxMHZFQy0tNzVhUEk5U0NBTFZhMW9FVnkwQTZoM1o3cW5fRVFIcFcxVHYyc0hwOW9yckM4a3VVbi0xWHJ2SzE5bXZxWWV2dWtWVmlKUENiMndoazVQYy04a2IybHNqRjE4NXRZWk5oNVZwTXN5MGxjX01EM2VCWXVYYS1kcXRUWFlnTVFqT2xsa0ZOR1hYZEJmT3VmSUwyUE16UDVCSzFRUS1LbEhqbExDeVBxS0E=
kind: Secret
metadata:
  annotations:
    cpaas.io/creator: kubernetes-admin
    cpaas.io/updated-at: "2023-08-19T05:12:16Z"
    kubernetes.io/service-account.name: cls-access
    kubernetes.io/service-account.uid: ce14ed0c-9b96-465b-a339-2f6373139f78
  creationTimestamp: "2023-08-19T05:12:16Z"
  name: cls-access
  namespace: default
  resourceVersion: "753728"
  uid: 09d696e6-a3ac-4975-8f1e-b67496c3266d
type: kubernetes.io/service-account-token

# base64 解析token
moyu$ kubectl --kubeconfig eks get secret cls-access -o jsonpath='{.data.token}'|base64 -d
#token:
eyJhbGciOiJSUzI1NiIsImtpZCI6ImtFalN5ai1jWEtTdHZ5cXJjZ0FoWEdGbmZ4ZEdCSE0wbHRaaGI2dFRQNk0ifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImNscy1hY2Nlc3MiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiY2xzLWFjY2VzcyIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6ImNlMTRlZDBjLTliOTYtNDY1Yi1hMzM5LTJmNjM3MzEzOWY3OCIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpkZWZhdWx0OmNscy1hY2Nlc3MifQ.xaCOiOD-SGkpBvMmkzgX5A13ho11tO6qoTY1v605ctC6N7uIiOJhtr_H0iXgxxLTLMYtWB0SBVAbSPJTJUmLlx3DjGVe5f3aToNET-r9q1Vq-SR6VaWoF_bSdpx4RJL80on2ewuGWf7srk-eJGlRTu4xzECN1EUmYOPXn1al10vEC--75aPI9SCALVa1oEVy0A6h3Z7qn_EQHpW1Tv2sHp9orrC8kuUn-1XrvK19mvqYevukVViJPCb2whk5Pc-8kb2lsjF185tYZNh5VpMsy0lc_MD3eBYuXa-dqtTXYgMQjOllkFNGXXdBfOufIL2PMzP5BK1QQ-KlHjlLCyPqKA