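I. Prerequisites and notes:
1. k3s is installed and kubeconfig is configured.
2. In Kubernetes versions after 1.24, creating a service account does not automatically create a secret; the secret must be created manually.
II. Steps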
1. Create the service account
apiVersion: v1
kind: ServiceAccount
metadata:
  name: apiserver-sa
  namespace: kube-system
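2. Create a high-privilege cluster role
# Note: Kubernetes already ships a built-in ClusterRole named cluster-admin.
# The wildcards below grant every verb on every resource in every API group.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-admin
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["*"]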
3. Bind the service account to the cluster role
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: api-admin-bind
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: apiserver-sa
  namespace: kube-system
4. Create the secret manually (a token is assigned to it automatically)
apiVersion: v1
kind: Secret
metadata:
  name: apiserver-token-secret
  namespace: kube-system
  annotations:
    kubernetes.io/service-account.name: "apiserver-sa"  # matches the service account name created in step 1
type: kubernetes.io/service-account-token
5. The token in the secret is base64-encoded; decode it and save it to token.txt for later use
kubectl -n kube-system get secrets apiserver-token-secret -o jsonpath='{.data.token}' | base64 -d > token.txt
6. Access the apiserver with curl
# -k disables verification of the apiserver's TLS certificate
curl -H "Authorization: Bearer $(cat token.txt)" -k https://127.0.0.1:6443/api/v1/namespaces/kube-system
7. Other
Determining the apiserver address: 127.0.0.1:6443 is the apiserver address used here. Use kubectl to look up the apiserver address of your own environment:
kubectl cluster-info
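As an added example (not part of the original post), the script below decodes the claims of the token saved in step 5 so you can confirm which service account it represents and whether it carries an expiry. The helper names and the claim layout of the constructed sample token are assumptions for illustration; the sample is unsigned and is not a real credential.

```shell
#!/bin/sh
# Added example: read the claims of a service-account token without a cluster.

# Decode one base64url segment (JWT segments drop '=' padding, use '-' and '_').
b64url_decode() (
  s=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#s} % 4 )) in
    2) s="$s==" ;;
    3) s="$s=" ;;
  esac
  printf '%s' "$s" | base64 -d
)

# Encode stdin as base64url; only used to build the constructed sample below.
b64url_encode() { base64 | tr -d '=\n' | tr '/+' '_-'; }

# JSON payload = second dot-separated segment of the token.
jwt_payload() { b64url_decode "$(printf '%s' "$1" | cut -d. -f2)"; }

# Value of a top-level string claim, e.g. sub.
jwt_claim() {
  jwt_payload "$1" | tr -d '\n' |
    sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p"
}

# Numeric exp claim; prints nothing when the token carries no expiry.
jwt_expiry() {
  jwt_payload "$1" | tr -d '\n' |
    sed -n 's/.*"exp"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p'
}

token_report() (
  exp=$(jwt_expiry "$1")
  printf 'subject: %s\n' "$(jwt_claim "$1" sub)"
  printf 'expiry:  %s\n' "${exp:-none}"
)

# Constructed, unsigned sample token (assumed claim layout), not a real credential.
SAMPLE_PAYLOAD='{"iss":"kubernetes/serviceaccount","sub":"system:serviceaccount:kube-system:apiserver-sa"}'
SAMPLE_TOKEN="$(printf '%s' '{"alg":"RS256"}' | b64url_encode).$(printf '%s' "$SAMPLE_PAYLOAD" | b64url_encode).constructed"

# Use token.txt from step 5 when present, otherwise the constructed sample.
if [ -f token.txt ]; then token_report "$(cat token.txt)"; else token_report "$SAMPLE_TOKEN"; fi
```

A token with no exp claim stays valid until its Secret or service account is deleted, so keep token.txt readable only by its owner (chmod 600 token.txt) and delete the Secret when the token is no longer needed.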
From: https://www.cnblogs.com/danny-djy/p/18297805