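# How to use a long-lived token in k8s
https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#manually-create-an-api-token-for-a-serviceaccount
As the official documentation describes, create a ServiceAccount and associate it with a Secret, as in the following code: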
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: {{ include "sa.serviceAccountName" . }}-secret
  annotations:
    kubernetes.io/service-account.name: {{ include "sa.serviceAccountName" . }}
type: kubernetes.io/service-account-token
```
With Helm it looks like this (you can run `helm create`, delete all the other generated files so that only serviceaccount.yaml is left, and then run `helm install`):
serviceaccount.yaml
```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ .Release.Name }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ .Release.Name }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    name: {{ .Release.Name }}
    namespace: {{ .Release.Namespace }}
---
apiVersion: v1
kind: Secret
metadata:
  name: {{ .Release.Name }}-secret
  annotations:
    kubernetes.io/service-account.name: {{ .Release.Name }}
type: kubernetes.io/service-account-token
```
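View the token:

```bash
# API server address from the current kubeconfig
kubectl config view | grep server | cut -f 2- -d ":" | tr -d " "
# The long-lived token, base64-decoded
kubectl get secret build-robot-sa-secret -o jsonpath='{.data.token}' | base64 -d
# The cluster CA certificate (left base64-encoded)
kubectl get secret build-robot-sa-secret -o jsonpath='{.data.ca\.crt}'
```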
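A token stored in a `kubernetes.io/service-account-token` Secret does not expire, and the manifest above binds its ServiceAccount to cluster-admin, so it helps to be able to inventory such tokens. The script below is an added example, not part of the original post: it takes the JSON printed by `kubectl get secrets -A -o json` and `kubectl get clusterrolebindings -o json` and lists every Secret-backed token, flagging the ones whose ServiceAccount is bound directly to cluster-admin. The sample data is constructed; the namespace `default`, the release name `build-robot-sa` (inferred from the Secret name used above) and the `ci-reader` and `app-config` objects are assumptions.

```python
SA_TOKEN_TYPE = "kubernetes.io/service-account-token"
SA_ANNOTATION = "kubernetes.io/service-account.name"

def cluster_admin_service_accounts(bindings):
    """(namespace, name) of every ServiceAccount bound directly to cluster-admin."""
    admins = set()
    for b in bindings.get("items", []):
        ref = b.get("roleRef", {})
        if (ref.get("kind"), ref.get("name")) != ("ClusterRole", "cluster-admin"):
            continue
        for subj in b.get("subjects") or []:  # subjects may be absent or null
            if subj.get("kind") == "ServiceAccount":
                admins.add((subj.get("namespace"), subj.get("name")))
    return admins

def long_lived_tokens(secrets, bindings):
    """Every Secret-backed (non-expiring) ServiceAccount token, with an admin flag."""
    admins = cluster_admin_service_accounts(bindings)
    findings = []
    for s in secrets.get("items", []):
        if s.get("type") != SA_TOKEN_TYPE:
            continue  # Opaque, TLS, etc. are not ServiceAccount tokens
        meta = s["metadata"]
        sa = (meta.get("annotations") or {}).get(SA_ANNOTATION)
        findings.append({"secret": f"{meta['namespace']}/{meta['name']}",
                         "service_account": sa,
                         "cluster_admin": (meta["namespace"], sa) in admins})
    return findings

# Constructed sample input, shaped like `kubectl get secrets -A -o json` and
# `kubectl get clusterrolebindings -o json`. Namespace "default" and the
# ci-reader / app-config objects are made up for this example.
def _secret(ns, name, typ, sa=None):
    meta = {"namespace": ns, "name": name, "annotations": {SA_ANNOTATION: sa} if sa else None}
    return {"type": typ, "metadata": meta}

def _crb(role, ns, sa):
    return {"roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": role},
            "subjects": [{"kind": "ServiceAccount", "name": sa, "namespace": ns}]}

SECRETS = {"items": [_secret("default", "build-robot-sa-secret", SA_TOKEN_TYPE, "build-robot-sa"),
                     _secret("default", "ci-reader-secret", SA_TOKEN_TYPE, "ci-reader"),
                     _secret("default", "app-config", "Opaque")]}
BINDINGS = {"items": [_crb("cluster-admin", "default", "build-robot-sa"),
                      _crb("view", "default", "ci-reader")]}

if __name__ == "__main__":
    for finding in long_lived_tokens(SECRETS, BINDINGS):
        print(finding)
```

Only ServiceAccounts named directly as ClusterRoleBinding subjects are flagged; bindings made through groups or namespaced RoleBindings are outside what this check covers.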
Last updated: 2024/08/08, 06:59:58