Kubernetes: obtaining a permanent (non-expiring) ServiceAccount token

Published 2023-10-23 22:43:33 Author: 纵马疾驰

Overview

Before Kubernetes 1.22, every ServiceAccount automatically received a Secret holding a non-expiring token, and pods mounted that Secret. From 1.22 on (where bound ServiceAccount token volumes went GA) pods are given short-lived projected tokens instead, and since 1.24 the token controller no longer creates a token Secret for a ServiceAccount at all. To obtain a permanent token on these versions you must create a Secret of type kubernetes.io/service-account-token yourself, as described below.

Steps

ServiceAccount token Secret

A Secret of type kubernetes.io/service-account-token stores a token credential that identifies a ServiceAccount.

Note:

When using this Secret type, you must make sure the object's annotation kubernetes.io/service-account.name is set to the name of an existing ServiceAccount. If you are creating both the ServiceAccount and the Secret, create the ServiceAccount first.

Once the Secret has been created, a Kubernetes controller fills in its remaining fields, for example the kubernetes.io/service-account.uid annotation and the token key under data, so that it holds the actual token.

Create a ServiceAccount and bind it to the cluster-admin ClusterRole. Note that cluster-admin grants unrestricted access to the whole cluster, so a non-expiring token for it is effectively a root credential; bind a narrower role whenever the use case allows:

echo "
apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: default
  name: cls-access
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cls-access
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    namespace: default
    name: cls-access
" | kubectl --kubeconfig eks apply -f - 

The following manifest declares a ServiceAccount token Secret:

apiVersion: v1
kind: Secret
metadata:
  name: cls-access
  namespace: default   # must be the namespace of the ServiceAccount it refers to
  annotations:
    kubernetes.io/service-account.name: "cls-access"
type: kubernetes.io/service-account-token
#data:
  # you can add extra key/value pairs here, just as in an Opaque Secret
  #extra: YmFyCg==

Once the Secret has been created, wait for Kubernetes to populate the token key in its data field. The token it issues carries no expiry and stays valid until the Secret (or the ServiceAccount) is deleted, so deleting the Secret is also the way to revoke it; handle the token like a long-lived password.

View the token:

kubectl --kubeconfig eks get secret cls-access -o yaml
# output:
apiVersion: v1
data:
  ca.crt: <omitted>
  namespace: ZGVmYXVsdA==
  token: <omitted>
kind: Secret
metadata:
  annotations:
    cpaas.io/creator: kubernetes-admin
    cpaas.io/updated-at: "2023-08-19T05:12:16Z"
    kubernetes.io/service-account.name: cls-access
    kubernetes.io/service-account.uid: ce14ed0c-9b96-465b-a339-2f6373139f78
  creationTimestamp: "2023-08-19T05:12:16Z"
  name: cls-access
  namespace: default
  resourceVersion: "753728"
  uid: 09d696e6-a3ac-4975-8f1e-b67496c3266d
type: kubernetes.io/service-account-token

# base64-decode the token
moyu$ kubectl --kubeconfig eks get secret cls-access -o jsonpath='{.data.token}'|base64 -d
#token:
eyJhbGciOiJSUzI1NiIsImtpZCI6ImtFalN5ai1jWEtTdHZ5cXJjZ0FoWEdGbmZ4ZEdCSE0wbHRaaGI2dFRQNk0ifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImNscy1hY2Nlc3MiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiY2xzLWFjY2VzcyIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6ImNlMTRlZDBjLTliOTYtNDY1Yi1hMzM5LTJmNjM3MzEzOWY3OCIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpkZWZhdWx0OmNscy1hY2Nlc3MifQ.xaCOiOD-SGkpBvMmkzgX5A13ho11tO6qoTY1v605ctC6N7uIiOJhtr_H0iXgxxLTLMYtWB0SBVAbSPJTJUmLlx3DjGVe5f3aToNET-r9q1Vq-SR6VaWoF_bSdpx4RJL80on2ewuGWf7srk-eJGlRTu4xzECN1EUmYOPXn1al10vEC--75aPI9SCALVa1oEVy0A6h3Z7qn_EQHpW1Tv2sHp9orrC8kuUn-1XrvK19mvqYevukVViJPCb2whk5Pc-8kb2lsjF185tYZNh5VpMsy0lc_MD3eBYuXa-dqtTXYgMQjOllkFNGXXdBfOufIL2PMzP5BK1QQ-KlHjlLCyPqKA
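The whole procedure above (ServiceAccount, ClusterRoleBinding, token Secret, waiting for the controller to fill data.token, extracting the token) as one script, plus two things a practitioner wants on top: a decoder for the JWT payload that confirms the token has no exp claim (which is what makes it "permanent"), and a standalone kubeconfig built from the token and ca.crt. This is an added example, not code from the original post. It assumes the kubeconfig file eks, namespace default and name cls-access from the post, that kubectl and base64 are on PATH, a 30-second wait for the controller, and the argument "run" to guard the part that actually talks to a cluster; the JWT is only decoded, never signature-verified.

```sh
#!/bin/sh
# Added example (not from the original post). Assumes: kubeconfig "eks",
# namespace "default", name "cls-access", kubectl and base64 on PATH.
set -eu

KUBECONFIG_IN="${KUBECONFIG_IN:-eks}"
NS="${NS:-default}"
NAME="${NAME:-cls-access}"

# Emit ServiceAccount, ClusterRoleBinding and token Secret in one stream.
# $1 = namespace, $2 = name, $3 = ClusterRole (cluster-admin in the post;
# prefer a narrower role in real use).
sa_token_manifest() {
  cat <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: $1
  name: $2
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: $2
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: $3
subjects:
  - kind: ServiceAccount
    namespace: $1
    name: $2
---
apiVersion: v1
kind: Secret
metadata:
  namespace: $1
  name: $2
  annotations:
    kubernetes.io/service-account.name: "$2"
type: kubernetes.io/service-account-token
EOF
}

# Poll until the token controller has filled data.token; print it decoded.
# $1 = kubeconfig, $2 = namespace, $3 = secret name
wait_for_token() {
  i=0
  while [ "$i" -lt 30 ]; do
    tok=$(kubectl --kubeconfig "$1" -n "$2" get secret "$3" \
            -o jsonpath='{.data.token}' 2>/dev/null || true)
    if [ -n "$tok" ]; then
      printf '%s' "$tok" | base64 -d
      return 0
    fi
    i=$((i + 1)); sleep 1
  done
  echo "timed out waiting for data.token on secret $2/$3" >&2
  return 1
}

# Decode the JWT payload (second dot-separated segment) without verifying it:
# base64url -> base64, re-add the padding the JWT format strips.
jwt_payload() {
  p=$(printf '%s' "$1" | cut -d. -f2 | sed 's/-/+/g; s/_/\//g')
  while [ $(( ${#p} % 4 )) -ne 0 ]; do p="$p="; done
  printf '%s' "$p" | base64 -d
}

# A Secret-backed token carries no "exp" claim: it lives until the Secret is
# deleted. Returns 0 when there is no exp claim, 1 when the token expires.
token_is_long_lived() {
  if jwt_payload "$1" | grep -q '"exp"'; then return 1; fi
  return 0
}

# Build a standalone kubeconfig from server URL, base64 CA and bearer token.
# $1 = server, $2 = ca.crt (base64), $3 = token, $4 = namespace, $5 = user
make_kubeconfig() {
  cat <<EOF
apiVersion: v1
kind: Config
clusters:
- name: cluster
  cluster:
    server: $1
    certificate-authority-data: $2
contexts:
- name: $5
  context:
    cluster: cluster
    namespace: $4
    user: $5
current-context: $5
users:
- name: $5
  user:
    token: $3
EOF
}

main() {
  sa_token_manifest "$NS" "$NAME" cluster-admin | kubectl --kubeconfig "$KUBECONFIG_IN" apply -f -
  token=$(wait_for_token "$KUBECONFIG_IN" "$NS" "$NAME")
  ca=$(kubectl --kubeconfig "$KUBECONFIG_IN" -n "$NS" get secret "$NAME" -o jsonpath='{.data.ca\.crt}')
  server=$(kubectl --kubeconfig "$KUBECONFIG_IN" config view --minify -o jsonpath='{.clusters[0].cluster.server}')
  token_is_long_lived "$token" && echo "token has no exp claim: valid until the Secret is deleted" >&2
  make_kubeconfig "$server" "$ca" "$token" "$NS" "$NAME" > "$NAME.kubeconfig"
  chmod 600 "$NAME.kubeconfig"
  kubectl --kubeconfig "$NAME.kubeconfig" auth can-i '*' '*' >&2
}

# Only touch a cluster when invoked as: sh sa-token.sh run
if [ "${1:-}" = "run" ]; then main; fi
```

Run it with `sh sa-token.sh run`; it writes cls-access.kubeconfig (mode 600) and finishes with `kubectl auth can-i '*' '*'`, which answers "yes" for a cluster-admin binding. Because the token never expires, keep that file out of shared storage and revoke it by deleting the Secret when it is no longer needed.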