Generating a cluster admin token

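To generate a cluster admin token in K8s, create an admin user and grant it the admin role binding. The YAML file below (saved as admin-role.yaml) creates a ServiceAccount named admin in the kube-system namespace and binds it to the built-in cluster-admin ClusterRole, which gives it administrator privileges over the whole cluster. You can then access Kubernetes with that account's token: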

    kind: ClusterRoleBinding
    # rbac.authorization.k8s.io/v1beta1 is no longer served from Kubernetes 1.22;
    # use rbac.authorization.k8s.io/v1 on those clusters.
    apiVersion: rbac.authorization.k8s.io/v1beta1
    metadata:
      name: admin
      annotations:
        rbac.authorization.kubernetes.io/autoupdate: "true"
    roleRef:
      kind: ClusterRole
      name: cluster-admin
      apiGroup: rbac.authorization.k8s.io
    subjects:
    - kind: ServiceAccount
      name: admin
      namespace: kube-system
    ---
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: admin
      namespace: kube-system
      labels:
        kubernetes.io/cluster-service: "true"
        addonmanager.kubernetes.io/mode: Reconcile

Then run the following command to create the ServiceAccount and the role binding:

    kubectl create -f admin-role.yaml

Once they are created, read the token value from the secret:

    # Get the name of the admin-token secret
    $ kubectl -n kube-system get secret|grep admin-token
    admin-token-nwphb kubernetes.io/service-account-token 3 6m
    # Get the value of the token
    $ kubectl -n kube-system describe secret admin-token-nwphb
    Name:         admin-token-nwphb
    Namespace:    kube-system
    Labels:       <none>
    Annotations:  kubernetes.io/service-account.name=admin
                  kubernetes.io/service-account.uid=f37bd044-bfb3-11e7-87c0-f4e9d49f8ed0
    Type:         kubernetes.io/service-account-token
    Data
    ====
    namespace:  11 bytes
    token:      (a very long string)
    ca.crt:     1310 bytes
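
The token shown by `kubectl describe secret` is a JWT, so its claims can be inspected before it is handed out. The following is an added example, not part of the original page: the function names are hypothetical and the sample token is constructed, with claims shaped like those of a secret-based service-account token and a placeholder instead of a real signature.

```python
import base64
import json

PREFIX = "kubernetes.io/serviceaccount/"

def b64url(raw: bytes) -> str:
    """Unpadded base64url, as used for JWT segments."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def decode_claims(token: str) -> dict:
    """Return the payload claims of a JWT WITHOUT verifying its signature."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore padding
    return json.loads(base64.urlsafe_b64decode(payload))

def summarize(token: str) -> dict:
    """Pull out the fields that matter when reviewing a service-account token."""
    claims = decode_claims(token)
    return {
        "subject": claims.get("sub"),
        "namespace": claims.get(PREFIX + "namespace"),
        "secret": claims.get(PREFIX + "secret.name"),
        "expires": claims.get("exp"),
        # Secret-based tokens carry no "exp" claim: they stay valid until
        # the Secret (or the ServiceAccount) is deleted.
        "long_lived": "exp" not in claims,
    }

# Constructed sample: claims shaped like those of the admin token above,
# with a placeholder where the API server's signature would be.
SAMPLE_CLAIMS = {
    "iss": "kubernetes/serviceaccount",
    PREFIX + "namespace": "kube-system",
    PREFIX + "secret.name": "admin-token-nwphb",
    PREFIX + "service-account.name": "admin",
    "sub": "system:serviceaccount:kube-system:admin",
}
SAMPLE_TOKEN = ".".join([
    b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    b64url(json.dumps(SAMPLE_CLAIMS).encode()),
    "constructed-signature",
])

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_TOKEN).items():
        print(f"{key:10} {value}")
```

A token that reports `long_lived` as true is revoked by deleting its secret, for example `kubectl -n kube-system delete secret admin-token-nwphb`.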