背景说明
解决方案
服务账号
资源创建
创建文件 `jumpserver-admin.yaml`，内容如下（注意：该清单把内置的 `cluster-admin` ClusterRole 绑定到服务账号，后文取出的 token 因此等同于整个集群的最高权限凭证；请按最小权限原则确认 JumpServer 确实需要这么大的权限，否则应改绑更窄的 Role/ClusterRole）：
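# ServiceAccount that JumpServer uses to authenticate to the Kubernetes API.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: jumpserver-admin
  namespace: kube-system
---
# Binds the ServiceAccount above to the built-in cluster-admin ClusterRole.
#
# ClusterRoleBinding is a cluster-scoped object: a metadata.namespace field on
# it is ignored by the API server, so it was dropped here rather than left in
# place where it misleadingly suggests the binding is limited to kube-system.
#
# SECURITY: cluster-admin is the broadest built-in role. Every token issued
# for this ServiceAccount is therefore a full-cluster credential and must be
# handled like one. If JumpServer only needs a subset of operations, bind a
# narrower (Cluster)Role instead.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: jumpserver-admin
subjects:
- kind: ServiceAccount
  name: jumpserver-admin
  namespace: kube-system
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io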
通过 `kubectl apply` 创建服务账号与绑定（`apply` 是幂等的，下面输出里 ServiceAccount 显示为 `unchanged`，说明它在此之前已经创建过，本次只新建了 ClusterRoleBinding）
~ # kubectl apply -f jumpserver-admin.yaml
serviceaccount/jumpserver-admin unchanged
clusterrolebinding.rbac.authorization.k8s.io/jumpserver-admin created
~ #
查看账号及其 token Secret。注意：名为 `jumpserver-admin-token-xxxxx`、类型为 `kubernetes.io/service-account-token` 的 Secret 由控制面自动生成，这一行为只存在于 Kubernetes 1.24 之前的版本；1.24 及之后默认不再自动生成，需要手动创建该类型的 Secret，或改用 `kubectl create token jumpserver-admin -n kube-system` 签发带过期时间的 token。自动生成的这类 token 没有过期时间，一旦泄露，在删除对应 Secret 之前会一直有效。
~ # kubectl get sa -n kube-system |grep jump
jumpserver-admin 1 4m30s
~ # kubectl get secrets -n kube-system |grep jump
jumpserver-admin-token-qm5f4 kubernetes.io/service-account-token 3 4m53s
~ #
查看 Token（Secret 的 `data` 字段按 API 约定是 base64 编码的，所以这里直接输出的还不是可用的 token，需要再解码一次；jsonpath 表达式建议加单引号，避免被 shell 解释）
~ # kubectl get secrets -n kube-system jumpserver-admin-token-qm5f4 -o jsonpath='{.data.token}'
ZXlKaGJHY2lPaUpTVXpJMU5pSXNJbXRwWkNJNkluWXpVVWt4ZDFsWVRYZFhMWHBSYzNkNU1uWlRWSFpyUlhSb1QzWmtReTFPZFRKTlZHNVBRa1phTjFFaWZR
LmV5SnBjM01pT2lKcmRXSmxjbTVsZEdWekwzTmxjblpwWTJWaFkyTnZkVzUwSWl3aWEzVmlaWEp1WlhSbGN5NXBieTl6WlhKMmFXTmxZV05qYjNWdWRDOXVZ
VzFsYzNCaFkyVWlPaUpyZFdKbExYTjVjM1JsYlNJc0ltdDFZbVZ5Ym1WMFpYTXVhVzh2YzJWeWRtbGpaV0ZqWTI5MWJuUXZjMlZqY21WMExtNWhiV1VpT2lK
cWRXMXdjMlZ5ZG1WeUxXRmtiV2x1TFhSdmEyVnVMWEZ0TldZMElpd2lhM1ZpWlhKdVpYUmxjeTVwYnk5elpYSjJhV05sWVdOamIzVnVkQzl6WlhKMmFXTmxM
V0ZqWTI5MWJuUXVibUZ0WlNJNkltcDFiWEJ6WlhKMlpYSXRZV1J0YVc0aUxDSnJkV0psY201bGRHVnpMbWx2TDNObGNuWnBZMlZoWTJOdmRXNTBMM05sY25a
cFkyVXRZV05qYjNWdWRDNTFhV1FpT2lKbU5UVTFPREJqTkMwM1kyTmlMVFExTkRJdE9XTmhOUzFtWlRneE9EbGpOV0l4WW1VaUxDSnpkV0lpT2lKemVYTjBa
VzA2YzJWeWRtbGpaV0ZqWTI5MWJuUTZhM1ZpWlMxemVYTjBaVzA2YW5WdGNITmxjblpsY2kxaFpHMXBiaUo5LnRiSG5jdWxRYVo2ZnV4VHVDc0tBNFQ5V3Rp
VjdDSGhmeFB2M1hCX2ZMeFdobmdPUUdUdU4xSWNnLTRUelUxZDEzRGlVd1ZKVDJNNkp2d1VwT0VYN2M1NUR3RW9vS2dIdG4xam5OYnplUFBSbnRuRlpHUzF5
bUFWbDkyd2pNWC1oZ2tMTkI3R25yYWt1LWRfeFlaMVRBWG15dHJWbUN1cVA4ZEdiVmN6dlV5YkY5d2g3S3pmU3NHRlVyb2Q3TmdfU005VEFQb3lFdXRyWTlQ
M3lVY3pXTXM1LWZMRFV5YnRhVjRtY3BqS3F0LUVrQThjX1B1c2xiSGRza2plMHZXMEwyellaSDJ3dW9wVVBKLXliU1JYbG1sTjZ4cUNOamJGNDhNZTZSMzR5
LUQ0X3RLc2pNQlNGME9JMVhYZVA2dGFRVVcxN3dQTmNZdHpvRTZLS1RRRExxUQ==
~ #
解码 Token（解码后得到的 JWT 就是 cluster-admin 凭证，不要粘贴到共享文档、工单或聊天记录中；如果本页下方这样的 token 已经被公开，应立即 `kubectl delete secret -n kube-system jumpserver-admin-token-qm5f4` 使其失效，再重新生成）
~ # kubectl get secrets -n kube-system jumpserver-admin-token-qm5f4 -o jsonpath='{.data.token}' | base64 -d
eyJhbGciOiJSUzI1NiIsImtpZCI6InYzUUkxd1lYTXdXLXpRc3d5MnZTVHZrRXRoT3ZkQy1OdTJNVG5PQkZaN1EifQ.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.tbHnculQaZ6fuxTuCsKA4T9WtiV7CHhfxPv3XB_fLxWhngOQGTuN1Icg-4TzU1d13DiUwVJT2M6JvwUpOEX7c55DwEooKgHtn1jnNbzePPRntnFZGS1ymAVl92wjMX-hgkLNB7Gnraku-d_xYZ1TAXmytrVmCuqP8dGbVczvUybF9wh7KzfSsGFUrod7Ng_SM9TAPoyEutrY9P3yUczWMs5-fLDUybtaV4mcpjKqt-EkA8c_PuslbHdskje0vW0L2zYZH2wuopUPJ-ybSRXlmlN6xqCNjbF48Me6R34y-D4_tKsjMBSF0OI1XXeP6taQUW17wPNcYtzoE6KKTQDLqQ
~ #
验证 Token。下面的示例用了 `curl -k`，它会跳过对 API Server 证书的校验，在实验环境里方便把流程跑通，但也意味着这个 cluster-admin token 可能被发给中间人；同时把完整 token 直接写在命令行参数里，会留在 shell 历史和 `ps` 输出中。更稳妥的做法是从同一个 Secret 里取出 `ca.crt` 用来校验服务端证书，并把 token 放进变量（较新的 curl 还可以用 `-H @文件` 从文件读取请求头，进一步避免出现在 `ps` 中）：
TOKEN=$(kubectl get secrets -n kube-system jumpserver-admin-token-qm5f4 -o jsonpath='{.data.token}' | base64 -d)
kubectl get secrets -n kube-system jumpserver-admin-token-qm5f4 -o jsonpath='{.data.ca\.crt}' | base64 -d > ca.crt
curl --cacert ca.crt -H "Authorization: Bearer ${TOKEN}" https://172.28.165.239:6443
另外，根路径 `/` 返回下面这样的路径列表只能说明 token 通过了认证并被接受，并不能证明已经拿到 cluster-admin 权限；要确认授权结果，可以执行 `kubectl --server=https://172.28.165.239:6443 --certificate-authority=ca.crt --token="${TOKEN}" auth can-i '*' '*'`，期望输出为 `yes`。
[root@template ~]# curl -k -H 'Authorization: Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6InYzUUkxd1lYTXdXLXpRc3d5MnZTVHZrRXRoT3ZkQy1OdTJNVG5PQkZaN1EifQ.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.tbHnculQaZ6fuxTuCsKA4T9WtiV7CHhfxPv3XB_fLxWhngOQGTuN1Icg-4TzU1d13DiUwVJT2M6JvwUpOEX7c55DwEooKgHtn1jnNbzePPRntnFZGS1ymAVl92wjMX-hgkLNB7Gnraku-d_xYZ1TAXmytrVmCuqP8dGbVczvUybF9wh7KzfSsGFUrod7Ng_SM9TAPoyEutrY9P3yUczWMs5-fLDUybtaV4mcpjKqt-EkA8c_PuslbHdskje0vW0L2zYZH2wuopUPJ-ybSRXlmlN6xqCNjbF48Me6R34y-D4_tKsjMBSF0OI1XXeP6taQUW17wPNcYtzoE6KKTQDLqQ' https://172.28.165.239:6443
{
"paths": [
"/.well-known/openid-configuration",
"/api",
"/api/v1",
"/apis",
"/apis/",
"/apis/admissionregistration.k8s.io",
"/apis/admissionregistration.k8s.io/v1",
"/apis/admissionregistration.k8s.io/v1beta1",
"/apis/apiextensions.k8s.io",
"/apis/apiextensions.k8s.io/v1",
"/apis/apiextensions.k8s.io/v1beta1",
"/apis/apiregistration.k8s.io",
"/apis/apiregistration.k8s.io/v1",
"/apis/apiregistration.k8s.io/v1beta1",
"/apis/apps",
"/apis/apps/v1",
"/apis/authentication.k8s.io",
"/apis/authentication.k8s.io/v1",
"/apis/authentication.k8s.io/v1beta1",
"/apis/authorization.k8s.io",
"/apis/authorization.k8s.io/v1",
"/apis/authorization.k8s.io/v1beta1",
"/apis/autoscaling",
"/apis/autoscaling/v1",
"/apis/autoscaling/v2beta1",
"/apis/autoscaling/v2beta2",
"/apis/batch",
"/apis/batch/v1",
"/apis/batch/v1beta1",
"/apis/certificates.k8s.io",
"/apis/certificates.k8s.io/v1",
"/apis/certificates.k8s.io/v1beta1",
"/apis/coordination.k8s.io",
"/apis/coordination.k8s.io/v1",
"/apis/coordination.k8s.io/v1beta1",
"/apis/discovery.k8s.io",
"/apis/discovery.k8s.io/v1",
"/apis/discovery.k8s.io/v1beta1",
"/apis/events.k8s.io",
"/apis/events.k8s.io/v1",
"/apis/events.k8s.io/v1beta1",
"/apis/extensions",
"/apis/extensions/v1beta1",
"/apis/flowcontrol.apiserver.k8s.io",
"/apis/flowcontrol.apiserver.k8s.io/v1beta1",
"/apis/helm.cattle.io",
"/apis/helm.cattle.io/v1",
"/apis/k3s.cattle.io",
"/apis/k3s.cattle.io/v1",
"/apis/metrics.k8s.io",
"/apis/metrics.k8s.io/v1beta1",
"/apis/networking.k8s.io",
"/apis/networking.k8s.io/v1",
"/apis/networking.k8s.io/v1beta1",
"/apis/node.k8s.io",
"/apis/node.k8s.io/v1",
"/apis/node.k8s.io/v1beta1",
"/apis/policy",
"/apis/policy/v1",
"/apis/policy/v1beta1",
"/apis/rbac.authorization.k8s.io",
"/apis/rbac.authorization.k8s.io/v1",
"/apis/rbac.authorization.k8s.io/v1beta1",
"/apis/scheduling.k8s.io",
"/apis/scheduling.k8s.io/v1",
"/apis/scheduling.k8s.io/v1beta1",
"/apis/storage.k8s.io",
"/apis/storage.k8s.io/v1",
"/apis/storage.k8s.io/v1beta1",
"/apis/traefik.containo.us",
"/apis/traefik.containo.us/v1alpha1",
"/healthz",
"/healthz/autoregister-completion",
"/healthz/etcd",
"/healthz/log",
"/healthz/ping",
"/healthz/poststarthook/aggregator-reload-proxy-client-cert",
"/healthz/poststarthook/apiservice-openapi-controller",
"/healthz/poststarthook/apiservice-registration-controller",
"/healthz/poststarthook/apiservice-status-available-controller",
"/healthz/poststarthook/bootstrap-controller",
"/healthz/poststarthook/crd-informer-synced",
"/healthz/poststarthook/generic-apiserver-start-informers",
"/healthz/poststarthook/kube-apiserver-autoregistration",
"/healthz/poststarthook/priority-and-fairness-config-consumer",
"/healthz/poststarthook/priority-and-fairness-config-producer",
"/healthz/poststarthook/priority-and-fairness-filter",
"/healthz/poststarthook/rbac/bootstrap-roles",
"/healthz/poststarthook/scheduling/bootstrap-system-priority-classes",
"/healthz/poststarthook/start-apiextensions-controllers",
"/healthz/poststarthook/start-apiextensions-informers",
"/healthz/poststarthook/start-cluster-authentication-info-controller",
"/healthz/poststarthook/start-kube-aggregator-informers",
"/healthz/poststarthook/start-kube-apiserver-admission-initializer",
"/livez",
"/livez/autoregister-completion",
"/livez/etcd",
"/livez/log",
"/livez/ping",
"/livez/poststarthook/aggregator-reload-proxy-client-cert",
"/livez/poststarthook/apiservice-openapi-controller",
"/livez/poststarthook/apiservice-registration-controller",
"/livez/poststarthook/apiservice-status-available-controller",
"/livez/poststarthook/bootstrap-controller",
"/livez/poststarthook/crd-informer-synced",
"/livez/poststarthook/generic-apiserver-start-informers",
"/livez/poststarthook/kube-apiserver-autoregistration",
"/livez/poststarthook/priority-and-fairness-config-consumer",
"/livez/poststarthook/priority-and-fairness-config-producer",
"/livez/poststarthook/priority-and-fairness-filter",
"/livez/poststarthook/rbac/bootstrap-roles",
"/livez/poststarthook/scheduling/bootstrap-system-priority-classes",
"/livez/poststarthook/start-apiextensions-controllers",
"/livez/poststarthook/start-apiextensions-informers",
"/livez/poststarthook/start-cluster-authentication-info-controller",
"/livez/poststarthook/start-kube-aggregator-informers",
"/livez/poststarthook/start-kube-apiserver-admission-initializer",
"/logs",
"/metrics",
"/openapi/v2",
"/openid/v1/jwks",
"/readyz",
"/readyz/autoregister-completion",
"/readyz/etcd",
"/readyz/informer-sync",
"/readyz/log",
"/readyz/ping",
"/readyz/poststarthook/aggregator-reload-proxy-client-cert",
"/readyz/poststarthook/apiservice-openapi-controller",
"/readyz/poststarthook/apiservice-registration-controller",
"/readyz/poststarthook/apiservice-status-available-controller",
"/readyz/poststarthook/bootstrap-controller",
"/readyz/poststarthook/crd-informer-synced",
"/readyz/poststarthook/generic-apiserver-start-informers",
"/readyz/poststarthook/kube-apiserver-autoregistration",
"/readyz/poststarthook/priority-and-fairness-config-consumer",
"/readyz/poststarthook/priority-and-fairness-config-producer",
"/readyz/poststarthook/priority-and-fairness-filter",
"/readyz/poststarthook/rbac/bootstrap-roles",
"/readyz/poststarthook/scheduling/bootstrap-system-priority-classes",
"/readyz/poststarthook/start-apiextensions-controllers",
"/readyz/poststarthook/start-apiextensions-informers",
"/readyz/poststarthook/start-cluster-authentication-info-controller",
"/readyz/poststarthook/start-kube-aggregator-informers",
"/readyz/poststarthook/start-kube-apiserver-admission-initializer",
"/readyz/shutdown",
"/version"
]
}
[root@template ~]#