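Accessing the apiserver with a token

  1. Generate a token
head -c 16 /dev/urandom | od -An -t x | tr -d ' '
  1. Write the generated token to the token_auth file (format: token,user,uid)
4288abaa5b9552d2bbecb7103ffc9974,bigdaddy,1
  1. Add the option to the apiserver
- --token-auth-file=/etc/kubernetes/pki/token_auth
  1. Grant permissions to user bigdaddy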
# cat bigdaddy.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: bigdaddy-admin-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: bigdaddy
  1. Test

Without the token, the apiserver reports that the request has no permission:

# curl  https://172.24.18.163:6443/api -k
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {

  },
  "status": "Failure",
  "message": "forbidden: User \"system:anonymous\" cannot get path \"/api\"",
  "reason": "Forbidden",
  "details": {

  },
  "code": 403
}

With the token, the request succeeds:

# curl -H "Authorization:Bearer 4288abaa5b9552d2bbecb7103ffc9974"  https://172.24.18.163:6443/api -k
{
  "kind": "APIVersions",
  "versions": [
    "v1"
  ],
  "serverAddressByClientCIDRs": [
    {
      "clientCIDR": "0.0.0.0/0",
      "serverAddress": "172.24.18.163:6443"
    }
  ]
}
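
The token file from steps 1 and 2 holds long-lived credentials in plaintext, so it is worth creating it owner-only and checking its format before pointing the apiserver at it. The following is an added example, not part of the original post; the function names and the 0600 mode check are assumptions chosen for illustration.

```bash
# Added example: create and sanity-check a static token file for
# kube-apiserver's --token-auth-file. Function names are hypothetical.

# Print a 128-bit random token as 32 hex characters (same pipeline as step 1).
gen_token() {
  head -c 16 /dev/urandom | od -An -t x | tr -d ' \n'
}

# Append "token,user,uid" to FILE, creating it owner-only (0600),
# and print the new token so it can be handed to the client.
add_token_entry() {
  local file=$1 user=$2 uid=$3 token
  token=$(gen_token)
  ( umask 077; printf '%s,%s,%s\n' "$token" "$user" "$uid" >> "$file" )
  chmod 600 "$file"
  printf '%s\n' "$token"
}

# Return 0 only if FILE is mode 600 and every line carries a 32-hex-char
# token, a user name and a uid, with no token appearing twice.
check_token_file() {
  local file=$1 mode
  # GNU stat first, BSD stat as fallback.
  mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file" 2>/dev/null) || return 1
  [ "$mode" = "600" ] || { echo "bad mode $mode on $file" >&2; return 1; }
  awk -F, '
    NF < 3 || $2 == "" || $3 == ""        { print "line " NR ": need token,user,uid"; bad = 1 }
    length($1) != 32 || $1 ~ /[^0-9a-f]/  { print "line " NR ": token is not 32 hex chars"; bad = 1 }
    seen[$1]++                            { print "line " NR ": duplicate token"; bad = 1 }
    END { exit bad }
  ' "$file" >&2
}
```

The apiserver reads the token file only at startup, so adding or revoking an entry takes effect after the apiserver is restarted.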
