- 先创建 ServiceAccount(sa)、ClusterRole(cr)和 ClusterRoleBinding(crb)
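# ClusterRoleBinding: grants the ClusterRole "cluser-bigdaddy" to the
# ServiceAccount default/myk8sadmin across the whole cluster.
# Whoever holds that ServiceAccount's token gets every right of the
# referenced role, so the role's rules define the real exposure. Where
# access to a single namespace is enough, a namespaced RoleBinding keeps
# the grant from applying cluster-wide.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: myk8sadmin-cluser-bigdaddy
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluser-bigdaddy
subjects:
  - kind: ServiceAccount
    name: myk8sadmin
    namespace: default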
---
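# ClusterRole: allows every verb on every resource in every API group, plus
# every verb on every non-resource URL. That is the same reach as the
# built-in cluster-admin role, including reading all Secrets and changing
# RBAC itself.
# Outside a throwaway test cluster, list only the apiGroups, resources and
# verbs the client actually calls.
# rbac.authorization.k8s.io/v1beta1 was removed in Kubernetes 1.22; v1 is
# used here, matching the ClusterRoleBinding on this page.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluser-bigdaddy
rules:
  - apiGroups:
      - '*'
    resources:
      - '*'
    verbs:
      - '*'
  - nonResourceURLs:
      - '*'
    verbs:
      - '*'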
---
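# ServiceAccount: the identity whose token the client code authenticates with.
# It carries no rights of its own; everything it may do comes from the
# bindings that name it as a subject.
apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: default
  name: myk8sadmin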
- 根据sa获取到token
# Read the ServiceAccount token from its Secret and decode it from base64.
# The "-pnn48" suffix is generated per cluster; look up the real Secret name
# with `kubectl get secret` first.
# On Kubernetes 1.24 and later no token Secret is created automatically for a
# ServiceAccount; `kubectl create token myk8sadmin` issues a time-limited
# token instead.
# The output is a bearer credential with all rights bound to the account:
# keep it out of logs, tickets and version control.
kubectl get secret myk8sadmin-token-pnn48 -o jsonpath='{.data.token}' | base64 -d
- 代码中使用
// K8sClient is the package-level clientset; init assigns it once at start-up.
var K8sClient *kubernetes.Clientset

// init builds K8sClient from a fixed API server address and a bearer token,
// and ends the process through log.Fatalln if the clientset cannot be
// created.
func init() {
	cfg := &rest.Config{
		// NOTE(review): the http:// scheme means no TLS, so the server is not
		// authenticated and traffic is readable on the network, presumably
		// including the bearer token below; confirm, and prefer an https://
		// address with the cluster CA set in TLSClientConfig.
		Host: "http://apiserver的地址:9527",
		// NOTE(review): a token written into source ends up in version
		// control and in the binary. Load it at runtime instead, for example
		// through rest.Config.BearerTokenFile.
		BearerToken: "第2步得到的token",
	}

	clientset, err := kubernetes.NewForConfig(cfg)
	if err != nil {
		log.Fatalln(err)
	}
	K8sClient = clientset
}
这个代码是用的token的方式,还可以直接使用kubeconfig的方式来生成config。如下所示:
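// GetClient returns a Kubernetes clientset.
//
// It first tries in-cluster configuration (the client runs inside the
// cluster and is initialised from its ServiceAccount). If that fails it
// falls back to out-of-cluster configuration read from the kubeconfig file
// named by the -kubeconfig flag, which defaults to $HOME/.kube/config when a
// home directory is found.
//
// The clientset acts with whatever rights the selected credentials carry, so
// the RBAC bound to that ServiceAccount or kubeconfig user decides what a
// caller of this function can do in the cluster.
//
// Configuration and client errors are returned to the caller. An earlier
// version panicked on a kubeconfig failure even though the signature already
// returned an error.
func GetClient() (*kubernetes.Clientset, error) {
	// Define -kubeconfig only once: the flag package panics when a name is
	// defined twice, which made a second call to GetClient crash.
	kubeconfigFlag := flag.Lookup("kubeconfig")
	if kubeconfigFlag == nil {
		if home := homedir.HomeDir(); home != "" {
			flag.String("kubeconfig", filepath.Join(home, ".kube", "config"), "kubeconfig的绝对路径")
		} else {
			flag.String("kubeconfig", "", "absolute path to the kubeconfig file")
		}
		kubeconfigFlag = flag.Lookup("kubeconfig")
	}
	flag.Parse()
	kubeconfig := kubeconfigFlag.Value.String()

	// In-cluster mode: build the config from the ServiceAccount.
	config, err := rest.InClusterConfig()
	if err != nil {
		// Out-of-cluster mode: build the config from the kubeconfig file.
		config, err = clientcmd.BuildConfigFromFlags("", kubeconfig)
		if err != nil {
			return nil, fmt.Errorf("building config from kubeconfig %q: %w", kubeconfig, err)
		}
	}

	// Create the clientset.
	clientset, err := kubernetes.NewForConfig(config)
	if err != nil {
		return nil, fmt.Errorf("creating clientset: %w", err)
	}
	return clientset, nil
}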