k8s查看用户的token并验证


参考 k8s使用ServiceAccount Token的方式访问apiserver

kube-dns查看token

serviceaccounts (aka 'sa')

查看账号

    #查看所有账号
[root@docker176 kubernetes]# kubectl -n kube-system get sa
NAME                       SECRETS   AGE
calico-cni-plugin          1         2d
calico-policy-controller   1         2d
default                    1         124d
heapster                   1         55d
kube-dns                   1         2d

# Show a single service account (here kube-dns) in the kube-system namespace.
kubectl get serviceaccount kube-dns --namespace kube-system

取得secrets

kubectl -n kube-system get sa kube-dns -o yaml 取得secrets

[root@docker176 ~]# kubectl -n kube-system get sa  kube-dns -o yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  creationTimestamp: 2019-04-12T12:32:49Z
  labels:
    addonmanager.kubernetes.io/mode: Reconcile
    kubernetes.io/cluster-service: "true"
  name: kube-dns
  namespace: kube-system
  resourceVersion: "16174692"
  selfLink: /api/v1/namespaces/kube-system/serviceaccounts/kube-dns
  uid: 1557807a-5d1f-11e9-9df3-000c2938862c
secrets:
- name: kube-dns-token-rst6j

secrets值为kube-dns-token-rst6j

取得token

# Dump the secret bound to the kube-dns service account as YAML.
# The data fields (ca.crt, namespace, token) are base64-encoded, not encrypted.
kubectl --namespace kube-system get secret kube-dns-token-rst6j --output yaml

[root@docker176 kubernetes]# kubectl get secrets kube-dns-token-rst6j -n kube-system -oyaml  
apiVersion: v1
data:
  ca.crt: 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
  namespace: a3ViZS1zeXN0ZW0=
  token: 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
kind: Secret
metadata:
  annotations:
    kubernetes.io/service-account.name: kube-dns
    kubernetes.io/service-account.uid: 1557807a-5d1f-11e9-9df3-000c2938862c
  creationTimestamp: 2019-04-12T12:32:49Z
  name: kube-dns-token-rst6j
  namespace: kube-system
  resourceVersion: "16174691"
  selfLink: /api/v1/namespaces/kube-system/secrets/kube-dns-token-rst6j
  uid: 155b7304-5d1f-11e9-9df3-000c2938862c
type: kubernetes.io/service-account-token                 

取得token并解码

取得token值

# Print only the token field of the secret; the value is still base64-encoded.
kubectl --namespace kube-system get secret kube-dns-token-rst6j --output jsonpath='{.data.token}'

[root@docker176 kubernetes]# kubectl get secret kube-dns-token-rst6j -n kube-system -o jsonpath={".data.token"}
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

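token解码(base64)

解码后得到的是JWT格式的ServiceAccount token,其载荷中没有过期时间(exp)字段,在对应的secret或ServiceAccount被删除之前一直有效,应当作长期凭据妥善保管,不要输出到日志或公开页面。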

# Read the token field and base64-decode it; the result is the bearer token
# (a JWT) that the service account presents to the apiserver.
kubectl --namespace kube-system get secret kube-dns-token-rst6j --output jsonpath='{.data.token}' | base64 --decode

[root@docker176 kubernetes]# kubectl get secret kube-dns-token-rst6j -n kube-system -o jsonpath={".data.token"}| base64 -d

eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJrdWJlLWRucy10b2tlbi1yc3Q2aiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJrdWJlLWRucyIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjE1NTc4MDdhLTVkMWYtMTFlOS05ZGYzLTAwMGMyOTM4ODYyYyIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDprdWJlLXN5c3RlbTprdWJlLWRucyJ9.jHAU6a2pA4YaJX0Cj2C0fKGtoPO0v4E-JL7P8x09jhSsxo15XtC-q-sEdUOSz4OYa9wO3ZZ4MfCSjNCJu1TbljiuDJk2foPWIoHlMvAPV70NOVv4RmAtJqgIueqv-maEQdoiY7k2eoA8VHhpUXefct6MA4YJeR9i6FmG3sodcuj9nU9NXAyxao5wSdY2PeXKZAVEKzLetcov1JfEHFi41csGdn10FgYRSVU19fSVS5C8l30a5qyBYTBKz5SS4J7T0ZkCIOD7ZWtLNsL-sGM8aDMvWUpQnuwvP_viraiGW1SlU-EfsocOTcj5JEw-XFWS4mrIZ5s4Opp5HYHU5ggv-Q

查看calico token

查看calico账号

# Show the calico-policy-controller service account in kube-system.
kubectl get serviceaccount calico-policy-controller --namespace kube-system

[root@docker176 kubernetes]# kubectl -n kube-system get sa
NAME                       SECRETS   AGE
calico-cni-plugin          1         2d
calico-policy-controller   1         2d
default                    1         124d
heapster                   1         55d
kube-dns                   1         2d
[root@docker176 kubernetes]# kubectl -n kube-system get sa calico-policy-controller
NAME                       SECRETS   AGE
calico-policy-controller   1         2d

取得secrets

# Print the service account as YAML; its secrets list names the token secret.
kubectl get serviceaccount calico-policy-controller --namespace kube-system --output yaml

[root@docker176 kubernetes]# kubectl -n kube-system get sa calico-policy-controller -o yaml         
apiVersion: v1
kind: ServiceAccount
metadata:
  creationTimestamp: 2019-04-12T12:32:45Z
  name: calico-policy-controller
  namespace: kube-system
  resourceVersion: "16174639"
  selfLink: /api/v1/namespaces/kube-system/serviceaccounts/calico-policy-controller
  uid: 12c2762f-5d1f-11e9-9df3-000c2938862c
secrets:
- name: calico-policy-controller-token-dd7k3

取得token

同kube-dns
# Dump the calico-policy-controller token secret as YAML (data fields are base64-encoded).
kubectl --namespace kube-system get secret calico-policy-controller-token-dd7k3 --output yaml

查看token并base64转码

[root@docker176 kubernetes]# kubectl get secret calico-policy-controller-token-dd7k3 -n kube-system -o jsonpath={".data.token"}| base64 -d                    
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.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.jw75X2XsTnq_8zwd3YJb2hO_4N-78Zo7rmZSCQWSfABi22h6cFlih_ln8nkjlOEL2P_h10W-Zyt-VgmRJsdQTQjELhgLfuh47OCuyRSL_kGosfjbhtXt4QzDM_Svr2mzSpWVbIE68qzh4YUkYGW6aHCrhWW5W-t-dPjGyjJOglG-Xmm1jwFZe_xDKRKOqXzivrYXHJ0Uqcyb_aWQgHBf3gAHSI9OCiGa5_ZykFVOqSo69cY4xL2XOpOcXDVj767qbsi0isICX7vWhHsnaG2KzhlDM3LIAS4AQqWY_fbctSV-jjsBWgBYZgon2xAQqOMmi4xvft_Uk6uEWT4ZKOn7MA

calico controller容器中的token

查看容器

[root@docker176 ~]# docker ps|grep calico
796243554da4        192.168.14.171:5000/calico/kube-policy-controller@sha256:1ca4ccddb3cc3e57e3d8c1fe5d7236ca50250d0a274b0bc3d88ad6ce25cab73e                   "/dist/controller"       2 days ago          Up 2 days                               k8s_calico-policy-controller_calico-policy-controller-2698340612-8hksd_kube-system_13650ec9-5d1f-11e9-9df3-000c2938862c_0

进入容器中token所在目录

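# Open a shell in the calico-policy-controller container by its ID.
docker exec -it 796243554da4 sh
# Or look the container up by name. The substitution is quoted and limited to
# the first match, so an extra matching container ID is never passed to
# docker exec as the command to run.
docker exec -it "$(docker ps -q --filter 'name=k8s_calico-policy-controller' | head -n 1)" sh
# Inside the container: go to the directory where the service account
# credentials (ca.crt, namespace, token) are mounted.
cd /var/run/secrets/kubernetes.io/serviceaccount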
/var/run/secrets/kubernetes.io/serviceaccount # ls
ca.crt     namespace  token

查看token(在该目录下执行 cat token,输出如下)

eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.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.jw75X2XsTnq_8zwd3YJb2hO_4N-78Zo7rmZSCQWSfABi22h6cFlih_ln8nkjlOEL2P_h10W-Zyt-VgmRJsdQTQjELhgLfuh47OCuyRSL_kGosfjbhtXt4QzDM_Svr2mzSpWVbIE68qzh4YUkYGW6aHCrhWW5W-t-dPjGyjJOglG-Xmm1jwFZe_xDKRKOqXzivrYXHJ0Uqcyb_aWQgHBf3gAHSI9OCiGa5_ZykFVOqSo69cY4xL2XOpOcXDVj767qbsi0isICX7vWhHsnaG2KzhlDM3LIAS4AQqWY_fbctSV-jjsBWgBYZgon2xAQqOMmi4xvft_Uk6uEWT4ZKOn7MA

对比可见,容器内挂载的token与前面通过kubectl从secret中解码得到的token一致。

测试多master 验证token是否有效

高可用master使用Keepalived设置VIP
master主机
192.168.14.175
192.168.14.176
192.168.14.235(VIP)

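curl -k -H "Authorization: Bearer ${token}" https://192.168.14.176:6443/api
如下请求均有返回信息,说明token通过了apiserver的认证,可以正常访问k8s api。注意:-k会跳过对apiserver证书的校验,仅适合临时测试;正式使用时应通过--cacert指定集群CA证书(通常即secret中的ca.crt)。另外/api只是发现接口,能访问它只说明认证通过,token对其他资源的权限仍由授权策略(如RBAC)决定。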

[root@docker176 ~]# curl -k -H 'Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.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.jw75X2XsTnq_8zwd3YJb2hO_4N-78Zo7rmZSCQWSfABi22h6cFlih_ln8nkjlOEL2P_h10W-Zyt-VgmRJsdQTQjELhgLfuh47OCuyRSL_kGosfjbhtXt4QzDM_Svr2mzSpWVbIE68qzh4YUkYGW6aHCrhWW5W-t-dPjGyjJOglG-Xmm1jwFZe_xDKRKOqXzivrYXHJ0Uqcyb_aWQgHBf3gAHSI9OCiGa5_ZykFVOqSo69cY4xL2XOpOcXDVj767qbsi0isICX7vWhHsnaG2KzhlDM3LIAS4AQqWY_fbctSV-jjsBWgBYZgon2xAQqOMmi4xvft_Uk6uEWT4ZKOn7MA' https://192.168.14.176:6443/api
{
  "kind": "APIVersions",
  "versions": [
    "v1"
  ],
  "serverAddressByClientCIDRs": [
    {
      "clientCIDR": "0.0.0.0/0",
      "serverAddress": "192.168.14.176:6443"
    }
  ]
}[root@docker176 ~]# curl -k -H 'Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.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.jw75X2XsTnq_8zwd3YJb2hO_4N-78Zo7rmZSCQWSfABi22h6cFlih_ln8nkjlOEL2P_h10W-Zyt-VgmRJsdQTQjELhgLfuh47OCuyRSL_kGosfjbhtXt4QzDM_Svr2mzSpWVbIE68qzh4YUkYGW6aHCrhWW5W-t-dPjGyjJOglG-Xmm1jwFZe_xDKRKOqXzivrYXHJ0Uqcyb_aWQgHBf3gAHSI9OCiGa5_ZykFVOqSo69cY4xL2XOpOcXDVj767qbsi0isICX7vWhHsnaG2KzhlDM3LIAS4AQqWY_fbctSV-jjsBWgBYZgon2xAQqOMmi4xvft_Uk6uEWT4ZKOn7MA' https://192.168.14.175:6443/api
{
  "kind": "APIVersions",
  "versions": [
    "v1"
  ],
  "serverAddressByClientCIDRs": [
    {
      "clientCIDR": "0.0.0.0/0",
      "serverAddress": "192.168.14.175:6443"
    }
  ]
}[root@docker176 ~]# curl -k -H 'Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.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.jw75X2XsTnq_8zwd3YJb2hO_4N-78Zo7rmZSCQWSfABi22h6cFlih_ln8nkjlOEL2P_h10W-Zyt-VgmRJsdQTQjELhgLfuh47OCuyRSL_kGosfjbhtXt4QzDM_Svr2mzSpWVbIE68qzh4YUkYGW6aHCrhWW5W-t-dPjGyjJOglG-Xmm1jwFZe_xDKRKOqXzivrYXHJ0Uqcyb_aWQgHBf3gAHSI9OCiGa5_ZykFVOqSo69cY4xL2XOpOcXDVj767qbsi0isICX7vWhHsnaG2KzhlDM3LIAS4AQqWY_fbctSV-jjsBWgBYZgon2xAQqOMmi4xvft_Uk6uEWT4ZKOn7MA' https://192.168.14.235:6443/api
{
  "kind": "APIVersions",
  "versions": [
    "v1"
  ],
  "serverAddressByClientCIDRs": [
    {
      "clientCIDR": "0.0.0.0/0",
      "serverAddress": "192.168.14.176:6443"
    }
  ]
}

cni测试token

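/etc/cni/net.d 是存放CNI配置文件的目录,其中 10-calico.conf 是calico的配置文件,其 k8s_auth_token 字段以明文保存了访问apiserver的token。从下面的输出可以看到该文件权限为 -rw-rw-r--(本机任何用户可读),且 calico-kubeconfig 中设置了 insecure-skip-tls-verify: true(不校验apiserver证书);生产环境建议将该文件权限收紧为仅root可读写,并配置集群CA证书来代替跳过校验。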

[root@docker176 ~]# cd /etc/cni/net.d; cat 10-calico.conf
{
    "name": "k8s-pod-network",
    "cniVersion": "0.1.0",
    "type": "calico",
    "etcd_endpoints": "http://192.168.14.175:2379,http://192.168.14.176:2379",
    "log_level": "info",
    "ipam": {
        "type": "calico-ipam"
    },
    "policy": {
        "type": "k8s",
         "k8s_api_root": "https://10.254.0.1:443",
         "k8s_auth_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.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.VtyfKi39LKcx8Piy0x0cfa5bUxkEn1BhMYzAn_3BaZTma_nOjTMCrAHdqR1wCidH9__U43nKWRhM8qpBhc2OPp30VGFdMt25oJcCF5jcZKzbxvPt0HXKOgOeTctwgatnwsfEBtVarM1V_l9fQswinZbUHSjCCnYsVd1HMoeBOE6Gtxa14kz68wcbK9RFTHrxgo5cdtXxO7JFKRmR5GpmL0Xa2KjuWvY8H-6jSNVv-b-o5SjurV6Ha7Zysibpb8gLr86-QacMPnwP56Y9rBgxmGymUMXTJjXTXmKTY3G_Ha-CXk4Phrf9x58jVu48IHEFhzlnn6m_Kw6nGNEs-32IYw"
    },
    "kubernetes": {
        "kubeconfig": "/etc/cni/net.d/calico-kubeconfig"
    }
}
[root@docker176 net.d]# ll
total 8
-rw-rw-r-- 1 root root 1345 Apr 12 20:32 10-calico.conf
-rw-r--r-- 1 root root  273 Apr 12 20:32 calico-kubeconfig
[root@docker176 net.d]# cat calico-kubeconfig 
# Kubeconfig file for Calico CNI plugin.
apiVersion: v1
kind: Config
clusters:
- name: local
  cluster:
    insecure-skip-tls-verify: true
users:
- name: calico
contexts:
- name: calico-context
  context:
    cluster: local
    user: calico
current-context: calico-context

使用token请求k8s内部地址

  [root@docker176 net.d]# curl -k -H 'Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.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.VtyfKi39LKcx8Piy0x0cfa5bUxkEn1BhMYzAn_3BaZTma_nOjTMCrAHdqR1wCidH9__U43nKWRhM8qpBhc2OPp30VGFdMt25oJcCF5jcZKzbxvPt0HXKOgOeTctwgatnwsfEBtVarM1V_l9fQswinZbUHSjCCnYsVd1HMoeBOE6Gtxa14kz68wcbK9RFTHrxgo5cdtXxO7JFKRmR5GpmL0Xa2KjuWvY8H-6jSNVv-b-o5SjurV6Ha7Zysibpb8gLr86-QacMPnwP56Y9rBgxmGymUMXTJjXTXmKTY3G_Ha-CXk4Phrf9x58jVu48IHEFhzlnn6m_Kw6nGNEs-32IYw' https://10.254.0.1:443/api
    {
      "kind": "APIVersions",
      "versions": [
        "v1"
      ],
      "serverAddressByClientCIDRs": [
        {
          "clientCIDR": "0.0.0.0/0",
          "serverAddress": "192.168.14.176:6443"
        }
      ]