1. Create the service account (onlyreadaccount is the account name; change it as needed):
kubectl create serviceaccount "onlyreadaccount" -n kube-system
2. Create the cluster role and set its permissions (read-only verbs on the listed resources):
kubectl create clusterrole readResourceRole --verb=get,list,watch --resource=pods,nodes,svc,ns,deployments,ingresses,pods/log
3. Bind the role to the account (a ClusterRoleBinding from the service account to the role):
kubectl create clusterrolebinding "onlyreadaccount" --clusterrole=readResourceRole --serviceaccount=kube-system:onlyreadaccount
4. Get the token (read it from the token Secret that belongs to the service account):
kubectl -n kube-system describe $(kubectl -n kube-system get secret -o name | grep onlyreadaccount) | grep token
The token looks like this:
eyJhbGciOiJSUzI1NiIsImtpZCI6Imdqc1dOTXhvNUxxZHRyVDRvaVpMdEYyYl9xVTZveHRHVm5KWjJOWmcweDQifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJvbmx5cmVhZGFjY291bnQtdG9rZW4tc3BtcnMiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoib25seXJlYWRhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiMzViZDkzYmQtZTUwMi00ZDZmLTk2NzEtZTZiNmI1ODkwOTU2Iiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50Omt1YmUtc3lzdGVtOm9ubHlyZWFkYWNjb3VudCJ9.ZFA2Hss6tCjFHFONIfAstTDNNVsqbM0E4Asrgq9fRnOnJ7FTch583vhTbWDyOMrm4mNbSVexAecoGNcLl7b1cMaGw3gBqTvVMreQRJdCGv-27sptAewg5MkBZk6lxXqg9E_lP4Lbf6Niaohom08u_j4Q-SwxS3cvO8S7q-V5MNZXwkqVebloFHPEy10HkyGQZJi6SkTmP-JIL15t8bkTx64yx2YVMbXsdh0uxGJbYVzVYdMzRTWbP1l6w68Anbcm7DVj5R5PMBVq1X-L8DEXeZuJRlLNNP7np95QzbayPJo6FbZlgV63rfECDxsPDwjd7zkZPgXRPdpTO8_MyH77Xg
5. Test the token's permissions (the same Authorization header can be sent to each of the endpoints listed below):
TOKEN='<token from step 4>'
curl -k -H "Authorization: Bearer $TOKEN" https://134.64.110.xxx:18611/api/v1
https://134.64.110.xxx:18611/apis/extensions/v1beta1/namespaces/default/ingresses/
https://134.64.110.xxx:18611/apis/apps/v1/deployments
https://134.64.110.xxx:18611/api/v1/namespaces
https://134.64.110.xxx:18611/api/v1/nodes
https://134.64.110.xxx:18611/api/v1/services
https://134.64.110.xxx:18611/api/v1/namespaces/{namespace}/pods/{pod}/log
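As an added check (example code written for these notes, not part of the original): the token from step 4 is a JWT whose claims can be decoded to confirm it carries the identity that the binding in step 3 grants the role to (system:serviceaccount:kube-system:onlyreadaccount), and the single rule of the ClusterRole from step 2 can be modelled to see which of the step 5 requests it allows and which it denies. The token embedded below is the one printed above; the request-to-(verb, resource) mapping follows the API server's path layout for the URL shapes on this page; the pod name web-0 is made up. Decoding the claims does not verify the signature, which only the API server's key can do.

```python
import base64
import json
from urllib.parse import parse_qs, urlsplit

# Token exactly as printed in step 4 (a legacy long-lived ServiceAccount token).
SA_TOKEN = (
    "eyJhbGciOiJSUzI1NiIsImtpZCI6Imdqc1dOTXhvNUxxZHRyVDRvaVpMdEYyYl9xVTZveHRHVm5KWjJOWmcweDQifQ"
    ".eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJvbmx5cmVhZGFjY291bnQtdG9rZW4tc3BtcnMiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoib25seXJlYWRhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiMzViZDkzYmQtZTUwMi00ZDZmLTk2NzEtZTZiNmI1ODkwOTU2Iiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50Omt1YmUtc3lzdGVtOm9ubHlyZWFkYWNjb3VudCJ9"
    ".ZFA2Hss6tCjFHFONIfAstTDNNVsqbM0E4Asrgq9fRnOnJ7FTch583vhTbWDyOMrm4mNbSVexAecoGNcLl7b1cMaGw3gBqTvVMreQRJdCGv-27sptAewg5MkBZk6lxXqg9E_lP4Lbf6Niaohom08u_j4Q-SwxS3cvO8S7q-V5MNZXwkqVebloFHPEy10HkyGQZJi6SkTmP-JIL15t8bkTx64yx2YVMbXsdh0uxGJbYVzVYdMzRTWbP1l6w68Anbcm7DVj5R5PMBVq1X-L8DEXeZuJRlLNNP7np95QzbayPJo6FbZlgV63rfECDxsPDwjd7zkZPgXRPdpTO8_MyH77Xg"
)

# Subject the ClusterRoleBinding in step 3 grants the role to.
EXPECTED_SUBJECT = "system:serviceaccount:kube-system:onlyreadaccount"

# The ClusterRole from step 2, with the short names kubectl accepted (svc, ns)
# written out as the full resource names RBAC is evaluated against.
READ_ONLY_RULE = {
    "verbs": {"get", "list", "watch"},
    "resources": {"pods", "nodes", "services", "namespaces",
                  "deployments", "ingresses", "pods/log"},
}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt(token: str) -> dict:
    """Return the header and claims of a JWT without verifying its signature.

    Only the API server holds the key that signed the token, so this is an
    inspection aid (which identity does the token carry?), not authentication.
    """
    header, payload, _signature = token.split(".")
    return {"header": json.loads(_b64url_decode(header)),
            "claims": json.loads(_b64url_decode(payload))}


def token_matches_binding(token: str) -> bool:
    """True if the token's subject is the ServiceAccount bound in step 3."""
    claims = decode_jwt(token)["claims"]
    return (claims.get("sub") == EXPECTED_SUBJECT
            and claims.get("kubernetes.io/serviceaccount/namespace") == "kube-system")


def request_info(method: str, url: str) -> tuple:
    """Map an HTTP request to the (verb, resource) pair RBAC is evaluated on.

    Follows the API server's path layout for the URL shapes used on this page:
    /api/v1/[namespaces/<ns>/]<resource>[/<name>[/<subresource>]] for the core
    group and /apis/<group>/<version>/... for every other API group.
    """
    parts = urlsplit(url)
    segs = [s for s in parts.path.split("/") if s]   # also drops a trailing "/"
    if segs[:1] == ["api"]:
        segs = segs[2:]              # "api", "v1"
    elif segs[:1] == ["apis"]:
        segs = segs[3:]              # "apis", <group>, <version>
    else:
        raise ValueError("not a Kubernetes API resource path: " + url)
    if segs[:1] == ["namespaces"] and len(segs) >= 3:
        segs = segs[2:]              # namespaced resource: "namespaces", <ns>
    if not segs:
        raise ValueError("no resource in path: " + url)
    resource = segs[0]
    name = segs[1] if len(segs) > 1 else None
    if len(segs) > 2:
        resource = f"{resource}/{segs[2]}"   # subresource, e.g. pods/log
    method = method.upper()
    if method == "GET":
        if parse_qs(parts.query).get("watch") == ["true"]:
            verb = "watch"
        else:
            verb = "get" if name else "list"
    elif method == "DELETE":
        verb = "delete" if name else "deletecollection"
    else:
        verb = {"POST": "create", "PUT": "update", "PATCH": "patch"}.get(method, method.lower())
    return verb, resource


def allowed(method: str, url: str, rule: dict = READ_ONLY_RULE) -> bool:
    """Decide a request against the single rule of the read-only ClusterRole."""
    verb, resource = request_info(method, url)
    return verb in rule["verbs"] and resource in rule["resources"]


if __name__ == "__main__":
    info = decode_jwt(SA_TOKEN)
    print("alg:", info["header"]["alg"], " sub:", info["claims"]["sub"],
          " matches binding:", token_matches_binding(SA_TOKEN))
    base = "https://134.64.110.xxx:18611"
    for method, path in [
        ("GET", "/api/v1/nodes"),
        ("GET", "/apis/apps/v1/deployments"),
        ("GET", "/apis/extensions/v1beta1/namespaces/default/ingresses/"),
        ("GET", "/api/v1/namespaces/default/pods/web-0/log"),    # web-0 is a made-up pod
        ("GET", "/api/v1/namespaces/kube-system/secrets"),       # resource not in the role
        ("DELETE", "/api/v1/namespaces/default/pods/web-0"),     # verb not granted
        ("POST", "/api/v1/namespaces/default/pods/web-0/exec"),  # subresource not granted
    ]:
        verb, resource = request_info(method, base + path)
        print(f"{method:6} {path:55} -> {verb:16} {resource:12} "
              f"{'allow' if allowed(method, base + path) else 'deny'}")
```

On Kubernetes 1.24 and later a ServiceAccount no longer gets a long-lived token Secret created for it, so the grep in step 4 finds nothing; kubectl create token onlyreadaccount -n kube-system issues a short-lived token instead. In either case, kubectl auth can-i get secrets --as=system:serviceaccount:kube-system:onlyreadaccount asks the real authorizer the same question this script answers from the modelled rule.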