目录
创建某namespace的serviceaccount、创建clusterrolebinding绑定该namespace的serviceaccount到clusterrole
1.gateway中拉取k8s服务列表
1.1拉取k8s服务列表
import io.kubernetes.client.openapi.ApiClient;
import io.kubernetes.client.util.ClientBuilder;
import io.kubernetes.client.util.credentials.AccessTokenAuthentication;
import java.util.Base64;
import javax.xml.bind.DatatypeConverter;
import org.apache.commons.lang3.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.cloud.kubernetes.client.KubernetesClientUtils;
import org.springframework.cloud.kubernetes.commons.KubernetesClientProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.env.Environment;
@Configuration
// @EnableConfigurationProperties(CustomKubernetesClientProperties.class)
// @AutoConfigureAfter(CustomKubernetesClientProperties.class)
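public class K8SConfig {

    private static final Logger logger = LoggerFactory.getLogger(K8SConfig.class);

    /** Property that is present only when the application runs inside a cluster. */
    private static final String IN_CLUSTER_MARKER = "KUBERNETES_SERVICE_HOST";
    private static final String MASTER_URL_PROPERTY = "spring.cloud.kubernetes.client.master-url";
    private static final String TOKEN_PROPERTY = "spring.cloud.kubernetes.client.oauth-token";
    private static final String CA_CERT_DATA_PROPERTY = "spring.cloud.kubernetes.client.ca-cert-data";

    /**
     * Overrides the default Spring Cloud Kubernetes {@link ApiClient} so the application can also
     * run outside a cluster (development / test).
     *
     * <p>Inside a cluster (detected via {@code KUBERNETES_SERVICE_HOST}) the standard in-cluster
     * client is used and only the user agent is applied. Otherwise the API server address, bearer
     * token and CA certificate are read from the {@link Environment} and the client is built by
     * hand with TLS verification enabled.
     *
     * @param properties Spring Cloud Kubernetes client properties (only the user agent is used)
     * @param environment the Spring environment the connection settings are read from
     * @return a configured {@link ApiClient}
     * @throws IllegalStateException if any required out-of-cluster property is missing or blank
     */
    @Bean
    public ApiClient apiClient(KubernetesClientProperties properties, Environment environment) {
        if (environment.containsProperty(IN_CLUSTER_MARKER)) {
            logger.info("now in cluster environment");
            ApiClient apiClient = KubernetesClientUtils.kubernetesApiClient();
            apiClient.setUserAgent(properties.getUserAgent());
            return apiClient;
        }

        logger.info("now in dev environment");
        // TODO: with spring.cloud.kubernetes.enabled=true neither @Value nor @ConfigurationProperties
        // injects these values, so for now they are read from the Environment directly.
        String masterUrl = requireProperty(environment, MASTER_URL_PROPERTY);
        String token = requireProperty(environment, TOKEN_PROPERTY);
        String caCertData = requireProperty(environment, CA_CERT_DATA_PROPERTY);

        // Build the client by hand: API server address, bearer token and CA certificate.
        // setVerifyingSsl(true) keeps certificate validation on, so the supplied CA is actually
        // used to check the API server's certificate instead of being silently bypassed.
        // java.util.Base64 replaces javax.xml.bind.DatatypeConverter, which was removed from the
        // JDK in Java 11; the MIME decoder is the closest match to the lenient parseBase64Binary
        // because it tolerates line breaks and whitespace in the encoded certificate.
        return new ClientBuilder()
                .setBasePath(masterUrl)
                .setVerifyingSsl(true)
                .setAuthentication(new AccessTokenAuthentication(token))
                .setCertificateAuthority(Base64.getMimeDecoder().decode(caCertData))
                .build();
    }

    /**
     * Reads a mandatory property from the environment.
     *
     * @param environment the Spring environment
     * @param key the property name
     * @return the non-blank property value
     * @throws IllegalStateException if the property is absent or blank; the message names the
     *         key only and never the value, because the token and certificate are credentials
     */
    private static String requireProperty(Environment environment, String key) {
        String value = environment.getProperty(key);
        // isBlank (not isEmpty): a whitespace-only token or URL would otherwise build a client
        // that fails later with a much less obvious error.
        if (StringUtils.isBlank(value)) {
            logger.error("k8s client config error: missing property {}", key);
            throw new IllegalStateException("k8s client config error: missing property " + key);
        }
        return value;
    }
}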
1.2 token 过期报错 401
2.解决
参考文章:k8s api 接口 401_k8s 401_xiangzilong的博客-CSDN博客
直接通过 HTTPS 调用接口,不带 token 时会被拒绝:
[root@k8s-master1 ~]# curl https://10.1.234.100:6443/api/v1/namespaces/default/pods --insecure { "kind": "Status", "apiVersion": "v1", "metadata": { }, "status": "Failure", "message": "pods is forbidden: User \"system:anonymous\" cannot list resource \"pods\" in API group \"\" in the namespace \"default\"", "reason": "Forbidden", "details": { "kind": "pods" }, "code": 403
加上 token 后访问返回 401,仍被拒绝(token 已过期):
curl -k -H 'Authorization: Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJhbGciOiJSUzI1NiIsImtpZCI6IlZ1a3JfUFhsNm45UU94QXV5ZElQNXlmOXZaZ0s1N2wxZjZsa0RiQXhSTncifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJhZG1pbi10b2tlbi1tbmg4NCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJhZG1pbiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjAyYWZmZmIyLTE0OWItNDQxNC05YmEwLWEzN2NlMWI4M2NhMSIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDprdWJlLXN5c3RlbTphZG1pbiJ9.u9a5TZxUKmsGx2UYYiQjEE730Jga7XZJo0F3RV_l6GDDygUmwvDHxxKwEJTjMkbBIgWpNwNJARpILzCJXU9HzfXuM80ksdalzurP8GiE7ukZ1aazPxUvQB0qaBx3g0jKcIZo2qsNTXayyL_GeXP9XTS634o18ekARBA5mI1Z2LHlgmk8zeewGy5DNVvWogWVGPu8SRCeHDMZg9HeK6xHxUeeAUrTpg_2VbWApoaoh9CYlT7IairqHcKtC6SCcMx8DoNPPd9M7MWBFV60swQ9Wi5M1l1RaQXSOX13w_aOlPSBGG_HXRxPY9QQ9YmbHvlLC7bZhh_X8Za0JOPwVoEm6Q.aMzef7qssxhFCkKHYFX99XBCkA_lnpKQhBvWPJ_AEsg89HUJ9cgYs2M7VRQJ2KcsG1BndSW0Ne-yLdsXFGDMaIRF58Rz02V99ViqAH8W86UZqcgARlw6DbYtpyHx2LZp4_HbrOy0xHJXGOx0FzwbCNJR5TE5LAZWx2Q5WowuxzdIhpkr15tn9UTZB0i2VXyANG3D6xyf1M67ojav59eC04qWu3ZuFC2GgngHGbZ1qnP55UnFTHWdFtHAzU5qAX7jrWJAOBdSPXwoxC9XTIBoL2umQk2XQN-OsBnQ_saXXLPe2cdpKdoboJCZgcUfO-5D94KO-5P8wNVhGWubNutvug' https://10.1.234.100:6443/api { "kind": "Status", "apiVersion": "v1", "metadata": { }, "status": "Failure", "message": "Unauthorized", "reason": "Unauthorized", "code": 401
查看权限
[root@k8s-master1 ~]# kubectl get clusterrole cluster-admin -o yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: annotations: rbac.authorization.kubernetes.io/autoupdate: "true" creationTimestamp: "2021-03-02T16:08:01Z" labels: kubernetes.io/bootstrapping: rbac-defaults name: cluster-admin resourceVersion: "45" selfLink: /apis/rbac.authorization.k8s.io/v1/clusterroles/cluster-admin uid: f58d218f-447e-4e04-9161-89c094782480 rules: - apiGroups: - '*' resources: - '*' verbs: - '*' - nonResourceURLs: - '*' verbs: - '*'
可能是这个用户的权限问题,创建一个 admin 用户进行测试:
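# Create the service account.
kubectl create serviceaccount sa-gateway-cas -n da-ma
# Grant permissions: this binds the new service account to cluster-admin, which (see the
# clusterrole dump above) allows '*' on every resource, so its token is a full-cluster
# credential. Fine for diagnosing the 401; narrow it to a dedicated role afterwards.
kubectl create clusterrolebinding sa-gateway-cas --clusterrole=cluster-admin --serviceaccount=da-ma:sa-gateway-cas
# Show the token. The printed value is a long-lived bearer credential; treat it like a password
# and do not paste it into tickets or posts.
kubectl describe secrets -n da-ma $(kubectl -n da-ma get secret | awk '/sa-gateway-cas/{print $1}')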
使用新的 token 就可以访问了:
[root@k8s-master1 ~]# curl -H "Authorization: Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6IlZ1a3JfUFhsNm45UU94QXV5ZElQNXlmOXZaZ0s1N2wxZjZsa0RiQXhSTncifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJhZG1pbi10b2tlbi1tbmg4NCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJhZG1pbiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjAyYWZmZmIyLTE0OWItNDQxNC05YmEwLWEzN2NlMWI4M2NhMSIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDprdWJlLXN5c3RlbTphZG1pbiJ9.u9a5TZxUKmsGx2UYYiQjEE730Jga7XZJo0F3RV_l6GDDygUmwvDHxxKwEJTjMkbBIgWpNwNJARpILzCJXU9HzfXuM80ksdalzurP8GiE7ukZ1aazPxUvQB0qaBx3g0jKcIZo2qsNTXayyL_GeXP9XTS634o18ekARBA5mI1Z2LHlgmk8zeewGy5DNVvWogWVGPu8SRCeHDMZg9HeK6xHxUeeAUrTpg_2VbWApoaoh9CYlT7IairqHcKtC6SCcMx8DoNPPd9M7MWBFV60swQ9Wi5M1l1RaQXSOX13w_aOlPSBGG_HXRxPY9QQ9YmbHvlLC7bZhh_X8Za0JOPwVoEm6Q" -k https://10.1.234.100:6443/api/v1/namespaces/default/pods { "kind": "PodList", "apiVersion": "v1", "metadata": { "selfLink": "/api/v1/namespaces/default/pods", "resourceVersion": "323430" }, "items": []
创建某namespace的serviceaccount、创建clusterrolebinding绑定该namespace的serviceaccount到clusterrole
# Create the service account in the plm-system namespace; the delete command removes it again.
kubectl create serviceaccount plm-system-admin -n plm-system
kubectl delete serviceaccount plm-system-admin -n plm-system
# Bind that service account to the cluster-admin clusterrole. cluster-admin allows '*' on all
# resources and non-resource URLs (see the clusterrole dump above), so this account's token is a
# full-cluster credential; the delete command revokes the binding.
kubectl create clusterrolebinding plm-system-admin-clusterrolebinding-cluster-admin --clusterrole=cluster-admin --serviceaccount=plm-system:plm-system-admin
kubectl delete clusterrolebinding plm-system-admin-clusterrolebinding-cluster-admin
# Inspect the service accounts in the namespace.
kubectl describe serviceaccount plm-system-admin -n plm-system
kubectl get serviceaccount -n plm-system
# List every rolebinding and clusterrolebinding across all namespaces together with the service
# accounts they grant to — useful for auditing which accounts still hold cluster-admin.
kubectl get rolebindings,clusterrolebindings \
--all-namespaces \
-o custom-columns='KIND:kind,NAMESPACE:metadata.namespace,NAME:metadata.name,SERVICE_ACCOUNTS:subjects[?(@.kind=="ServiceAccount")].name'