1. Create a token for authentication
Under RBAC mode the kubeconfig no longer provides a cluster token, but Jenkins (or anyone who just wants a quick and convenient way in) may still want to call the k8s API with curl from a shell to handle some tasks. When doing so, do not use an over-privileged ClusterRole; keep the permissions as small as possible.
Create the SA
kubectl --kubeconfig=/home/k8sadm/config create sa tke-admin
For convenience, the tke:admin ClusterRole is used directly here.
But as the figure above shows, an over-privileged ClusterRole can operate across a very wide range, so avoid tke:admin where you can; for Jenkins, for example, use the following:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: jenkins-cr
rules:
- apiGroups: ["extensions", "apps"]
  resources: ["deployments"]
  verbs: ["create", "delete", "get", "list", "watch", "patch", "update"]
- apiGroups: [""]
  resources: ["services"]
  verbs: ["create", "delete", "get", "list", "watch", "patch", "update"]
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
- apiGroups: [""]
  resources: ["pods/exec"]
  verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
- apiGroups: [""]
  resources: ["pods/log"]
  verbs: ["get", "list", "watch"]
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get"]
Create the ClusterRoleBinding
kubectl --kubeconfig=/home/k8sadm/config create clusterrolebinding \
tke-admin-binding --clusterrole=tke:admin \
--serviceaccount=default:tke-admin
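Even the trimmed jenkins-cr rule set above is broader than "manage deployments", and whether that matters depends on the binding: a ClusterRoleBinding applies every rule in every namespace, a RoleBinding confines the same ClusterRole to one namespace. The following script is an added example (not code from the original post) that flattens an RBAC rule list and flags the grants that are high-risk when bound cluster-wide. JENKINS_CR_RULES is transcribed from the jenkins-cr ClusterRole shown above; the HIGH_RISK table is this example's own policy, not anything Kubernetes defines.

```python
"""RBAC over-privilege check for a CI service account.
Added example, not code from the original post. JENKINS_CR_RULES is
transcribed from the jenkins-cr ClusterRole above; HIGH_RISK is this
example's own policy table, not something Kubernetes defines."""

# (apiGroup, resource, verb) -> why it matters when granted cluster-wide.
HIGH_RISK = {
    ("", "secrets", "get"): "reads any named secret, including SA tokens",
    ("", "secrets", "list"): "enumerates and dumps every secret",
    ("", "pods/exec", "create"): "command execution inside any pod",
    ("", "pods", "create"): "can create privileged/hostPath pods unless pod security admission blocks it",
    ("", "serviceaccounts/token", "create"): "mints tokens for any service account",
}

# Transcribed from the jenkins-cr ClusterRole in the text.
JENKINS_CR_RULES = [
    {"apiGroups": ["extensions", "apps"], "resources": ["deployments"],
     "verbs": ["create", "delete", "get", "list", "watch", "patch", "update"]},
    {"apiGroups": [""], "resources": ["services"],
     "verbs": ["create", "delete", "get", "list", "watch", "patch", "update"]},
    {"apiGroups": [""], "resources": ["pods"],
     "verbs": ["create", "delete", "get", "list", "patch", "update", "watch"]},
    {"apiGroups": [""], "resources": ["pods/exec"],
     "verbs": ["create", "delete", "get", "list", "patch", "update", "watch"]},
    {"apiGroups": [""], "resources": ["pods/log"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get"]},
]


def expand(rules):
    """Flatten RBAC rules into (apiGroup, resource, verb) triples."""
    triples = set()
    for rule in rules:
        for group in rule.get("apiGroups", []):
            for resource in rule.get("resources", []):
                for verb in rule.get("verbs", []):
                    triples.add((group, resource, verb))
    return triples


def audit(rules, binding_kind="ClusterRoleBinding", namespace=None):
    """Return (scope, permission, reason) findings. With a ClusterRoleBinding every
    rule applies in all namespaces; a RoleBinding confines the same ClusterRole to
    one namespace, which is usually all a CI job needs."""
    if binding_kind == "ClusterRoleBinding":
        scope = "all namespaces"
    else:
        scope = f"namespace {namespace}"
    findings = []
    for group, resource, verb in sorted(expand(rules)):
        label = f"{group or 'core'}/{resource}:{verb}"
        if "*" in (group, resource, verb):
            findings.append((scope, label, "wildcard grant"))
        elif (group, resource, verb) in HIGH_RISK:
            findings.append((scope, label, HIGH_RISK[(group, resource, verb)]))
    return findings


if __name__ == "__main__":
    for binding in ("ClusterRoleBinding", "RoleBinding"):
        print(f"== jenkins-cr via {binding} ==")
        for scope, perm, why in audit(JENKINS_CR_RULES, binding, "yfdev"):
            print(f"  [{scope}] {perm}: {why}")
```

Run against the page's rules it reports pods:create, pods/exec:create and secrets:get; the same three grants show up under a RoleBinding too, but then limited to the one namespace the CI job deploys into, which is the cheapest way to shrink the blast radius without rewriting the role.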
2. Get the token corresponding to the SA
Look up the SA's secret name
kubectl --kubeconfig=/home/k8sadm/txk8s/config get sa tke-admin -o=jsonpath='{.secrets[0].name}'
Get the token
kubectl --kubeconfig=config get secret tke-admin-token-XXXXX \
-o=jsonpath='{.data.token}' | base64 -d
The command above retrieves the SA's token; base64-decoding it gives the token you can use. (Guard against leaking the token; the token shown above has been truncated.)
3. Call the API with the token
For example, to change the replica count of a deployment in the yfdev namespace on TKE,
the corresponding API call is:
# PATCH: partially update the specified Deployment
PATCH /apis/apps/v1/namespaces/{namespace}/deployments/{name}
# Reference documentation:
https://kubernetes.io/zh-cn/docs/reference/kubernetes-api/workload-resources/deployment-v1
The command is as follows:
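Before handing a decoded token to a CI job it is worth confirming which identity it actually carries. The token in a secret-backed ServiceAccount Secret is a JWT, and its payload names the namespace, the ServiceAccount and the Secret it came from. The script below is an added example (not code from the original post): it does the same base64 decode as the kubectl pipeline above, then reads the JWT claims without verifying the signature. The sample Secret and JWT are constructed here, the signature is a dummy, and the claim names are those of the legacy secret-backed tokens this section creates; decoding only tells you what the token claims to be, the API server is what actually verifies it.

```python
"""Decode a ServiceAccount token Secret and inspect the JWT claims.
Added example, not code from the original post. SAMPLE_SECRET and
SAMPLE_TOKEN are constructed; the signature is a dummy."""
import base64
import json


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def token_from_secret(secret: dict) -> str:
    """Same as: kubectl get secret ... -o=jsonpath='{.data.token}' | base64 -d"""
    return base64.b64decode(secret["data"]["token"]).decode()


def ca_from_secret(secret: dict) -> bytes:
    """The cluster CA bundle lives in the same Secret; use it instead of curl -k."""
    return base64.b64decode(secret["data"]["ca.crt"])


def sa_claims(token: str) -> dict:
    """Parse the JWT payload WITHOUT verifying the signature. This only reports
    what the token claims; the API server is the party that verifies it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))


def check_identity(token: str, namespace: str, name: str) -> bool:
    """True if the token claims to belong to system:serviceaccount:<ns>:<name>."""
    return sa_claims(token).get("sub") == f"system:serviceaccount:{namespace}:{name}"


# Constructed sample with the claim layout of a legacy (secret-backed) SA token.
_HEADER = b64url_encode(json.dumps({"alg": "RS256", "kid": "EXAMPLE-KID"}).encode())
_PAYLOAD = b64url_encode(json.dumps({
    "iss": "kubernetes/serviceaccount",
    "kubernetes.io/serviceaccount/namespace": "default",
    "kubernetes.io/serviceaccount/secret.name": "tke-admin-token-XXXXX",
    "kubernetes.io/serviceaccount/service-account.name": "tke-admin",
    "kubernetes.io/serviceaccount/service-account.uid": "00000000-0000-0000-0000-000000000000",
    "sub": "system:serviceaccount:default:tke-admin",
}).encode())
SAMPLE_TOKEN = f"{_HEADER}.{_PAYLOAD}.dummy-signature"

# Shape of `kubectl get secret tke-admin-token-XXXXX -o json` (constructed).
SAMPLE_SECRET = {
    "apiVersion": "v1", "kind": "Secret",
    "type": "kubernetes.io/service-account-token",
    "metadata": {"name": "tke-admin-token-XXXXX", "namespace": "default"},
    "data": {
        "token": base64.b64encode(SAMPLE_TOKEN.encode()).decode(),
        "ca.crt": base64.b64encode(
            b"-----BEGIN CERTIFICATE-----\nCONSTRUCTED\n-----END CERTIFICATE-----\n").decode(),
        "namespace": base64.b64encode(b"default").decode(),
    },
}

if __name__ == "__main__":
    tok = token_from_secret(SAMPLE_SECRET)
    print(json.dumps(sa_claims(tok), indent=2))
    print("identity ok:", check_identity(tok, "default", "tke-admin"))
```

Feed it the JSON of a real token Secret (`kubectl get secret ... -o json`) via `json.load` and the same functions apply; keep the decoded token out of logs and CI console output, since the claims are readable by anyone who sees it.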
curl -k -X PATCH \
-H "Content-Type: application/strategic-merge-patch+json" \
-H "Authorization: Bearer XXXXTOKENXXXX" \
-d '{"spec": {"replicas": 2}}' \
https://cls-XXXX.ccs.tencent-cloud.com/apis/apps/v1/namespaces/yfdev/deployments/hello-world-depl
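The curl above works, but `-k` disables certificate verification, so the bearer token would be handed to anyone able to stand in for the API server, and a token on the command line is visible in `ps` and shell history. The script below is an added example (not code from the original post) that issues the same strategic-merge PATCH while verifying TLS against the cluster CA (the `ca.crt` from the same token Secret) and reading the token from the environment. The host, namespace and deployment names are the placeholders from the text; the K8S_TOKEN and K8S_CA_FILE variables are assumptions of this example.

```python
"""Scale a Deployment with a bearer token over a verified TLS connection.
Added example, not code from the original post. Host, namespace and
deployment names are the placeholders used in the text; K8S_TOKEN and
K8S_CA_FILE are environment variables this example assumes."""
import json
import os
import ssl
import urllib.request

PATCH_CONTENT_TYPE = "application/strategic-merge-patch+json"


def build_patch(api_server, namespace, name, replicas, token):
    """Return (method, url, headers, body) for
    PATCH /apis/apps/v1/namespaces/{namespace}/deployments/{name}."""
    if isinstance(replicas, bool) or not isinstance(replicas, int) or replicas < 0:
        raise ValueError("replicas must be a non-negative integer")
    url = f"{api_server.rstrip('/')}/apis/apps/v1/namespaces/{namespace}/deployments/{name}"
    headers = {
        "Content-Type": PATCH_CONTENT_TYPE,
        "Accept": "application/json",
        "Authorization": f"Bearer {token}",
    }
    body = json.dumps({"spec": {"replicas": replicas}}).encode()
    return "PATCH", url, headers, body


def to_request(method, url, headers, body):
    """Wrap the pieces in a urllib Request."""
    req = urllib.request.Request(url, data=body, method=method)
    for key, value in headers.items():
        req.add_header(key, value)
    return req


def scale_deployment(api_server, namespace, name, replicas, token, ca_file):
    """Send the PATCH. ssl.create_default_context(cafile=...) pins the cluster
    CA instead of curl's -k, so the token is only ever sent to the real API
    server. Returns the replica count the API server reports back."""
    req = to_request(*build_patch(api_server, namespace, name, replicas, token))
    ctx = ssl.create_default_context(cafile=ca_file)
    with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
        return json.load(resp)["spec"]["replicas"]


if __name__ == "__main__":
    # Token and CA path come from the environment, not the command line, so
    # they do not show up in `ps` output or shell history.
    print(scale_deployment(
        "https://cls-XXXX.ccs.tencent-cloud.com", "yfdev", "hello-world-depl", 2,
        os.environ["K8S_TOKEN"], os.environ["K8S_CA_FILE"]))
```

Write the decoded `ca.crt` from the token Secret to a file and point K8S_CA_FILE at it; if the API server's certificate does not chain to it, urlopen raises an SSL error and the token never leaves the client.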