- Enter the pod of the terminal project that ships with OpenShift.
$ oc rsh $(oc get pod -n terminal -l=app=terminal -o jsonpath="{ .items[0].metadata.name }")
- List the resources in the pod's serviceaccount directory.
sh-4.2$ ls -l /var/run/secrets/kubernetes.io/serviceaccount
total 0
lrwxrwxrwx. 1 root root 13 Aug 6 23:45 ca.crt -> ..data/ca.crt
lrwxrwxrwx. 1 root root 16 Aug 6 23:45 namespace -> ..data/namespace
lrwxrwxrwx. 1 root root 21 Aug 6 23:45 service-ca.crt -> ..data/service-ca.crt
lrwxrwxrwx. 1 root root 12 Aug 6 23:45 token -> ..data/token
Where:
- ca.crt - the OpenShift CA certificate
- namespace - the current namespace
- service-ca.crt - the CA certificate for OpenShift services
- token - the Service Account token used to access OAuth
- Use ca.crt and token to access the API Service
sh-4.2$ curl --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt -H "Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" https://kubernetes.default.svc
{
"paths": [
"/api",
"/api/v1",
"/apis",
"/apis/",
"/apis/admissionregistration.k8s.io",
"/apis/admissionregistration.k8s.io/v1",
"/apis/admissionregistration.k8s.io/v1beta1",
"/apis/apiextensions.k8s.io",
"/apis/apiextensions.k8s.io/v1",
"/apis/apiextensions.k8s.io/v1beta1",
"/apis/apiregistration.k8s.io",
"/apis/apiregistration.k8s.io/v1",
"/apis/apiregistration.k8s.io/v1beta1",
"/apis/apps",
...
]
}
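
Before sending the mounted token as in the curl call above, it can be decoded locally to confirm which service account it represents and whether it carries an expiry. This is an added example, not part of the original page. The function names, the `SA_DIR` override and the unsigned sample token are assumptions constructed for illustration, and the signature is not verified.

```shell
#!/bin/sh
# Added example: inspect the mounted service account token without printing it.
# SA_DIR defaults to the directory listed above; override it for offline testing.
SA_DIR=${SA_DIR:-/var/run/secrets/kubernetes.io/serviceaccount}

# Decode one base64url JWT segment (unpadded, '-' and '_' alphabet).
b64url_decode() {
    seg=$(printf '%s' "$1" | tr '_-' '/+')
    case $(( ${#seg} % 4 )) in
        2) seg="$seg==" ;;
        3) seg="$seg=" ;;
        1) return 1 ;;                       # impossible length for base64
    esac
    printf '%s' "$seg" | base64 -d
}

# Print the claims JSON (second dot-separated segment) of a JWT.
jwt_claims() {
    case $1 in *.*.*) ;; *) return 1 ;; esac
    payload=${1#*.}                          # strip header
    b64url_decode "${payload%%.*}"           # strip signature, decode
}

# Summarise identity and expiry of the token in directory $1 (default SA_DIR).
# Fails when the token's subject is not in the namespace file's namespace.
sa_token_summary() {
    dir=${1:-$SA_DIR}
    claims=$(jwt_claims "$(cat "$dir/token")") || { echo "token is not a JWT"; return 1; }
    ns=$(cat "$dir/namespace")
    sub=$(printf '%s' "$claims" | sed -n 's/.*"sub" *: *"\([^"]*\)".*/\1/p')
    exp=$(printf '%s' "$claims" | sed -n 's/.*"exp" *: *\([0-9][0-9]*\).*/\1/p')
    case $sub in
        "system:serviceaccount:$ns:"*) ;;
        *) echo "subject '$sub' does not match namespace '$ns'"; return 1 ;;
    esac
    echo "serviceaccount=${sub##*:} namespace=$ns exp=${exp:-none}"
}

# Constructed sample (not a real credential): unsigned token in a temp directory.
make_sample_sa_dir() {                       # $1 = namespace, $2 = claims JSON
    d=$(mktemp -d)
    enc() { printf '%s' "$1" | base64 | tr -d '=\n' | tr '/+' '_-'; }
    printf '%s.%s.%s' "$(enc '{"alg":"RS256"}')" "$(enc "$2")" "c2ln" > "$d/token"
    printf '%s' "$1" > "$d/namespace"
    echo "$d"
}

# Inside a pod this reports on the real mounted token; elsewhere it does nothing.
if [ -r "$SA_DIR/token" ]; then sa_token_summary || true; fi
```

`exp=none` means the token has no expiry claim, so it stays valid until the service account or its secret is deleted.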