Table of Contents
1 apiserver client access methods
2 Accessing the apiserver with curl
2.1 Get the apiserver address
2.2 Get the token
2.2.1 Determine the service account
2.2.2 Create the ClusterRoleBinding resource
2.2.3 Obtain the token
2.3 Access the apiserver with the token
1 apiserver client access methods
There are two commonly used ways for a client to authenticate to the apiserver:
1) Certificate authentication: the client presents an X.509 client certificate issued by the k8s CA
2) Token authentication: the client presents a bearer token that identifies it as a legitimate user or service account
This article uses curl with token authentication to access the apiserver.
2 Accessing the apiserver with curl
The command format is as follows:
## -k: skip verification of the apiserver's TLS certificate. Convenient, but it leaves curl open to a man-in-the-middle; pass the cluster CA with --cacert instead wherever you can
## -H: add a custom HTTP header
curl -k -H "Authorization: Bearer $TOKEN" $APISERVER/api
Note the double quotes around the header: in single quotes the shell does not expand $TOKEN, the literal string is sent as the bearer token, and the apiserver answers 401 Unauthorized.
So accessing the apiserver needs only two things: its address and a valid token.
2.1 Get the apiserver address
kubectl config view
The address can also be extracted in one command. The grep | cut pipeline often used for this leaves a leading space in the value and picks up every server: line in a multi-cluster kubeconfig; jsonpath on the minified config (current context only) avoids both:
kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}'
2.2 Get the token
Obtaining the token needs a short introduction to k8s RBAC (Role-Based Access Control). In simple terms, RBAC says who (a service account) is bound (by a RoleBinding / ClusterRoleBinding) to which role (Role / ClusterRole), and therefore which resources it may access.
None of the three terms just introduced (service account, Role/ClusterRole, RoleBinding/ClusterRoleBinding) contains a token, so where is the token? The answer: in a Secret object, which the service account references in its secrets list.
Therefore, the simplest way to obtain the highest level of access to the cluster is to bind a service account to the cluster administrator role (cluster-admin). Be clear about what that does: every pod in that namespace that runs as that service account inherits cluster-admin, and the binding stays in place until someone deletes it. On anything other than a throwaway test cluster, create a dedicated service account and bind it to a Role that grants only the verbs and resources you actually need.
2.2.1 Determine the service account
Here we use the default service account, which k8s creates automatically in every namespace.
kubectl get sa
2.2.2 Create the ClusterRoleBinding resource
Create the resource file default-clusterrolebings.yaml:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: default-admin-cluster
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: default
  namespace: default
Run the following command to bind the cluster-admin role to the default service account:
kubectl apply -f default-clusterrolebings.yaml
2.2.3 Obtain the token
Look up the service account; its secrets list names the secret that holds the token.
kubectl get sa default -o yaml
Then read the secret it names in the same way and take the token field from its data section.
Because the token stored in the secret is base64-encoded, it must be decoded before use, with the command below. Copy the complete token value: a truncated token is simply rejected with 401 Unauthorized, and nothing tells you it was cut off.
On Kubernetes 1.24 and later the service account has no secret in this list, because token secrets are no longer created automatically. There, request a short-lived token with kubectl create token <service-account>; it is returned already decoded, so the base64 step is skipped.
## YOUR_TOKEN is the token value from the secret of the default service account. Fill in your own.
echo 'YOUR_TOKEN' | base64 -d
2.3 Access the apiserver with the token
## YOUR_DECODE_TOKEN_VAL is the value obtained above after base64 decoding
export TOKEN=YOUR_DECODE_TOKEN_VAL
## Set the apiserver address
export APISERVER=$(kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}')
curl -k -H "Authorization: Bearer $TOKEN" "$APISERVER/api"
From here on, curl can talk to the k8s apiserver directly. If the reply is 401 Unauthorized, the token was not accepted (usually truncated or sent in single quotes); if it is 403 Forbidden, the token was accepted but the binding from 2.2.2 is not in effect.
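The whole procedure above as one script, added here as an example; it is not code from the original post. It adds the two checks a practitioner wants before pasting a token into curl: the apiserver address is read from the kubeconfig file without the stray leading space that the grep | cut pipeline leaves, and the token is confirmed to be a complete three-segment JWT before it is sent (a partially copied token is rejected with 401 Unauthorized and nothing says why). The live path also verifies the apiserver certificate against the cluster CA instead of using -k. The script name, the `live` argument, the sample token and its claims are assumptions; the helper functions run offline on that constructed data.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post: the curl + token workflow
# as one script. The helpers run offline on constructed data; the live path
# (`bash sa-curl.sh live`) needs kubectl and a reachable cluster. The script
# name, the "live" argument and the sample token are assumptions.
set -euo pipefail

# base64url (JWT alphabet, no padding) -> bytes.
b64url_decode() {
  local s
  s=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#s} % 4 )) in
    2) s="$s==" ;;
    3) s="$s=" ;;
  esac
  printf '%s' "$s" | base64 -d
}

# bytes -> base64url, the way JWT segments are encoded.
b64url_encode() {
  printf '%s' "$1" | base64 | tr -d '=\n' | tr '/+' '_-'
}

# First `server:` entry of a kubeconfig file, without the leading whitespace
# that `kubectl config view | grep server | cut -d ':' -f 2-` leaves behind.
# With kubectl at hand, `kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}'`
# is the cleaner equivalent.
apiserver_from_kubeconfig() {
  awk '/^[[:space:]]*server:/ { sub(/^[[:space:]]*server:[[:space:]]*/, ""); print; exit }' "$1"
}

# Payload JSON of a JWT. Fails unless the token has exactly three
# dot-separated segments, the usual symptom of a token that was only
# partly copied out of the secret.
jwt_payload() {
  local dots
  dots=$(printf '%s' "$1" | tr -cd '.' | wc -c)
  if [ "$dots" -ne 2 ]; then
    echo "expected 3 JWT segments, got $((dots + 1)) (token truncated?)" >&2
    return 1
  fi
  b64url_decode "$(printf '%s' "$1" | cut -d. -f2)"
}

# Value of a top-level string claim in a payload JSON (no jq dependency).
jwt_claim() {
  printf '%s' "$1" | grep -o "\"$2\":\"[^\"]*\"" | head -n 1 | cut -d'"' -f4
}

# Constructed sample shaped like a legacy service-account secret token.
# The signature is a placeholder, so no apiserver would accept it.
sample_token() {
  local hdr='{"alg":"RS256","kid":"example-kid"}'
  local claims='{"iss":"kubernetes/serviceaccount","kubernetes.io/serviceaccount/namespace":"default","kubernetes.io/serviceaccount/service-account.name":"default","sub":"system:serviceaccount:default:default"}'
  printf '%s.%s.%s' "$(b64url_encode "$hdr")" "$(b64url_encode "$claims")" "$(b64url_encode 'not-a-real-signature')"
}

# Live path: address -> token -> sanity check -> curl with CA verification.
main_live() {
  local cfg="${KUBECONFIG:-$HOME/.kube/config}"
  local apiserver token payload ca
  apiserver=$(apiserver_from_kubeconfig "$cfg")

  # Kubernetes >= 1.24 no longer creates a token secret per service account;
  # ask for a short-lived bound token first, fall back to the legacy secret.
  if ! token=$(kubectl create token default 2>/dev/null); then
    token=$(kubectl get secret "$(kubectl get sa default -o jsonpath='{.secrets[0].name}')" \
              -o jsonpath='{.data.token}' | base64 -d)
  fi

  payload=$(jwt_payload "$token")
  echo "token subject: $(jwt_claim "$payload" sub), apiserver: $apiserver" >&2

  # Verify the apiserver certificate with the cluster CA instead of curl -k.
  ca=$(mktemp)
  kubectl config view --raw --minify -o jsonpath='{.clusters[0].cluster.certificate-authority-data}' \
    | base64 -d > "$ca"
  curl --cacert "$ca" -H "Authorization: Bearer $token" "$apiserver/api"
  rm -f "$ca"
}

if [ "${1:-}" = "live" ]; then
  main_live
fi
```

The token check decodes only the payload; it does not verify the signature (only the apiserver can), so it tells you the token is intact and which service account it names, not that it is still valid.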