有没有一种方法可以在Kubernetes中为普通用户创建令牌? [英] Is there a way to create a token for a normal user in Kubernetes?

问题描述

有一种方法可以创建服务帐户并获取令牌，如如何将用户添加到Kubernetes(kubectl)?，但是有没有办法为普通用户获取或创建令牌?

There is a way to create a service account and get token as in How to Add Users to Kubernetes (kubectl)? but is there a way to get or create a token for a normal user?

按照在您的Kubernetes中配置RBAC群集并创建普通用户.

按如下所示为用户绑定集群角色(不确定是否正确，请多加建议).我想为用户创建一个令牌，并使用它来访问仪表板，但不知道如何做.

Bind a cluster role to the user as below (not sure this is correct, appreciate suggestions). I would like to create a token for the user and use it to access the dashboard but do not know how to do.

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  namespace: kube-system
  name: dashboard-admin-role
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["get", "list", "watch"]

kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: dashboard-admin-rolebinding
  namespace: office
subjects:
- kind: User
  name: myuser
  apiGroup: "rbac.authorization.k8s.io"
roleRef:
  kind: ClusterRole
  name: dashboard-admin-role
  apiGroup: "rbac.authorization.k8s.io"

推荐答案

API请求被绑定到普通用户或服务帐户，或被视为匿名请求.

• 假定普通用户由外部独立服务(私钥，第三方(如Google帐户)，甚至是包含用户名和密码的文件)管理. Kubernetes没有代表普通用户帐户的对象.
• 服务帐户是由Kubernetes API管理并绑定到特定名称空间的用户.服务帐户与存储为机密的一组凭据相关联.服务帐户承载令牌非常有效，可以在集群外部使用，并且可以用于为希望与Kubernetes API通讯的长期工作创建身份.要手动创建服务帐户，只需使用kubectl create serviceaccount ACCOUNT_NAME命令.这样会在当前名称空间中创建一个服务帐户，并创建一个关联的机密，该机密包含API服务器的公共CA和签名的JSON Web令牌(JWT).

• Normal users are assumed to be managed by an outside, independent service (private keys, third parties like Google Accounts, even a file with a list of usernames and passwords). Kubernetes does not have objects which represent normal user accounts.
• Service accounts are users managed by the Kubernetes API, bound to specific namespaces. Service accounts are tied to a set of credentials stored as Secrets. Service account bearer tokens are perfectly valid to use outside the cluster and can be used to create identities for long standing jobs that wish to talk to the Kubernetes API. To manually create a service account, simply use the kubectl create serviceaccount ACCOUNT_NAME command. This creates a service account in the current namespace and an associated secret that holds the public CA of the API server and a signed JSON Web Token (JWT).

因此您可以创建一个服务帐户，然后使用该令牌来验证对API的请求.

So you can create a serviceaccount and then use that token to authenticate the requests to the API.

类似于此示例

$ kubectl create serviceaccount jenkins
serviceaccount "jenkins" created
$ kubectl get serviceaccounts jenkins -o yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  # ...
secrets:
- name: jenkins-token-1yvwg

然后获取令牌

$ kubectl get secret jenkins-token-1yvwg -o yaml
apiVersion: v1
data:
  ca.crt: (APISERVER'S CA BASE64 ENCODED)
  namespace: ZGVmYXVsdA==
  token: (BEARER TOKEN BASE64 ENCODED)
kind: Secret
metadata:
  # ...
type: kubernetes.io/service-account-token

这篇关于有没有一种方法可以在Kubernetes中为普通用户创建令牌?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！