Openshift管理员令牌 [英] Openshift Admin Token
问题描述
我正在尝试创建一个脚本,该脚本每15分钟记录一次项目资源.如何使用Openshift API进行身份验证?我是否可以使用对所有名称空间具有读访问权的令牌?如何创建可以访问所有名称空间的服务帐户?
I am trying to create a script that records project resources every 15 minutes. How do I authenticate with Openshift API? Is there a token I can use that has read access on all namespaces? How do I create a service account that has access over all namespaces?
推荐答案
您需要创建一个对资源具有读取访问权限的ClusterRole,并使用ClusterRoleBinding将ServiceAccount与该ClusterRole关联.粗略的示例,未经测试,但可以正常工作:
You'll need to create a ClusterRole that has read access to the resources and use ClusterRoleBinding to associate the ServiceAccount to that ClusterRole. Rough example, not tested but it should work:
# creates the service account "ns-reader"
apiVersion: v1
kind: ServiceAccount
metadata:
name: ns-reader
namespace: default
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
# "namespace" omitted since ClusterRoles are not namespaced
name: global-reader
rules:
- apiGroups: [""]
# add other rescources you wish to read
resources: ["pods", "secrets"]
verbs: ["get", "watch", "list"]
---
# This cluster role binding allows service account "ns-reader" to read pods in all available namespace
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: read-ns
subjects:
- kind: ServiceAccount
name: ns-reader
namespace: default
roleRef:
kind: ClusterRole
name: global-reader
apiGroup: rbac.authorization.k8s.io
设置ServiceAccount后,将自动创建许多与之关联的秘密.其中的几个秘密持有一个令牌,可以在直接使用REST API或使用oc
时使用它们.在ServiceAccount上使用oc describe
查看令牌的密钥名称.然后在其中一个Secrets上使用oc describe
来查看令牌.
When the ServiceAccount is setup, a number of secrets are created automatically associated with it. A couple of these secrets hold a token which can then be used when using the REST API directly or using oc
. Use oc describe
on the ServiceAccount to see the names of the Secret for the tokens. Then use oc describe
on one of the Secrets to see the token.
这篇关于Openshift管理员令牌的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!