具有服务帐户令牌的Kubernetes kubeconfig [英] Kubernetes kubeconfig with service account token
问题描述
我有一个脚本在集群外部调用kubectl -server $server --certificate-authority $ca --token $token get pod --all-namespaces
,其中$token
来自服务帐户my-sa
(在命名空间my-ns
中),在RBAC下具有适当的限制权限.
I have a script that calls kubectl -server $server --certificate-authority $ca --token $token get pod --all-namespaces
outside the cluster, where$token
is from a service account my-sa
(in namespace my-ns
) with suitably restricted permissions under RBAC.
我现在想重构它,以便脚本改为调用kubectl --kubeconfig my-service.conf get pod --all-namespaces
,即它应该引用kubeconfig文件而不是设置本地参数.这是在/etc/kubernetes
中遵循Kubernetes关于其自身kubeconfig的约定.
I now want to refactor this such that the script calls kubectl --kubeconfig my-service.conf get pod --all-namespaces
instead, i.e. it should refer to a kubeconfig file instead of setting local parameters. This is in following Kubernetes' own conventions around its own kubeconfigs in /etc/kubernetes
.
我已经尝试了以下kubeconfig my-service.conf
; <CA_DATA>
是/etc/kubernetes/pki/ca.crt
的base64编码的内容,<SERVER>
与$server
相同,并且<TOKEN>
与$token
相同:
I've tried the following kubeconfig my-service.conf
; <CA_DATA>
is the base64-encoded content of /etc/kubernetes/pki/ca.crt
, <SERVER>
is same as $server
, and <TOKEN>
is same as $token
:
apiVersion: v1
kind: Config
clusters:
- cluster:
certificate-authority-data: <CA_DATA>
server: <SERVER>
name: my-cluster
contexts:
- context:
name: default-context
context:
cluster: my-cluster
user: default-user
current-context: default-context
users:
- name: my-service
user:
token: <TOKEN>
kubectl --kubeconfig /dev/null --server $server --certificate-authority /etc/kubernetes/pki/ca.crt --token $token get pods --all-namespaces
在命令行上可用,但是kubectl --kubeconfig my-service.conf get pod --all-namespaces
会产生以下错误消息:
kubectl --kubeconfig /dev/null --server $server --certificate-authority /etc/kubernetes/pki/ca.crt --token $token get pods --all-namespaces
works on the command line, but kubectl --kubeconfig my-service.conf get pod --all-namespaces
produces the following error message:
来自服务器的错误(禁止):禁止使用pods:用户 "system:anonymous"无法在 集群范围
Error from server (Forbidden): pods is forbidden: User "system:anonymous" cannot list resource "pods" in API group "" at the cluster scope
所以我的结构仍然存在问题kubeconfig文件.为什么客户端不认证为 system:serviceaccount:my-ns:my-sa
?有什么问题吗?
So there still be something wrong with the structure of my kubeconfig file. Why did the client not authenticate as system:serviceaccount:my-ns:my-sa
? What could be wrong?
更新我想知道在集群外部使用服务帐户令牌是否不合适(Kubernetes自己的kubeconfig使用客户端证书代替).但是,文档明确指出:服务帐户承载令牌是完全可以在集群外部使用."
UPDATE I was wondering whether it was perhaps inappropriate to use service account tokens outside the cluster (Kubernetes' own kubeconfigs use client certificates instead). But then the documentation clearly states: "service account bearer tokens are perfectly valid to use outside the cluster".
推荐答案
您的上下文配置引用的凭据不存在...
Your context config is referencing an inexistent credential...
您的凭据被指定为- name: my-service
,因此您的上下文应为:
Your credential is specified as - name: my-service
, so your context should be:
- context:
name: default-context
context:
cluster: my-cluster
user: my-service # instead of default-user
这篇关于具有服务帐户令牌的Kubernetes kubeconfig的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!