Openshift Admin Token


Question

I am trying to create a script that records project resources every 15 minutes. How do I authenticate with Openshift API? Is there a token I can use that has read access on all namespaces? How do I create a service account that has access over all namespaces?

Recommended answer

You'll need to create a ClusterRole that has read access to the resources and use ClusterRoleBinding to associate the ServiceAccount to that ClusterRole. Rough example, not tested but it should work:

# creates the service account "ns-reader"
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ns-reader
  namespace: default

---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  # "namespace" omitted since ClusterRoles are not namespaced
  name: global-reader
rules:
- apiGroups: [""]
  # add other resources you wish to read
  resources: ["pods", "secrets"]
  verbs: ["get", "watch", "list"]

---
# This cluster role binding allows service account "ns-reader" to read pods and secrets in all namespaces
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-ns
subjects:
- kind: ServiceAccount
  name: ns-reader
  namespace: default
roleRef:
  kind: ClusterRole
  name: global-reader
  apiGroup: rbac.authorization.k8s.io


When the ServiceAccount is set up, a number of secrets associated with it are created automatically. A couple of these secrets hold a token which can then be used when using the REST API directly or using oc. Use oc describe on the ServiceAccount to see the names of the Secrets for the tokens. Then use oc describe on one of the Secrets to see the token.
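Added example, not part of the original answer: one way the recording script could use the ns-reader token against the REST API directly, verifying the API server certificate and reading the token from a file. The function names, the server URL and the file paths are assumptions; it only lists pods, so a role used for this script does not need "secrets" in its resources.

```python
import json
import ssl
import urllib.error
import urllib.request
from collections import Counter


def build_request(api_server, token, resource="pods"):
    """Cluster-wide list of a core-group ("") resource, e.g. GET /api/v1/pods."""
    url = f"{api_server.rstrip('/')}/api/v1/{resource}"
    return urllib.request.Request(url, headers={
        "Authorization": f"Bearer {token.strip()}",  # tolerate a trailing newline
        "Accept": "application/json",
    })


def count_by_namespace(item_list):
    """Count items per namespace in a parsed Kubernetes List response."""
    return Counter(i["metadata"]["namespace"] for i in item_list.get("items", []))


def fetch_counts(api_server, token_file, ca_file, resource="pods"):
    """One polling cycle; returns a {namespace: count} mapping."""
    with open(token_file) as fh:  # keeps the token out of argv and shell history
        token = fh.read()
    ctx = ssl.create_default_context(cafile=ca_file)  # verify the API server cert
    try:
        with urllib.request.urlopen(build_request(api_server, token, resource),
                                    context=ctx, timeout=30) as resp:
            return count_by_namespace(json.load(resp))
    except urllib.error.HTTPError as err:
        if err.code == 401:
            raise PermissionError("token rejected (invalid or expired)") from err
        if err.code == 403:
            raise PermissionError(f"RBAC denies list on {resource}") from err
        raise


# Constructed sample PodList response so the parsing can be run offline.
SAMPLE_POD_LIST = {"kind": "PodList", "items": [
    {"metadata": {"name": "web-1", "namespace": "shop"}},
    {"metadata": {"name": "web-2", "namespace": "shop"}},
    {"metadata": {"name": "db-0", "namespace": "billing"}},
]}

if __name__ == "__main__":
    # Hypothetical server URL and placeholder token; no network call is made here.
    print(build_request("https://api.cluster.example:6443", "PLACEHOLDER\n").full_url)
    print(dict(count_by_namespace(SAMPLE_POD_LIST)))
```

A 403 from fetch_counts means the ClusterRoleBinding does not cover the requested resource; a 401 means the token itself was not accepted.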
