使用TOKEN授權訪問api-server在k8s運維場景中比較常見，

apiserver有三種級別的客戶端認證方式

1，HTTPS證書認證：基于CA根證書簽名的雙向數字證書認證方式

2，HTTP Token認證：通過一個Token來識別合法用戶

3，HTTP Base認證：通過用戶名+密碼的認證方式

通常的運維場景使用第二種Token較為方便Token的權限是關聯service account,

# kubectl describe secrets admin-token-2q28f -n kube-systemName: admin-token-2q28f Namespace: kube-system Labels: <none> Annotations: kubernetes.io/service-account.name: adminkubernetes.io/service-account.uid: 93316ffa-7545-11e9-b617-00163e06992d Type: kubernetes.io/service-account-token Data ==== ca.crt: 1419 bytes namespace: 11 bytes token: eyJhbGciOiJ******

Service Account 的權限來自Clusterrolebinding-->ClusterRole

# kubectl describe serviceaccount admin -n kube-systemName: admin Namespace: kube-system Labels: <none> Annotations: kubectl.kubernetes.io/last-applied-configuration:{"apiVersion":"v1","kind":"ServiceAccount","metadata":{"annotations":{},"name":"admin","namespace":"kube-system"}} Image pull secrets: <none> Mountable secrets: admin-token-2q28f Tokens: admin-token-2q28f Events: <none>

通過clusterrolebinding 可以拿到ClusterRole對應的rolename

# kubectl get clusterrolebinding admin -o yamlapiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata:annotations:kubectl.kubernetes.io/last-applied-configuration: |{"apiVersion":"rbac.authorization.k8s.io/v1beta1","kind":"ClusterRoleBinding","metadata":{"annotations":{},"name":"admin"},"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"cluster-admin"},"subjects":[{"kind":"ServiceAccount","name":"admin","namespace":"kube-system"}]}creationTimestamp: 2019-05-13T06:08:49Zname: adminresourceVersion: "1523"selfLink: /apis/rbac.authorization.k8s.io/v1/clusterrolebindings/adminuid: 93356439-7545-11e9-b617-00163e06992d roleRef:apiGroup: rbac.authorization.k8s.iokind: ClusterRolename: cluster-admin subjects: - kind: ServiceAccountname: adminnamespace: kube-system

這個role是什么權限?

# kubectl get clusterrole cluster-admin -o yamlapiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata:annotations:rbac.authorization.kubernetes.io/autoupdate: "true"creationTimestamp: 2019-05-13T06:01:10Zlabels:kubernetes.io/bootstrapping: rbac-defaultsname: cluster-adminresourceVersion: "55"selfLink: /apis/rbac.authorization.k8s.io/v1/clusterroles/cluster-adminuid: 817e2b9e-7544-11e9-9766-00163e0e34c8 rules: - apiGroups:- '*'resources:- '*'verbs:- '*' - nonResourceURLs:- '*'verbs:- '*'

從clusterrole權限來看，admin關聯的權限還是比較大的，正常的集群運維中建議根據自身的真實需要，去定制權限

https://kubernetes.io/docs/reference/access-authn-authz/rbac/

了解完這些，分享一個小技巧，這樣后面客戶再有curl訪問apiserver的需求，我相信你沒問題了！

# kubectl describe secrets $(kubectl get secrets -n kube-system |grep admin |cut -f1 -d ' ') -n kube-system |grep -E '^token' |cut -f2 -d':'|tr -d '\t'|tr -d ' 'eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJhZG1pbi10b2tlbi0ycTI4ZiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJhZG1pbiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjkzMzE2ZmZhLTc1NDUtMTFlOS1iNjE3LTAwMTYzZTA2OTkyZCIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDprdWJlLXN5c3RlbTphZG1pbiJ9.EQzj2LsWn2k31m-ksn9GmB1bZTi1Xjw1fnmWFgRKlwhS2QAaVnDXfV_TgUovpq5oWKh7h0gTVaNaK4KKK76yAv6GfMehpOdIO5xHCfQAWVRhla1cwUDC64tz7vJ1zGcx_lz4hKfhdXN1T8FYS0B0hf3h2OloAMfCZTzDjRWz24GVwH-WRTEwY_5tav65GiZzBTsnz1vV7NOcx-Kl8AK2HbowtBYqK05x7oOmp84FiQMwpYU-7g0c03h61zev4lvf0e-HFtqKiByPi8gD-uiVRvE-xayOz5oIESWw2GfhzfNf_uyR7eLplCKUBecVMtwVsBauNaeqU-IIJW5VIHAOxw # TOKEN=$(kubectl describe secrets $(kubectl get secrets -n kube-system |grep admin |cut -f1 -d ' ') -n kube-system |grep -E '^token' |cut -f2 -d':'|tr -d '\t'|tr -d ' ')# kubectl config view |grep server|cut -f 2- -d ":" | tr -d " "https://192.168.0.130:6443 # APISERVER=$(kubectl config view |grep server|cut -f 2- -d ":" | tr -d " ")

使用curl訪問apiserver

# curl -H "Authorization: Bearer $TOKEN" $APISERVER/api --insecure{"kind": "APIVersions","versions": ["v1"],"serverAddressByClientCIDRs": [{"clientCIDR": "0.0.0.0/0","serverAddress": "192.168.0.130:6443"}] }

原文鏈接
本文為云棲社區原創內容，未經允許不得轉載。

總結

以上是生活随笔為你收集整理的如何使用curl访问k8s的apiserver的全部內容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網站內容還不錯，歡迎將生活随笔推薦給好友。