Using the Service Account mounted inside a Kubernetes Pod

Author: 李佶澳  Updated: 2017/04/27 13:23:49


Accessing the apiserver from inside a container

Kubernetes ships with a built-in service named kubernetes; this service is the Kubernetes API server itself.

This address is reachable from inside any container. What a container is allowed to do against it depends on the permissions granted to the pod's service account; note that every process in the container can read the mounted token, so a compromised container gets exactly those permissions:

$kubectl get service
NAME         CLUSTER-IP   EXTERNAL-IP   PORT(S)   AGE
kubernetes   10.0.0.1     <none>        443/TCP   29d

From inside the container the address answers, but a request without credentials is rejected:

$curl https://10.0.0.1:443 --cacert /run/secrets/kubernetes.io/serviceaccount/ca.crt
Unauthorized

Prepare a file curl.sh with the following content:

#!/bin/sh
# read the service account token that kubelet mounted into the pod
token=$(cat /run/secrets/kubernetes.io/serviceaccount/token)
# present it as a Bearer token, verifying the apiserver with the mounted cluster CA
curl https://10.0.0.1:443 --cacert /run/secrets/kubernetes.io/serviceaccount/ca.crt -H "Authorization: Bearer $token"

Running it shows that the token is accepted and the apiserver answers:

$./curl.sh
{
  "paths": [
    "/api",
    "/api/v1",
    "/apis",
    "/apis/apps",
    "/apis/apps/v1alpha1",
    "/apis/authentication.k8s.io",
    "/apis/authentication.k8s.io/v1beta1",
    "/apis/authorization.k8s.io",
    "/apis/authorization.k8s.io/v1beta1",
    "/apis/autoscaling",
    "/apis/autoscaling/v1",
    "/apis/batch",
    "/apis/batch/v1",
    "/apis/batch/v2alpha1",
    "/apis/certificates.k8s.io",
    "/apis/certificates.k8s.io/v1alpha1",
    "/apis/extensions",
    "/apis/extensions/v1beta1",
    "/apis/policy",
    "/apis/policy/v1alpha1",
    "/apis/rbac.authorization.k8s.io",
    "/apis/rbac.authorization.k8s.io/v1alpha1",
    "/apis/storage.k8s.io",
    "/apis/storage.k8s.io/v1beta1",
    "/healthz",
    "/healthz/ping",
    "/logs",
    "/metrics",
    "/swaggerapi/",
    "/ui/",
    "/version"
  ]
}

Once the following environment variables are set in the container (kubelet normally injects both into every pod, so they only need to be set by hand if they are missing), a kubectl binary copied into the container can operate on the cluster directly:

export KUBERNETES_SERVICE_HOST=10.0.0.1
export KUBERNETES_SERVICE_PORT=443

kubectl loads the token mounted in the container automatically when it detects that it is running inside a cluster; from the kubectl source:

//   However, if it appears that we're running in a kubernetes cluster
//   container environment, then run with the auth info kubernetes mounted for
//   us. Specifically:
//     The env vars KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT are
//     set, and the file /var/run/secrets/kubernetes.io/serviceaccount/token
//     exists and is not a directory.

The docker-kubectl image already bundles kubectl and can be used directly; the service address can be found in its env.init.
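The curl.sh above and the in-cluster kubectl setup both rely on the same three things kubelet mounts or injects into a pod: the token, the cluster CA and the KUBERNETES_SERVICE_HOST/PORT variables. The following script, an added example and not code from the original post or from docker-kubectl, turns curl.sh into reusable functions and adds the check a practitioner wants before trusting a token: a SelfSubjectAccessReview, the API call behind "kubectl auth can-i", asking the apiserver what this token may do in the pod's own namespace. The function names, the SA_DIR override (so the functions can be exercised outside a pod) and the AUTHZ_API default are this example's assumptions: the apiserver on the page lists authorization.k8s.io/v1beta1, current clusters serve v1, so the version is a variable. The 10.0.0.1:443 fallback is the page's service address.

```shell
#!/bin/sh
# Added example (not from the original post): reusable functions around the
# service account that kubelet mounts into a pod.
#
# SA_DIR     - mount directory of the service account (overridable for testing)
# AUTHZ_API  - API group/version used for SelfSubjectAccessReview (page lists v1beta1)
SA_DIR="${SA_DIR:-/var/run/secrets/kubernetes.io/serviceaccount}"
AUTHZ_API="${AUTHZ_API:-authorization.k8s.io/v1}"

apiserver_url() {
    # kubelet injects both variables into every pod; fall back to the page's values
    printf 'https://%s:%s' "${KUBERNETES_SERVICE_HOST:-10.0.0.1}" "${KUBERNETES_SERVICE_PORT:-443}"
}

sa_token() {
    # a missing or empty token would silently turn the request into an anonymous one
    if [ ! -s "$SA_DIR/token" ]; then
        echo "service account token not found or empty: $SA_DIR/token" >&2
        return 1
    fi
    cat "$SA_DIR/token"
}

sa_namespace() {
    # the namespace the pod runs in, also mounted by kubelet next to the token
    cat "$SA_DIR/namespace"
}

# JSON body of a SelfSubjectAccessReview: "may I do <verb> on <resource> in <namespace>?"
access_review_body() {
    verb="$1"; resource="$2"; namespace="$3"
    printf '{"apiVersion":"%s","kind":"SelfSubjectAccessReview","spec":{"resourceAttributes":{"namespace":"%s","verb":"%s","resource":"%s"}}}' \
        "$AUTHZ_API" "$namespace" "$verb" "$resource"
}

# GET an API path with the mounted token, e.g. api_get /api/v1/namespaces/default/pods
api_get() {
    token="$(sa_token)" || return 1
    curl -sS --cacert "$SA_DIR/ca.crt" -H "Authorization: Bearer $token" "$(apiserver_url)$1"
}

# Ask the apiserver whether this token may perform <verb> on <resource> in the pod's namespace,
# e.g. can_i list pods   (the answer is in .status.allowed of the returned object)
can_i() {
    token="$(sa_token)" || return 1
    curl -sS --cacert "$SA_DIR/ca.crt" -H "Authorization: Bearer $token" \
        -H 'Content-Type: application/json' -X POST \
        --data "$(access_review_body "$1" "$2" "$(sa_namespace)")" \
        "$(apiserver_url)/apis/$AUTHZ_API/selfsubjectaccessreviews"
}
```

Inside a pod, "api_get /" reproduces the path listing shown above, and "can_i list secrets" is the quickest way to find out whether the mounted token is more powerful than the workload needs; the missing-token check matters because curl with an empty Authorization header falls through to anonymous access rather than failing loudly.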

References

  1. docker-kubectl
