碼上快樂

相關內容    簡體    繁體

如何使用curl訪問k8s的apiserver

本文轉載自   查看原文   2020-11-02 10:45   497    k8s

如何使用curl訪問k8s的apiserver

 

使用TOKEN授權訪問api-server在k8s運維場景中比較常見,

apiserver有三種級別的客戶端認證方式

1,HTTPS證書認證:基於CA根證書簽名的雙向數字證書認證方式

2,HTTP Token認證:通過一個Token來識別合法用戶

3,HTTP Base認證:通過用戶名+密碼的認證方式

通常的運維場景使用第二種Token較為方便Token的權限是關聯service account, 

  1. # kubectl describe secrets admin-token-2q28f -n kube-system 
  2. Name: admin-token-2q28f
  3. Namespace: kube-system
  4. Labels: <none>
  5. Annotations: kubernetes.io/service-account.name: admin
  6. kubernetes.io/service-account.uid: 93316ffa-7545-11e9-b617-00163e06992d 
  7. Type: kubernetes.io/service-account-token
  8. Data 
  9. ====
  10. ca.crt: 1419 bytes 
  11. namespace: 11 bytes
  12. token: eyJhbGciOiJ******

Service Account 的權限來自Clusterrolebinding-->ClusterRole

  1. # kubectl describe serviceaccount admin -n kube-system
  2. Name: admin
  3. Namespace: kube-system 
  4. Labels: <none> 
  5. Annotations: kubectl.kubernetes.io/last-applied-configuration:
  6. { "apiVersion":"v1","kind":"ServiceAccount","metadata":{"annotations":{},"name":"admin","namespace":"kube-system"}}
  7. Image pull secrets: <none>
  8. Mountable secrets: admin-token-2q28f
  9. Tokens: admin-token-2q28f
  10. Events: <none>

通過clusterrolebinding 可以拿到ClusterRole對應的rolename 

  1. # kubectl get clusterrolebinding admin -o yaml 
  2. apiVersion: rbac.authorization.k8s.io/v1
  3. kind: ClusterRoleBinding 
  4. metadata: 
  5. annotations: 
  6. kubectl.kubernetes.io/last-applied-configuration: | 
  7. { "apiVersion":"rbac.authorization.k8s.io/v1beta1","kind":"ClusterRoleBinding","metadata":{"annotations":{},"name":"admin"},"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"cluster-admin"},"subjects":[{"kind":"ServiceAccount","name":"admin","namespace":"kube-system"}]} 
  8. creationTimestamp: 2019-05-13T06:08:49Z 
  9. name: admin 
  10. resourceVersion: "1523"
  11. selfLink: /apis/rbac.authorization.k8s.io/v1/clusterrolebindings/admin
  12. uid: 93356439-7545-11e9-b617-00163e06992d
  13. roleRef:
  14. apiGroup: rbac.authorization.k8s.io
  15. kind: ClusterRole 
  16. name: cluster-admin 
  17. subjects:
  18. - kind: ServiceAccount
  19. name: admin 
  20. namespace: kube-system

這個role是什么權限? 

  1. # kubectl get clusterrole cluster-admin -o yaml
  2. apiVersion: rbac.authorization.k8s.io/v1
  3. kind: ClusterRole
  4. metadata: 
  5. annotations:
  6. rbac.authorization.kubernetes.io/autoupdate: "true"
  7. creationTimestamp: 2019-05-13T06:01:10Z 
  8. labels:
  9. kubernetes.io/bootstrapping: rbac-defaults
  10. name: cluster-admin 
  11. resourceVersion: "55" 
  12. selfLink: /apis/rbac.authorization.k8s.io/v1/clusterroles/cluster-admin
  13. uid: 817e2b9e-7544-11e9-9766-00163e0e34c8 
  14. rules: 
  15. - apiGroups: 
  16. - '*' 
  17. resources: 
  18. - '*' 
  19. verbs: 
  20. - '*'
  21. - nonResourceURLs: 
  22. - '*'
  23. verbs:
  24. - '*'

從clusterrole權限來看,admin關聯的權限還是比較大的,正常的集群運維中建議根據自身的真實需要,去定制權限。

了解完這些,分享一個小技巧,這樣后面客戶再有curl訪問apiserver的需求,我相信你沒問題了! 

  1. # kubectl describe secrets $(kubectl get secrets -n kube-system |grep admin |cut -f1 -d ' ') -n kube-system |grep -E '^token' |cut -f2 -d':'|tr -d '\t'|tr -d ' '
  2. eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJhZG1pbi10b2tlbi0ycTI4ZiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJhZG1pbiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjkzMzE2ZmZhLTc1NDUtMTFlOS1iNjE3LTAwMTYzZTA2OTkyZCIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDprdWJlLXN5c3RlbTphZG1pbiJ9.EQzj2LsWn2k31m-ksn9GmB1bZTi1Xjw1fnmWFgRKlwhS2QAaVnDXfV_TgUovpq5oWKh7h0gTVaNaK4KKK76yAv6GfMehpOdIO5xHCfQAWVRhla1cwUDC64tz7vJ1zGcx_lz4hKfhdXN1T8FYS0B0hf3h2OloAMfCZTzDjRWz24GVwH-WRTEwY_5tav65GiZzBTsnz1vV7NOcx-Kl8AK2HbowtBYqK05x7oOmp84FiQMwpYU-7g0c03h61zev4lvf0e-HFtqKiByPi8gD-uiVRvE-xayOz5oIESWw2GfhzfNf_uyR7eLplCKUBecVMtwVsBauNaeqU-IIJW5VIHAOxw
  3. # TOKEN=$(kubectl describe secrets $(kubectl get secrets -n kube-system |grep admin |cut -f1 -d ' ') -n kube-system |grep -E '^token' |cut -f2 -d':'|tr -d '\t'|tr -d ' ') 
  4. # kubectl config view |grep server|cut -f 2- -d ":" | tr -d " " 
  5. https://192.168.0.130:6443 
  6. # APISERVER=$(kubectl config view |grep server|cut -f 2- -d ":" | tr -d " ")

使用curl訪問apiserver

  1. # curl -H "Authorization: Bearer $TOKEN" $APISERVER/api --insecure
  3. "kind": "APIVersions",
  4. "versions": [ 
  5. "v1" 
  6. ], 
  7. "serverAddressByClientCIDRs": [ 
  9. "clientCIDR": "0.0.0.0/0", 
  10. "serverAddress": "192.168.0.130:6443" 
  13. }


免責聲明!

本站轉載的文章為個人學習借鑒使用,本站對版權不負任何法律責任。如果侵犯了您的隱私權益,請聯系本站郵箱yoyou2525@163.com刪除。



猜您在找 k8s 之apiserver部署(六) curl 訪問k8s api k8s apiserver 重啟失敗 k8s如何訪問pod k8s的基本使用 K8S從入門到放棄系列-(5)kubernetes集群之kube-apiserver部署 k8s 安裝與基本使用 k8s使用cephfs K8S ConfigMap使用 k8s的使用入門
 
粵ICP備18138465號   © 2018-2025 CODEPRJ.COM