【k8s】创建基于sa的token的kubeconfig

需求

    创建一个基于sa的token的kubeconfig文件，并用这个文件来访问集群。

具体创建sa 和sa的token请参考文章: 【k8s】给ServiceAccount 创建关联的 Secrets-CSDN博客

创建sa

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:namespace: jtkjdevname: gitcicd-role
rules:
- apiGroups: ["apps"]resources: ["deployments"]verbs: ["delete","get","create"]
- apiGroups: [""]resources: ["services"]verbs: ["delete","create","get","list"]---
apiVersion: v1
kind: ServiceAccount
metadata:namespace: jtkjdevname: gitcicd-sa---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:namespace: jtkjdevname: gitcicd-role-sa-binding
subjects:
- kind: ServiceAccountname: gitcicd-sanamespace: jtkjdev
roleRef:kind: Rolename: gitcicd-roleapiGroup: rbac.authorization.k8s.io---
apiVersion: v1
kind: Secret
type: kubernetes.io/service-account-token
metadata:namespace: jtkjdevname: gitcicd-sa-secretannotations:kubernetes.io/service-account.name: "gitcicd-sa"

kubeconfig文件结构

apiVersion: v1
clusters:
- cluster:certificate-authority-data:  【k8s集群中的顶级根证书ca.crt】server: https://xxx.xxx.218.119:6443name: mytest 【这个名称自己随便定义，一般定义k8s集群的名称，方便管理】contexts: 【context 是用来把上下文和下面的user关联起来】
- context:cluster: mytest user: gitcicd-saname: gitcicd-sa@mytest current-context: gitcicd-sa@mytest  【给kubeconfig文件中会有个上下文，通过current-context来指定当前用哪个】kind: Config
preferences: {}
users: 【配置关联的用户,如自己创建的sa】
- name: gitcicd-sa1user: [这种方式是使用证书的验证客户的方式]client-certificate-data: 【这个客户端证书是由k8s集群中的顶级根证书签名过的】client-key-data: 【客户端私钥，可以自己用openssl 工具生成】- name: gitcicd-sauser:token: $TOKEN  【这个token是sa类型用户：gitcicd-sa中的secret中的token，可以通过kubectl describe  secrets gitcicd-sa-secret -n jtkjdev获取】

创建过程

1、kubeconfig文件中的 cluster部分

kubectl config --kubeconfig=config-demo set-cluster development --server=https://xx.xx.218.119:6443 --embed-certs --certificate-authority=ca.crt【可以把k8s集群中的顶级根证书拷贝到当前命令执行目录】

  这个指令会在/root/.kube/ 目录生成一个: config-demo 文件。内容如下:

apiVersion: v1
clusters:
- cluster:certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURCVENDQWUyZ0F3SUJBZ0lJTXRFODhEUUV2NUF3RFFZSktvWklodmNOQVFFTEJRQXdGVEVUTUJFR0ExVUUKQXhNS2EzVmlaWEp1WlhSbGN6QWVGdzB5TkRFeE1UTXhOVE0yTXpWYUZ3MHpOREV4TVRFeE5UUXhNelZhTUJVeApFekFSQmdOVkJBTVRDbXQxWW1WeWJtVjBaWE13Z2dFaU1BMEdDU3FHU0liM0RRRUJBUVVBQTRJQkR3QXdnZ0VLCkFvSUJBUUMrRUpXemNadkF4a1lxWHZ0Q05POFRUcFluNjkzMTR1aUUySzNzV3BoR25ySjlOdUNVeEVuaHRmdW8KN09xQWt6MkZGbzNWSFRpYnB1ekFZVUxsL3VwV0F2RE12NnI2WHpFT0JLaHlCU09ZR3ZjSlpKNXJpcFVrSjNVcgpZZzlFMW1QaDNDc0o2Mmx0b3NLbW8vZ1BrUDZITXlSSWdMMFpQY2VzTFVBbHE3Y0FURTBMRXI0azdaYitaeTZxCjNnVDU5eHR1RTE4dkZOVUpBNE90cjJHRVpLajJ6OXFqRUR1clB5L0tHcmF6NWRqQWx6dTJFSy8zU3RxTXRhRnYKRkw1dkxFQmlydmNlR0w1RDVGc0Z5dkhsOEIvWUljTUU4cnUwV2ZRbEhZMjJIdVR0Q0VGSTRtd3Fpek1CcXd2TwptVGdSSDlmTmxaMWZaS20yWWY0bkR3SlJBOWhMQWdNQkFBR2pXVEJYTUE0R0ExVWREd0VCL3dRRUF3SUNwREFQCkJnTlZIUk1CQWY4RUJUQURBUUgvTUIwR0ExVWREZ1FXQkJRU3FxMzBlSERJbklFWGpSTnlOb3JDSFpxT3JqQVYKQmdOVkhSRUVEakFNZ2dwcmRXSmxjbTVsZEdWek1BMEdDU3FHU0liM0RRRUJDd1VBQTRJQkFRQmk1bi9GYUFmaApMTGttNjFtSjBZSlNEN3RTSzUxc2JKcldGc3JvSWwzeEMzZFhnVW16dTFONkh6MGVMQkQ4aUo4ZnlNcllPQ2xkClgyR2Z6ell5azQza3J5OVlicnhDMnZOSU5GdWJjUDdtKzRUWC9ycHFzdmJXRVJTY21MM2o5SmJWaDFBVHZyR2kKVzlOWVM2WGlEay9JRlhYVkthZ091TituT0xvS1FHM1ZwZGdncTdZYnN5V0JDZXZZR1h0VVE0cWNqeDIwUjVxSwo3em1ZdEtCUlVJQTRLdkRlWm1ZeThmUWxmWkNVa2JKY0hxZ0ZiVE5uVU1Bd3ZoWnorOVBIZ2lHSm5rUHQzYXBkCk55bjduQ05MWGs5dEZ3Tzl5VHQyN3BGTy9xTGhqcnFGakVkampqTkd1bFNxcjY4SzFUeGs4cGR4R1hWWHhpcE0KL2hiMkszZm41dHE0Ci0tLS0tRU5EIENFUlRJRxxxxx11111server: https://.30.xx8.xx9:6443name: developmentcontexts: 
- context:cluster: user: name: current-context: nullkind: Config
preferences: {}
users:
- name: gitcicd-sa1user:  token: null

2、获取gitcicd-sa的token

    kubectl describe  secrets gitcicd-sa-secret -n jtkjdev

[root@iZ2vc6igbukkxw6rbl64ljZ .kube]# kubectl describe secrets gitcicd-sa-secret -n jtkjdevName:         gitcicd-sa-secret
Namespace:    jtkjdev
Labels:       kubernetes.io/legacy-token-last-used=2024-12-03
Annotations:  kubernetes.io/service-account.name: gitcicd-sakubernetes.io/service-account.uid: 1c19d7e6-18c7-488b-8187-5fef65d9dc99Type:  kubernetes.io/service-account-tokenData
====
ca.crt:     1107 bytes
namespace:  7 bytes
token:      11111111111111111111111WxhQnpKczJEQ0V4WXdmbFVMNk9UaVA0aVlEb042XzQifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJqdGtqZGV2Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImdpdGNpY2Qtc2Etc2VjcmV0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6ImdpdGNpY2Qtc2EiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiIxYzE5ZDdlNi0xOGM3LTQ4OGItODE4Ny01ZmVmNjVkOWRjOTkiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6anRramRldjpnaXRjaWNkLXNhIn0.l5MAZPAc6w6aGmDIk_1_WqIspjwGhCLjjw1YoI9yebaow_3q1P6eSqjYIKD1_hYX_l4tn03DnUcJrNr8R9KPnfSJbcfuOuZVq9K7mm8j46tAPiVIzgVkKf4e6PxPw9IRmFuD2lQaJH8n9jVscL8Cw4y1j0KxPcK_po-Bpvpy0JRR5Pc7hYlnBIqSElqqcqM5LtSWK6adwQ4bdxwu7bMlmSYp5nFencvCLKnRKX-UVOf_S-SFabbv0Zn8wkx6NTJ0uxfqkSePtY2vLAkCgyivhjWhSKqlok1anj5kzSa-ol-6IPQI4WSEAx-jkfiqjIyN11111111111111

3、把获取的token添加到config-demo文件

apiVersion: v1
clusters:
- cluster:certificate-authority-data: LccccccRVJUSUZJQ0FURS0tLS0tCk1JSURCVENDQWUyZ0F3SUJBZ0lJTXRFODhEUUV2NUF3RFFZSktvWklodmNOQVFFTEJRQXdGVEVUTUJFR0ExVUUKQXhNS2EzVmlaWEp1WlhSbGN6QWVGdzB5TkRFeE1UTXhOVE0yTXpWYUZ3MHpOREV4TVRFeE5UUXhNelZhTUJVeApFekFSQmdOVkJBTVRDbXQxWW1WeWJtVjBaWE13Z2dFaU1BMEdDU3FHU0liM0RRRUJBUVVBQTRJQkR3QXdnZ0VLCkFvSUJBUUMrRUpXemNadkF4a1lxWHZ0Q05POFRUcFluNjkzMTR1aUUySzNzV3BoR25ySjlOdUNVeEVuaHRmdW8KN09xQWt6MkZGbzNWSFRpYnB1ekFZVUxsL3VwV0F2RE12NnI2WHpFT0JLaHlCU09ZR3ZjSlpKNXJpcFVrSjNVcgpZZzlFMW1QaDNDc0o2Mmx0b3NLbW8vZ1BrUDZITXlSSWdMMFpQY2VzTFVBbHE3Y0FURTBMRXI0azdaYitaeTZxCjNnVDU5eHR1RTE4dkZOVUpBNE90cjJHRVpLajJ6OXFqRUR1clB5L0tHcmF6NWRqQWx6dTJFSy8zU3RxTXRhRnYKRkw1dkxFQmlydmNlR0w1RDVGc0Z5dkhsOEIvWUljTUU4cnUwV2ZRbEhZMjJIdVR0Q0VGSTRtd3Fpek1CcXd2TwptVGdSSDlmTmxaMWZaS20yWWY0bkR3SlJBOWhMQWdNQkFBR2pXVEJYTUE0R0ExVWREd0VCL3dRRUF3SUNwREFQCkJnTlZIUk1CQWY4RUJUQURBUUgvTUIwR0ExVWREZ1FXQkJRU3FxMzBlSERJbklFWGpSTnlOb3JDSFpxT3JqQVYKQmdOVkhSRUVEakFNZ2dwcmRXSmxjbTVsZEdWek1BMEdDU3FHU0liM0RRRUJDd1VBQTRJQkFRQmk1bi9GYUFmaApMTGttNjFtSjBZSlNEN3RTSzUxc2JKcldGc3JvSWwzeEMzZFhnVW16dTFONkh6MGVMQkQ4aUo4ZnlNcllPQ2xkClgyR2Z6ell5azQza3J5OVlicnhDMnZOSU5GdWJjUDdtKzRUWC9ycHFzdmJXRVJTY21MM2o5SmJWaDFBVHZyR2kKVzlOWVM2WGlEay9JRlhYVkthZ091TituT0xvS1FHM1ZwZGdncTdZYnN5V0JDZXZZR1h0VVE0cWNqeDIwUjVxSwo3em1ZdEtCUlVJQTRLdkRlWm1ZeThmUWxmWkNVa2JKY0hxZ0ZiVE5uVU1Bd3ZoWnorOVBIZ2lHSm5rUHQzYXBkCk55bjduQ05MWGs5xxxxxxxxxxxxxxxserver: https://1cccc.cccc.218.119:6443name: developmentcontexts: 
- context:cluster: developmentuser: gitcicd-saname: gitcicd-sa@developmentcurrent-context: gitcicd-sa@developmentkind: Config
preferences: {}
users:
- name: gitcicd-sauser:  token: cccccc4eERERG9WNWxhQnpKczJEQ0V4WXdmbFVMNk9UaVA0aVlEb042XzQifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJqdGtqZGV2Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImdpdGNpY2Qtc2Etc2VjcmV0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6ImdpdGNpY2Qtc2EiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiIxYzE5ZDdlNi0xOGM3LTQ4OGItODE4Ny01ZmVmNjVkOWRjOTkiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6anRramRldjpnaXRjaWNkLXNhIn0.l5MAZPAc6w6aGmDIk_1_WqIspjwGhCLjjw1YoI9yebaow_3q1P6eSqjYIKD1_hYX_l4tn03DnUcJrNr8R9KPnfSJbcfuOuZVq9K7mm8j46tAccccccc

    同时添加context相关信息

4、然后使用

   kubectl --kubeconfig config-demo  get pods -n jtkjdev

[root]# kubectl --kubeconfig config-demo  get pods -n jtkjdev
Error from server (Forbidden): pods is forbidden: User "system:serviceaccount:jtkjdev:gitcicd-sa" cannot list resource "pods" in API group "" in the namespace "jtkjdev"提示没有权限，因为上面创建的gitcicd-ca用户是没有 获取pods权限的

   kubectl --kubeconfig config-demo  get svc  -n jtkjdev  

由于sa绑定的角色有 svc 的list权限，所以可以查询

 然后通过调整gitlabcicd-sa这个用户的角色内容，就可以很好的控制它的权限