如何使用curl訪問k8s的apiserver
使用TOKEN受權訪問api-server在k8s運維場景中比較常見,bootstrap
apiserver有三種級別的客戶端認證方式api
1,HTTPS證書認證:基於CA根證書籤名的雙向數字證書認證方式app
2,HTTP Token認證:經過一個Token來識別合法用戶運維
3,HTTP Base認證:經過用戶名+密碼的認證方式curl
一般的運維場景使用第二種Token較爲方便Token的權限是關聯service account,ui
# kubectl describe secrets admin-token-2q28f -n kube-system
Name: admin-token-2q28f
Namespace: kube-system
Labels: <none>
Annotations: kubernetes.io/service-account.name: admin
kubernetes.io/service-account.uid: 93316ffa-7545-11e9-b617-00163e06992d
Type: kubernetes.io/service-account-token
Data
====
ca.crt: 1419 bytes
namespace: 11 bytes
token: eyJhbGciOiJ******
Service Account 的權限來自Clusterrolebinding-->ClusterRoleurl
# kubectl describe serviceaccount admin -n kube-system
Name: admin
Namespace: kube-system
Labels: <none>
Annotations: kubectl.kubernetes.io/last-applied-configuration:
{"apiVersion":"v1","kind":"ServiceAccount","metadata":{"annotations":{},"name":"admin","namespace":"kube-system"}}
Image pull secrets: <none>
Mountable secrets: admin-token-2q28f
Tokens: admin-token-2q28f
Events: <none>
經過clusterrolebinding 能夠拿到ClusterRole對應的rolenamespa
# kubectl get clusterrolebinding admin -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
annotations:
kubectl.kubernetes.io/last-applied-configuration: |
{"apiVersion":"rbac.authorization.k8s.io/v1beta1","kind":"ClusterRoleBinding","metadata":{"annotations":{},"name":"admin"},"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"cluster-admin"},"subjects":[{"kind":"ServiceAccount","name":"admin","namespace":"kube-system"}]}
creationTimestamp: 2019-05-13T06:08:49Z
name: admin
resourceVersion: "1523"
selfLink: /apis/rbac.authorization.k8s.io/v1/clusterrolebindings/admin
uid: 93356439-7545-11e9-b617-00163e06992d
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: ServiceAccount
name: admin
namespace: kube-system
這個role是什麼權限?code
# kubectl get clusterrole cluster-admin -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
rbac.authorization.kubernetes.io/autoupdate: "true"
creationTimestamp: 2019-05-13T06:01:10Z
labels:
kubernetes.io/bootstrapping: rbac-defaults
name: cluster-admin
resourceVersion: "55"
selfLink: /apis/rbac.authorization.k8s.io/v1/clusterroles/cluster-admin
uid: 817e2b9e-7544-11e9-9766-00163e0e34c8
rules:
- apiGroups:
- '*'
resources:
- '*'
verbs:
- '*'
- nonResourceURLs:
- '*'
verbs:
- '*'
從clusterrole權限來看,admin關聯的權限仍是比較大的,正常的集羣運維中建議根據自身的真實須要,去定製權限。server
瞭解完這些,分享一個小技巧,這樣後面客戶再有curl訪問apiserver的需求,我相信你沒問題了!
# kubectl describe secrets $(kubectl get secrets -n kube-system |grep admin |cut -f1 -d ' ') -n kube-system |grep -E '^token' |cut -f2 -d':'|tr -d '\t'|tr -d ' ' eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJhZG1pbi10b2tlbi0ycTI4ZiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJhZG1pbiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjkzMzE2ZmZhLTc1NDUtMTFlOS1iNjE3LTAwMTYzZTA2OTkyZCIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDprdWJlLXN5c3RlbTphZG1pbiJ9.EQzj2LsWn2k31m-ksn9GmB1bZTi1Xjw1fnmWFgRKlwhS2QAaVnDXfV_TgUovpq5oWKh7h0gTVaNaK4KKK76yAv6GfMehpOdIO5xHCfQAWVRhla1cwUDC64tz7vJ1zGcx_lz4hKfhdXN1T8FYS0B0hf3h2OloAMfCZTzDjRWz24GVwH-WRTEwY_5tav65GiZzBTsnz1vV7NOcx-Kl8AK2HbowtBYqK05x7oOmp84FiQMwpYU-7g0c03h61zev4lvf0e-HFtqKiByPi8gD-uiVRvE-xayOz5oIESWw2GfhzfNf_uyR7eLplCKUBecVMtwVsBauNaeqU-IIJW5VIHAOxw # TOKEN=$(kubectl describe secrets $(kubectl get secrets -n kube-system |grep admin |cut -f1 -d ' ') -n kube-system |grep -E '^token' |cut -f2 -d':'|tr -d '\t'|tr -d ' ') # kubectl config view |grep server|cut -f 2- -d ":" | tr -d " " https://192.168.0.130:6443 # APISERVER=$(kubectl config view |grep server|cut -f 2- -d ":" | tr -d " ")
使用curl訪問apiserver
# curl -H "Authorization: Bearer $TOKEN" $APISERVER/api --insecure
{
"kind": "APIVersions",
"versions": [
"v1"
],
"serverAddressByClientCIDRs": [
{
"clientCIDR": "0.0.0.0/0",
"serverAddress": "192.168.0.130:6443"
}
]
}
原文連接 本文爲雲棲社區原創內容,未經容許不得轉載。
相關文章
- 1. 如何使用curl訪問k8s的apiserver
- 2. openshift 使用curl命令訪問apiserver
- 3. K8S的APISERVER,https訪問
- 4. K8S的APISERVER,應用了HTTPS之後,命令行如何訪問?
- 5. k8s :kube-apiserver 訪問 etcd 後端存儲
- 6. Kubernetes11--Java訪問apiserver
- 7. 使用curl,libcurl訪問Https
- 8. php使用curl訪問https
- 9. 九析帶你用 curl 輕鬆完爆 k8s apiserver
- 10. kubernetes使用http rest api訪問集羣之使用postman工具訪問 apiserver
- 更多相關文章...
- • XSD 如何使用? - XML Schema 教程
- • Swift 訪問控制 - Swift 教程
- • Composer 安裝與使用
- • 使用Rxjava計算圓周率
相關標籤/搜索
每日一句
-
每一个你不满意的现在,都有一个你没有努力的曾经。
最新文章
- 1. 升級Gradle後報錯Gradle‘s dependency cache may be corrupt (this sometimes occurs
- 2. Smarter, Not Harder
- 3. mac-2019-react-native 本地環境搭建(xcode-11.1和android studio3.5.2中Genymotion2.12.1 和VirtualBox-5.2.34 )
- 4. 查看文件中關鍵字前後幾行的內容
- 5. XXE萌新進階全攻略
- 6. Installation failed due to: ‘Connection refused: connect‘安卓studio端口占用
- 7. zabbix5.0通過agent監控winserve12
- 8. IT行業UI前景、潛力如何?
- 9. Mac Swig 3.0.12 安裝
- 10. Windows上FreeRDP-WebConnect是一個開源HTML5代理,它提供對使用RDP的任何Windows服務器和工作站的Web訪問
歡迎關注本站公眾號,獲取更多信息
相關文章
- 1. 如何使用curl訪問k8s的apiserver
- 2. openshift 使用curl命令訪問apiserver
- 3. K8S的APISERVER,https訪問
- 4. K8S的APISERVER,應用了HTTPS之後,命令行如何訪問?
- 5. k8s :kube-apiserver 訪問 etcd 後端存儲
- 6. Kubernetes11--Java訪問apiserver
- 7. 使用curl,libcurl訪問Https
- 8. php使用curl訪問https
- 9. 九析帶你用 curl 輕鬆完爆 k8s apiserver
- 10. kubernetes使用http rest api訪問集羣之使用postman工具訪問 apiserver