Error authenticating to the Kubernetes API server

Votes: 0, Answers: 1

Question: I have a Java module that sits outside a Kubernetes cluster I created locally. I want to authenticate my Java module to the API server using a service account rather than a kubeconfig file.

What I tried: I used the io.kubernetes library to authenticate my Java module to the API server:

import io.kubernetes.client.openapi.ApiClient;
import io.kubernetes.client.openapi.ApiException;
import io.kubernetes.client.openapi.apis.CoreV1Api;
import io.kubernetes.client.openapi.models.V1PodList;
import io.kubernetes.client.util.ClientBuilder;
import io.kubernetes.client.util.credentials.AccessTokenAuthentication;

public class Auth {
    // url: the API server endpoint (https://<host>:<port>); token: the service account's bearer token
    public Auth(String url, String token) throws Exception {
        boolean validateSSL = true;
        // Send the token as "Authorization: Bearer <token>" on every request
        AccessTokenAuthentication authentication = new AccessTokenAuthentication(token);
        ApiClient client = ClientBuilder
                .standard()
                .setBasePath(url)
                .setAuthentication(authentication)
                .setVerifyingSsl(validateSSL)
                .build();
        CoreV1Api api = new CoreV1Api(client);

        try {
            V1PodList podList = api.listPodForAllNamespaces(null, null, null, null, null, null, null, null, null, null);
            podList.getItems().forEach(pod -> System.out.println(pod.getMetadata().getName()));
        } catch (ApiException e) {
            // The API server's Status object is returned in the response body
            System.err.println("Error: " + e.getResponseBody());
        }
    }
}

In this code I replaced the token with the service account's token:

kubectl get secret -service-account-token -o=jsonpath='{.data.token}' | base64 --decode

I have also created a role binding for that service account so it can view the pods in the cluster:

kubectl create rolebinding service-account-default \
  --clusterrole=view \
  --serviceaccount=default:service-account \
  --namespace=default 

The problem is that when I run the code I get this error:

Error: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"Unauthorized","reason":"Unauthorized","code":401}

Tags: java kubernetes

1 Answer

0 votes

In outline:

  1. Create the Service Account
  2. Create a Secret (referencing the Service Account)
  3. Get the access token
  4. Fetch /api/namespaces from the API server
NAME="..."      # Service Account & Secret
NAMESPACE="..."

# Service Account
kubectl create serviceaccount ${NAME} \
--namespace=${NAMESPACE}

# Secret
echo "
apiVersion: v1
kind: Secret
metadata:
  name: \"${NAME}\"
  namespace: \"${NAMESPACE}\"
  annotations:
    kubernetes.io/service-account.name: \"${NAME}\"
type: kubernetes.io/service-account-token
" | kubectl apply --filename=-

# Get Access Token
TOKEN=$(\
  kubectl get secret ${NAME} \
  --namespace=${NAMESPACE} \
  --output=jsonpath='{.data.token}' \
  | base64 --decode) \
&& echo ${TOKEN}

# Get API Server endpoint
kubectl cluster-info

API_SERVER="..." # something:16443

# curl it
curl \
--insecure \
--header "Authorization: Bearer ${TOKEN}" \
${API_SERVER}/api/v1/namespaces

If necessary, create:

  1. a ClusterRole, and
  2. a ClusterRoleBinding
echo "
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: \"${NAME}\"
rules:
- apiGroups: [\"\"] 
  resources: [\"namespaces\"]
  verbs: [\"get\", \"list\"]
" | kubectl apply --filename=-

echo "
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: \"${NAME}\"
subjects:
- kind: ServiceAccount
  name: \"${NAME}\"
  namespace: \"${NAMESPACE}\"
roleRef:
  kind: ClusterRole 
  name: \"${NAME}\"
  apiGroup: rbac.authorization.k8s.io
" | kubectl apply --filename=-
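As an added example (not code from the question, the answer or the io.kubernetes client), it helps to check offline that the bearer token from step 3 is what the API server expects before wiring it into the Java client or the curl call. A 401 Unauthorized means the token was not accepted as an identity at all; an RBAC problem (the RoleBinding the question creates) would surface as 403 Forbidden instead. The script below decodes the service-account JWT that `kubectl get secret ... | base64 --decode` prints, without verifying its signature (only the API server holds the key), and reports the usual causes of a 401: the value still base64-wrapped because `base64 --decode` was skipped, a string that is not a JWT, an expired token, or a `sub` claim naming a different namespace or service account than the binding refers to. The sample tokens, the `kid` value and the signature segment are constructed placeholders, not real cluster output.

```python
"""Offline sanity checks for a Kubernetes service-account bearer token.

Added example for this page; not code from the question, the answer or the
io.kubernetes client. Sample tokens are constructed here with a placeholder
signature, so nothing in this file needs a running cluster.
"""
import base64
import json
import time
from typing import List, Optional

SUB_PREFIX = "system:serviceaccount:"


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the padding JWTs strip off."""
    segment = segment.strip()
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_claims(token: str) -> dict:
    """Return the JWT payload as a dict; raise ValueError if the token is malformed.
    binascii.Error, JSONDecodeError and UnicodeDecodeError are all ValueError subclasses."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError(f"expected 3 dot-separated segments, found {len(parts)}")
    header = json.loads(_b64url_decode(parts[0]))
    if not isinstance(header, dict) or "alg" not in header:
        raise ValueError("JWT header has no 'alg' field")
    claims = json.loads(_b64url_decode(parts[1]))
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims


def check_service_account_token(token: str, namespace: str, name: str,
                                now: Optional[float] = None) -> List[str]:
    """Return the problems found. An empty list means the token is at least
    plausible for system:serviceaccount:<namespace>:<name>; the API server
    still has the final say because the signature is not checked here."""
    now = time.time() if now is None else now
    problems: List[str] = []
    token = token.strip()

    # Common copy/paste mistake: the value was taken straight from the Secret's
    # .data.token field without `base64 --decode`, so it is base64 of a JWT.
    if "." not in token:
        try:
            inner = base64.b64decode(token, validate=True).decode("ascii")
        except ValueError:
            inner = ""
        if inner.count(".") == 2:
            return ["token is still base64-encoded Secret data; pipe it through `base64 --decode`"]

    try:
        claims = decode_jwt_claims(token)
    except ValueError as exc:
        return [f"not a decodable JWT: {exc}"]

    expected_sub = f"{SUB_PREFIX}{namespace}:{name}"
    sub = claims.get("sub")
    if sub != expected_sub:
        problems.append(f"subject is {sub!r}, RoleBinding expects {expected_sub!r}")

    # Legacy Secret-based tokens carry no exp; TokenRequest (bound) tokens do.
    exp = claims.get("exp")
    if exp is not None and exp <= now:
        stamp = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(exp))
        problems.append(f"token expired at {stamp}")

    if "iss" not in claims:
        problems.append("token has no 'iss' claim; not a Kubernetes service-account token")
    return problems


def make_sample_token(namespace: str, name: str, exp: Optional[int] = None) -> str:
    """Build a constructed, UNSIGNED sample in the shape of a Kubernetes
    service-account JWT. The third segment is a placeholder, not a signature."""
    header = {"alg": "RS256", "kid": "constructed-example-kid"}
    claims = {
        "iss": "kubernetes/serviceaccount",
        "kubernetes.io/serviceaccount/namespace": namespace,
        "kubernetes.io/serviceaccount/service-account.name": name,
        "sub": f"{SUB_PREFIX}{namespace}:{name}",
    }
    if exp is not None:
        claims["exp"] = exp
    return ".".join([
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()),
        _b64url_encode(b"placeholder-signature"),
    ])


def as_secret_data(token: str) -> str:
    """Wrap a token the way the Secret's .data.token field stores it (standard base64)."""
    return base64.b64encode(token.encode("ascii")).decode("ascii")


if __name__ == "__main__":
    good = make_sample_token("default", "service-account")
    print("matching token:  ", check_service_account_token(good, "default", "service-account"))
    print("wrong namespace: ", check_service_account_token(good, "kube-system", "service-account"))
    print("still base64:    ", check_service_account_token(as_secret_data(good), "default", "service-account"))
    print("expired:         ", check_service_account_token(
        make_sample_token("default", "service-account", exp=1_600_000_000), "default", "service-account"))
```

Run it against a real token by replacing `good` with the output of the `TOKEN=$(...)` step and passing the namespace and service-account name used in the RoleBinding; an empty list narrows a 401 down to the server side (signature, deleted or rotated Secret, wrong API server endpoint).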