Question: I have a Java module that runs outside a Kubernetes cluster I created locally. I want to authenticate the Java module to the API server with a service account instead of a kubeconfig file.
What I have tried: I used the io.kubernetes library to authenticate my Java module to the API server
import io.kubernetes.client.openapi.ApiClient;
import io.kubernetes.client.openapi.ApiException;
import io.kubernetes.client.openapi.apis.CoreV1Api;
import io.kubernetes.client.openapi.models.V1PodList;
import io.kubernetes.client.util.ClientBuilder;
import io.kubernetes.client.util.credentials.AccessTokenAuthentication;

// url: the API server endpoint (for example https://host:6443); token: the service-account bearer token
public Auth(String url, String token) throws Exception {
    boolean validateSSL = true;
    // Sends the token as "Authorization: Bearer <token>" on every request
    AccessTokenAuthentication authentication = new AccessTokenAuthentication(token);
    ApiClient client = ClientBuilder
            .standard()
            .setBasePath(url)
            .setAuthentication(authentication)
            // Keep TLS verification on; for a self-signed cluster CA add .setCertificateAuthority(caPemBytes)
            .setVerifyingSsl(validateSSL)
            .build();
    CoreV1Api api = new CoreV1Api(client);
    try {
        // Ten-argument form of the generated client (client-java releases before the fluent request API)
        V1PodList podList = api.listPodForAllNamespaces(null, null, null, null, null, null, null, null, null, null);
        podList.getItems().forEach(pod -> System.out.println(pod.getMetadata().getName()));
    } catch (ApiException e) {
        // e.getCode() is the HTTP status: 401 = token not authenticated, 403 = authenticated but denied by RBAC
        System.err.println("Error: " + e.getResponseBody());
    }
}
In this code I replaced the token with the service account's token:
kubectl get secret -service-account-token -o=jsonpath='{.data.token}' | base64 --decode
I have created a role binding for this service account so that it can view the pods in the cluster:
kubectl create rolebinding service-account-default \
--clusterrole=view \
--serviceaccount=default:service-account \
--namespace=default
The problem is that when I run the code I get this error:
Error: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"Unauthorized","reason":"Unauthorized","code":401}
Summary (the target endpoint is /api/namespaces):
NAME="..." # Service Account & Secret
NAMESPACE="..."
# Service Account
kubectl create serviceaccount ${NAME} \
--namespace=${NAMESPACE}
# Secret (since Kubernetes 1.24 a token Secret is no longer created automatically, so create one explicitly)
echo "
apiVersion: v1
kind: Secret
metadata:
name: \"${NAME}\"
namespace: \"${NAMESPACE}\"
annotations:
kubernetes.io/service-account.name: \"${NAME}\"
type: kubernetes.io/service-account-token
" | kubectl apply --filename=-
# Get Access Token (the controller fills in .data.token shortly after the Secret is created)
TOKEN=$(\
kubectl get secret ${NAME} \
--namespace=${NAMESPACE} \
--output=jsonpath='{.data.token}' \
| base64 --decode) \
&& echo ${TOKEN}
# Get API Server endpoint
kubectl cluster-info
API_SERVER="..." # something:16443
# curl it (--insecure skips TLS verification of the API server; for anything beyond a quick test pass the cluster CA with --cacert instead)
curl \
--insecure \
--header "Authorization: Bearer ${TOKEN}" \
${API_SERVER}/api/v1/namespaces
If necessary, create a ClusterRole and ClusterRoleBinding:
echo "
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: \"${NAME}\"
rules:
- apiGroups: [\"\"]
resources: [\"namespaces\"]
verbs: [\"get\", \"list\"]
" | kubectl apply --filename=-
echo "
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: \"${NAME}\"
subjects:
- kind: ServiceAccount
name: \"${NAME}\"
namespace: \"${NAMESPACE}\"
roleRef:
kind: ClusterRole
name: \"${NAME}\"
apiGroup: rbac.authorization.k8s.io
" | kubectl apply --filename=-