• Kubernetes Service Account如何生成Token


    Service Account是运行pods用到的帐号,默认是default。如果apiserver启动配置--admission-control=ServiceAccount,Service Account就要生成Token才能启动pods或者连接apiserver进行操作。下面讲讲如何把默认Service Account(default)生成Token。

    1,生成serviceaccount.key

    openssl genrsa -out ./serviceaccount.key 2048

    2,配置并重启controller-manager

    vi /etc/kubernetes/controller-manager
    KUBE_CONTROLLER_MANAGER_ARGS="--service-account-private-key-file=./serviceaccount.key"

    3,创建secret.json

    {
        "kind": "Secret",
        "apiVersion": "v1",
        "metadata": {
            "name": "default-secret",
            "annotations": {
                "kubernetes.io/service-account.name": "default"
            }
        },
        "type": "kubernetes.io/service-account-token"
    }
    kubectl create -f ./secret.json
    kubectl describe secret default-secret

    执行上面命令生成secret/default-secret

    4,Token生成成功

    kubectl describe secret/default-secret
    Name:         default-secret
    Namespace:    default
    Labels:       <none>
    Annotations:  kubernetes.io/service-account.name=default
                  kubernetes.io/service-account.uid=0267460c-2902-11e8-a221-00163e088d17
    
    Type:  kubernetes.io/service-account-token
    
    Data
    ====
    namespace:  7 bytes
    token:      eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImRlZmF1bHQtc2VjcmV0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6ImRlZmF1bHQiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiIwMjY3NDYwYy0yOTAyLTExZTgtYTIyMS0wMDE2M2UwODhkMTciLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6ZGVmYXVsdDpkZWZhdWx0In0.UCRU7OnKMC1oaY4vRntWmsKBQasEKBDoGzxNdGdTGqhcO0JV-kOEXjms1h80vvtxPj7930LPkpvXOYnwiST1Z73zf4z7DrKlAYuF-TKwWncJyKbYwskS4nONeAzxpzWJO7YTGnQPZHOwORQ3UMtW5_G12vrB4t43Cig15-6wRLDU4S_evkUh4lQeesAf1Uncy4SuNxHbLdiA1UfFWOf9xNd1BuPpKZ4jOrUQ9El1dYEHdpXrDgV5s6Wp2GWpWtZnb1R-HEtlISAgqwi5tA_ZvQiS0oKFzacxaSzwKOzla4hhkY5B9W8Y62_g5AuMqCff5fDils8HyQE-M7qpNoFbSg

     Token与Service Account关联成功

    # kubectl get Serviceaccount
    NAME      SECRETS   AGE
    default   1         24d

    这配置可以解决创建rc或pod时报错,Error creating: No API token found for service account "default", retry after the token is automatically created and added to the service account

  • 相关阅读:
    Web前端开发工程师编程能力飞升之路
    commonJSAMDCMD
    js正则替换十六进制
    JS获取粘贴内容
    ajax跨域访问总结
    需要坚持,能写出自己满意的内容
    【新年献词】我们是南方周末,我们三十而立
    iOS: 动态更改 backBarButtonItem 的 title
    iOS: 计算 UIWebView 的内容高度
    iOS: 在键盘之上显示一个 View
  • 原文地址:https://www.cnblogs.com/birdstudio/p/8780043.html
Copyright © 2020-2023  润新知