Every time a new namespace is created, a ServiceAccount named default is generated in it, together with a token secret named default-token-xxxxx.
The SA is effectively an account that belongs to that Namespace.
```console
[root@ysla manifests]# kubectl api-versions
admissionregistration.k8s.io/v1
apiextensions.k8s.io/v1
apiregistration.k8s.io/v1
apps/v1
authentication.k8s.io/v1
authorization.k8s.io/v1
autoscaling/v1
autoscaling/v2
......
```

```console
[root@ysla ~]# kubectl get sa
NAME      SECRETS   AGE
default   1         21d
```
sa is the short name for ServiceAccount:

```console
[root@ysla ~]# kubectl get serviceaccount
NAME      SECRETS   AGE
default   1         21d
```
A ServiceAccount is the account concept inside k8s. Below is a more detailed view: the default SA in the default namespace references the token secret default-token-lbv9p.

```console
[root@ysla ~]# kubectl get sa default -o yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  creationTimestamp: "2022-03-24T03:01:17Z"
  name: default
  namespace: default
  resourceVersion: "411"
  uid: 58639dbd-7486-4c03-a492-c62f612cca96
secrets:
- name: default-token-lbv9p
```

```console
[root@ysla ~]# kubectl get secrets
NAME                  TYPE                                  DATA   AGE
default-token-lbv9p   kubernetes.io/service-account-token   3      21d

[root@ysla ~]# kubectl get secrets default-token-lbv9p
NAME                  TYPE                                  DATA   AGE
default-token-lbv9p   kubernetes.io/service-account-token   3      21d
```
Appending -oyaml prints the secret in YAML format. You can see that the secret stores the cluster CA certificate (ca.crt) and that the SA's token is stored in this secret; the token carries the identity information the cluster uses for authentication, so whoever holds the token can call the k8s cluster with that SA's permissions.

```console
[root@ysla ~]# kubectl get secrets default-token-lbv9p -oyaml
apiVersion: v1
data:
  ca.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUMvakNDQWVhZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwcmRXSmwKY201bGRHVnpNQjRYRFRJeU1ETXlOREF6TURBME4xb1hEVE15TURNeU1UQXpNREEwTjFvd0ZURVRNQkVHQTFVRQpBeE1LYTNWaVpYSnVaWFJsY3pDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBTGJVCkhJL2hNSTBYOWxvVlV2anhqRWhmOTZuYVNUVUpQbVVPdHFnMUNUZ1J4RVpXRDlDbU5YZXZJRGxYQTBRZTBpQXAKcHVndnhHNG14UHMveWRwd3VKU081bllVam9wN2lwMy85VlJNM1g0eU5hMnFJWTdtTUEwRUd3OHpHd3FSK1E3TApDdmIzN1o4bUhhOFRhNGVUOW5JYk1RUXJnRXRWd1UxTVk3ZlB3enJMckRJWDVpL1NxVVJkQWsvNVE2bjM3ZUFvCmhuK0dUeDM0T2I4TXlPZDNRajZhZkt5b21QVWJoSXZjVWNEMk8rUmZBSjdLeCtXU0lHVGtNREM4TU1lL1EvdXUKbll2cm5wWlJ6TUpuSFg5QlVlRzlMWTh0SHhwTnJVQVRiaHNDem9QN213WEUyci8vWStCMDJTYVJIek9kYzc4MApwUmVXblh2M3hqWlZZaEY4ZGJjQ0F3RUFBYU5aTUZjd0RnWURWUjBQQVFIL0JBUURBZ0trTUE4R0ExVWRFd0VCCi93UUZNQU1CQWY4d0hRWURWUjBPQkJZRUZMYXZWdjVsdFd1UzJzbVluZXVsTFptdGhkWmdNQlVHQTFVZEVRUU8KTUF5Q0NtdDFZbVZ5Ym1WMFpYTXdEUVlKS29aSWh2Y05BUUVMQlFBRGdnRUJBQ0MrN0FhNVJPRkJ5TEN0VjlpbgpSeW5FUytWbUdUYmxzeFZ5Nk5VN1FKM3F0OTdDbTZQVkhBM1hTelBqWkJEbVhyeXAvaFFqeDRjcFFCalZUZ0ZFCnNhMnQvTlNTZVJsRG02eG1NUnZWalUyVllYTUdDeWRmZGhoSjU0QTRyR25mRnJDQ1lpOGcvUjVGZldjb0Zib1gKdjhrUFFadmF5SVJlaXhhQ1pvUFQ3b0M1cXdjRjRucjhoS2NWOWVXMCtJMkVQZGJSSkxBdDVVRDJCaUdKVFhORwo4cHN0Z3RrRWxjWTU3MzZNeDArNTNwRnRXVC92SFJFOE1wUXhqKysxRkloREI4VzNsSjluVm9MYzR3cmlNNE81ClQvOHdOYWh0dHB6QmF6elpTdnNXcERLeEFGcGRza25MdkpWemh2azJ5YkI4eGpoSzlBOXpvc3dJQzNVd0FXYWoKZUpvPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
  namespace: ZGVmYXVsdA==
  token: <token value omitted>
kind: Secret
metadata:
  annotations:
    kubernetes.io/service-account.name: default
    kubernetes.io/service-account.uid: 58639dbd-7486-4c03-a492-c62f612cca96
  creationTimestamp: "2022-03-24T03:01:17Z"
  name: default-token-lbv9p
  namespace: default
  resourceVersion: "408"
  uid: 84e7efe6-6841-436e-a6b7-0cca69d29f0b
type: kubernetes.io/service-account-token
```
Use the following command to grant this ServiceAccount administrator permissions on the Namespace (a RoleBinding that binds the built-in admin ClusterRole to the SA), then read its token out of the secret:

```console
[root@ysla ~]# kubectl create rolebinding admin --clusterrole=admin --serviceaccount=default:default --namespace=default
rolebinding.rbac.authorization.k8s.io/admin created

[root@ysla ~]# TOKEN=$(kubectl describe secret $(kubectl get secrets | grep default | cut -f1 -d ' ') | grep -E '^token' | cut -f2 -d':' | tr -d ' ')
[root@ysla ~]# echo $TOKEN
eyJhbGciOiJSUzI1NiIsImtpZCI6Ik9oR0pra1VUTFZ6WHVxSjR1bUQ0NExKdmV3MEMwTkc3TXptZVJyYVBENHMifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImRlZmF1bHQtdG9rZW4tbGJ2OXAiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiZGVmYXVsdCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjU4NjM5ZGJkLTc0ODYtNGMwMy1hNDkyLWM2MmY2MTJjY2E5NiIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpkZWZhdWx0OmRlZmF1bHQifQ.TuUUR51gehEIK-3Q1-O8MYiAwO75j5ReTIFZSI4X7XPY2JskQKKifUmXIPYo6vHzqT3NxRSsUlxwEFnosG2OV48MeGegHBnEy7GvD0z97ak7LVngNMO0tkxt6uzssvdMoPLQrwVc3gpsYr7epOJDq9wRGCP5ekNB-loAwNctODjTJFKiSHSPB6xjDKL-JD50eS6KAexCb5dFIKqASjcJcxoczB_yJL3W2Hol8bQl40GtU1Q_BRgFUb6mQRJGGV0j6HASmCZkfUv6dUeqOduSsEpveP02W2RyC_4oGccjSZJGouhGwPAEjXI6gOT4G-vVNax6-0y6hBCUPD_9r7GxoQ
```
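The token above is a JWT, so the identity it carries can be read without the cluster. The following script is an added example (not part of the original page): it decodes the payload segment and pulls out individual claims with plain sed, using a constructed sample token whose claims follow the same layout as the legacy default-token secret; the signature is not checked, so this is for inspection only.

```shell
#!/bin/sh
# Inspect a Kubernetes service-account JWT (example code; signature is NOT verified).
set -e

b64url_enc() { base64 | tr -d '\n=' | tr '+/' '-_'; }

# Print the decoded JSON payload (second dot-separated segment) of a JWT.
jwt_payload() {
  seg=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  case $(( ${#seg} % 4 )) in          # restore base64 padding stripped by base64url
    2) seg="${seg}==" ;;
    3) seg="${seg}=" ;;
  esac
  printf '%s' "$seg" | base64 -d
}

# Extract one string-valued claim; '#' is the sed delimiter because claim names contain '/'.
jwt_claim() {
  jwt_payload "$1" | sed -n "s#.*\"$2\":\"\([^\"]*\)\".*#\1#p"
}

# Constructed sample token (not a real credential); claim names mirror those the
# page's default-token secret carries, the third segment is a dummy signature.
SAMPLE_PAYLOAD='{"iss":"kubernetes/serviceaccount","kubernetes.io/serviceaccount/namespace":"default","kubernetes.io/serviceaccount/secret.name":"default-token-lbv9p","kubernetes.io/serviceaccount/service-account.name":"default","sub":"system:serviceaccount:default:default"}'
SAMPLE_TOKEN="$(printf '%s' '{"alg":"RS256","kid":"example"}' | b64url_enc).$(printf '%s' "$SAMPLE_PAYLOAD" | b64url_enc).dummysig"

jwt_payload "$SAMPLE_TOKEN"; echo
echo "subject:   $(jwt_claim "$SAMPLE_TOKEN" sub)"
echo "namespace: $(jwt_claim "$SAMPLE_TOKEN" kubernetes.io/serviceaccount/namespace)"
```

Run it against `$TOKEN` from the session above by replacing `SAMPLE_TOKEN`; the `sub` claim is exactly the user name that shows up in the 403 message later on the page.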
Get the apiserver address; by default it listens on port 6443:

```console
[root@ysla ~]# APISERVER=$(kubectl config view | grep https | cut -f 2- -d ":" | tr -d " ")
[root@ysla ~]# echo $APISERVER
https://172.20.10.3:6443

[root@ysla ~]# ss -lnp | grep 6443
tcp   LISTEN   0   128   :::6443   :::*   users:(("kube-apiserver",pid=18142,fd=7))
```
Under normal circumstances this returns a 403 Forbidden error, indicating that the SA has no permission:

```console
[root@ysla ~]# curl $APISERVER/api/v1/namespaces/default/pods --header "Authorization:Bearer $TOKEN" --insecure

{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {},
  "status": "Failure",
  "message": "pods is forbidden: User \"system:serviceaccount:default:default\" cannot list resource \"pods\" in API group \"\" in the namespace \"default\"",
  "reason": "Forbidden",
  "details": {
    "kind": "pods"
  },
  "code": 403
}
```
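The RoleBinding created above and the 403 check can be expressed declaratively and verified before any pod uses the token. This script is an added example (not from the original page): `rolebinding_yaml` emits the manifest equivalent of the `kubectl create rolebinding admin --clusterrole=admin --serviceaccount=default:default` command, `sa_user` builds the RBAC user name that appears in the 403 message, and `sa_can_i` asks the API server what that SA may do via kubectl impersonation; the helper names are hypothetical, and kubectl is only needed when you pass `apply`. Keep in mind that binding admin to the default SA grants it to every pod in the namespace that does not set its own serviceAccountName.

```shell
#!/bin/sh
# Declarative RoleBinding plus a permission check for a service account (example code).
set -e

# Manifest granting the built-in ClusterRole "admin" inside namespace $1 to SA $2.
# Because it is a RoleBinding (not a ClusterRoleBinding), the grant stays namespace-scoped.
rolebinding_yaml() {
  ns=$1; sa=$2
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: admin
  namespace: $ns
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: admin
subjects:
- kind: ServiceAccount
  name: $sa
  namespace: $ns
EOF
}

# RBAC user name of a service account, as printed in the apiserver's 403 message.
sa_user() { printf 'system:serviceaccount:%s:%s' "$1" "$2"; }

# Ask the apiserver whether the SA may VERB RESOURCE in NS (prints yes/no).
# Uses kubectl impersonation, so the caller's kubeconfig must allow "impersonate".
sa_can_i() {
  ns=$1; sa=$2; verb=$3; res=$4
  kubectl auth can-i "$verb" "$res" --namespace "$ns" --as "$(sa_user "$ns" "$sa")"
}

if [ "${1:-}" = "apply" ]; then
  sa_can_i default default list pods || true      # expected "no" before the binding
  rolebinding_yaml default default | kubectl apply -f -
  sa_can_i default default list pods             # expected "yes" afterwards
fi
```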
```console
[root@ysla ~]# kubectl api-resources
NAME SHORTNAMES APIVERSION NAMESPACED KIND
bindings v1 true Binding
componentstatuses cs v1 false ComponentStatus
configmaps cm v1 true ConfigMap
endpoints ep v1 true Endpoints
events ev v1 true Event
limitranges limits v1 true LimitRange
namespaces ns v1 false Namespace
nodes no v1 false Node
persistentvolumeclaims pvc v1 true PersistentVolumeClaim
persistentvolumes pv v1 false PersistentVolume
pods po v1 true Pod
podtemplates v1 true PodTemplate
replicationcontrollers rc v1 true ReplicationController
resourcequotas quota v1 true ResourceQuota
secrets v1 true Secret
serviceaccounts sa v1 true ServiceAccount
services svc v1 true Service
mutatingwebhookconfigurations admissionregistration.k8s.io/v1 false MutatingWebhookConfiguration
validatingwebhookconfigurations admissionregistration.k8s.io/v1 false ValidatingWebhookConfiguration
customresourcedefinitions crd,crds apiextensions.k8s.io/v1 false CustomResourceDefinition
apiservices apiregistration.k8s.io/v1 false APIService
controllerrevisions apps/v1 true ControllerRevision
daemonsets ds apps/v1 true DaemonSet
deployments deploy apps/v1 true Deployment
replicasets rs apps/v1 true ReplicaSet
statefulsets sts apps/v1 true StatefulSet
tokenreviews authentication.k8s.io/v1 false TokenReview
localsubjectaccessreviews authorization.k8s.io/v1 true LocalSubjectAccessReview
selfsubjectaccessreviews authorization.k8s.io/v1 false SelfSubjectAccessReview
selfsubjectrulesreviews authorization.k8s.io/v1 false SelfSubjectRulesReview
subjectaccessreviews authorization.k8s.io/v1 false SubjectAccessReview
horizontalpodautoscalers hpa autoscaling/v2 true HorizontalPodAutoscaler
cronjobs cj batch/v1 true CronJob
jobs batch/v1 true Job
certificatesigningrequests csr certificates.k8s.io/v1 false CertificateSigningRequest
leases coordination.k8s.io/v1 true Lease
endpointslices discovery.k8s.io/v1 true EndpointSlice
events ev events.k8s.io/v1 true Event
flowschemas flowcontrol.apiserver.k8s.io/v1beta2 false FlowSchema
prioritylevelconfigurations flowcontrol.apiserver.k8s.io/v1beta2 false PriorityLevelConfiguration
ingressclasses networking.k8s.io/v1 false IngressClass
ingresses ing networking.k8s.io/v1 true Ingress
networkpolicies netpol networking.k8s.io/v1 true NetworkPolicy
runtimeclasses node.k8s.io/v1 false RuntimeClass
poddisruptionbudgets pdb policy/v1 true PodDisruptionBudget
podsecuritypolicies psp policy/v1beta1 false PodSecurityPolicy
clusterrolebindings rbac.authorization.k8s.io/v1 false ClusterRoleBinding
clusterroles rbac.authorization.k8s.io/v1 false ClusterRole
rolebindings rbac.authorization.k8s.io/v1 true RoleBinding
roles rbac.authorization.k8s.io/v1 true Role
priorityclasses pc scheduling.k8s.io/v1 false PriorityClass
csidrivers storage.k8s.io/v1 false CSIDriver
csinodes storage.k8s.io/v1 false CSINode
csistoragecapacities storage.k8s.io/v1beta1 true CSIStorageCapacity
storageclasses sc storage.k8s.io/v1 false StorageClass
volumeattachments storage.k8s.io/v1 false VolumeAttachment
```