Right after installing k8s, I can use kubectl on the master node to manage the cluster's resources.
At that point k8s's user and permission management is invisible, but kubectl has been authenticating on every request: kubeadm writes the credentials of the kubernetes-admin user into the kubectl config file
/etc/kubernetes/admin.conf, and kubectl reads them from there (via $KUBECONFIG or ~/.kube/config).
The account currently in use can be shown with:
```bash
root@k8s-master:~/.docker$ kubectl config view --minify --output 'jsonpath={.users[*].name}'
kubernetes-admin
```
If we copy this config to another machine, that machine can also use kubectl as kubernetes-admin.
Reference:
K8S - 用kubectl远程访问内网的k8s集群 (K8S - accessing an intranet k8s cluster remotely with kubectl)
But kubernetes-admin is a special identity, not a service account. Kubernetes has no User object: kubernetes-admin is simply the CN of the X.509 client certificate stored in admin.conf (client-certificate-data / client-key-data), which kubeadm issues with organization system:masters. That group is bound to the cluster-admin ClusterRole by a binding the API server re-creates automatically if it is deleted, and the API server has no certificate revocation, so anyone holding a copy of admin.conf is cluster-admin until the cluster CA is rotated. A service account, by contrast, is a real API object: its tokens can be deleted and it has exactly the permissions RBAC grants it, starting from none.
This post shows how to switch kubectl to a service account instead.
Create a namespace

```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: my-namespace
```
Create a service account

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: sa-admin
  namespace: my-namespace
```
Check the service account that was created

```bash
gateman@MoreFine-S500: service-account$ kubectl get sa -n my-namespace
NAME       SECRETS   AGE
default    1         80m
sa-admin   1         23s
```
Get the token

On this cluster (v1.23.6, see the kubectl get nodes output at the end) creating a service account also creates a secret of type kubernetes.io/service-account-token that holds a long-lived JWT for it. Note that since Kubernetes 1.24 this secret is no longer created automatically: use `kubectl create token sa-admin -n my-namespace` to mint a short-lived, expiring token instead, or create a Secret of that type annotated with kubernetes.io/service-account.name by hand if you really need a token that never expires.

```bash
gateman@MoreFine-S500: clusterolebinding$ kubectl get secret -n my-namespace
NAME                   TYPE                                  DATA   AGE
default-token-gshz4    kubernetes.io/service-account-token   3      94m
sa-admin-token-vrvcv   kubernetes.io/service-account-token   3      14m
```
The secret's name can be read from the service account object:

```bash
gateman@MoreFine-S500: service-account$ kubectl get serviceaccount sa-admin -n my-namespace -o jsonpath='{.secrets[0].name}'
sa-admin-token-vrvcv
```
The token value (a bearer JWT with no expiry, so treat it like a password) is obtained with:

```bash
kubectl get secret sa-admin-token-vrvcv -n my-namespace -o jsonpath='{.data.token}' | base64 --decode
```
Check which kubectl config file is currently in use

```bash
gateman@MoreFine-S500: clusterolebinding$ echo $KUBECONFIG
/home/gateman/conf/admin.conf
```

Back it up while we are at it

```bash
gateman@MoreFine-S500: clusterolebinding$ cp /home/gateman/conf/admin.conf /home/gateman/conf/k8s-admin.conf
```
Prepare the config file
k8s-sa-admin.conf

```yaml
apiVersion: v1
kind: Config
clusters:
- cluster:
    certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUxxx
    server: https://34.142.35.168:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    namespace: my-namespace
    user: sa-admin
  name: sa-admin@kubernetes
current-context: sa-admin@kubernetes
users:
- name: sa-admin
  user:
    token: eyJhbGciOiJSUzI1NiIsImtpZCI6InRNZFxxxx
```

The cluster's certificate-authority-data can be copied straight from the default k8s config: it is only the CA the client uses to verify the API server, not a secret. Do not copy client-certificate-data or client-key-data from admin.conf, since those are the kubernetes-admin credential. What has to change are the contexts and users entries, which now name our new service account; the token is obtained as shown above. Because the file contains a bearer token, keep it readable by its owner only (chmod 600).
Use this config file

Simple: just point the KUBECONFIG environment variable at it

```bash
export KUBECONFIG=/home/gateman/conf/k8s-sa-admin.conf
```
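The whole token-to-kubeconfig step can be scripted. The script below is an added example, not code from the original post: it decodes the token's payload to confirm the `sub` claim really is `system:serviceaccount:<namespace>:<name>` (the usual mistake is pasting the token of default-token-xxxx instead of sa-admin's), then writes the kubeconfig with owner-only permissions. The token, CA data and file names are constructed stand-ins; the token is unsigned and would be rejected by any real API server. The kubectl commands in the comments show where the real values come from.

```sh
#!/bin/sh
# Added example: build a kubeconfig for a service account from its token,
# after checking that the token really names the expected service account.
# All values at the bottom are constructed stand-ins, not from a real cluster.

# base64url -> raw bytes. JWT segments drop the '=' padding, GNU base64 -d wants it.
b64url_decode() {
  s=$1
  case $(( ${#s} % 4 )) in
    2) s="${s}==" ;;
    3) s="${s}=" ;;
  esac
  printf '%s' "$s" | tr -- '-_' '+/' | base64 -d
}

# Print the "sub" claim of a service-account JWT (the second dot-separated segment).
# The signature is NOT verified here; only the API server can do that. This only
# tells you which identity the token names: system:serviceaccount:<ns>:<sa>.
sa_token_sub() {
  payload=$(printf '%s' "$1" | cut -d. -f2)
  b64url_decode "$payload" | sed -n 's/.*"sub":"\([^"]*\)".*/\1/p'
}

# Write a token-auth kubeconfig for the service account.
# Args: server ca_data(base64) token namespace sa_name output_path
write_sa_kubeconfig() {
  server=$1; ca=$2; token=$3; ns=$4; sa=$5; out=$6
  expected="system:serviceaccount:${ns}:${sa}"
  actual=$(sa_token_sub "$token")
  if [ "$actual" != "$expected" ]; then
    echo "token subject '$actual' is not '$expected' (wrong secret?)" >&2
    return 1
  fi
  umask 077   # the file holds a bearer token: owner-only permissions
  cat > "$out" <<EOF
apiVersion: v1
kind: Config
clusters:
- cluster:
    certificate-authority-data: ${ca}
    server: ${server}
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    namespace: ${ns}
    user: ${sa}
  name: ${sa}@kubernetes
current-context: ${sa}@kubernetes
users:
- name: ${sa}
  user:
    token: ${token}
EOF
}

# --- constructed demo input: a fake, unsigned token carrying the claims a
#     legacy service-account token has. Any real API server rejects it. ---
b64url() { base64 | tr -d '\n=' | tr '+/' '-_'; }
DEMO_HEADER=$(printf '%s' '{"alg":"RS256","kid":"demo"}' | b64url)
DEMO_PAYLOAD=$(printf '%s' '{"iss":"kubernetes/serviceaccount","kubernetes.io/serviceaccount/namespace":"my-namespace","kubernetes.io/serviceaccount/service-account.name":"sa-admin","sub":"system:serviceaccount:my-namespace:sa-admin"}' | b64url)
DEMO_TOKEN="${DEMO_HEADER}.${DEMO_PAYLOAD}.c2lnbmF0dXJl"
DEMO_CA=$(printf 'demo-ca' | base64)

# Real usage: take the values from the cluster instead of the stand-ins, e.g.
#   TOKEN=$(kubectl get secret sa-admin-token-vrvcv -n my-namespace -o jsonpath='{.data.token}' | base64 -d)
#   CA=$(kubectl config view --raw -o jsonpath='{.clusters[0].cluster.certificate-authority-data}')
#   SERVER=$(kubectl config view --raw -o jsonpath='{.clusters[0].cluster.server}')
write_sa_kubeconfig "https://34.142.35.168:6443" "$DEMO_CA" "$DEMO_TOKEN" \
  my-namespace sa-admin ./k8s-sa-admin.conf
```

The subject check is cheap insurance: the `.secrets[0].name` lookup and the `kubectl get secret` step are easy to mix up across namespaces, and a kubeconfig that silently carries the wrong token only shows up later as a confusing Forbidden.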
Test

Note that a freshly created service account has no RBAC permissions at all: every request below would be answered with Forbidden until a Role or ClusterRole is bound to it. The output below shows sa-admin listing pods in every namespace and listing nodes, which means a cluster-wide binding (a ClusterRoleBinding, not shown in this post) had already been granted to it. You can ask what the current identity may do with `kubectl auth can-i list nodes` before relying on it.

```bash
gateman@MoreFine-S500: clusterolebinding$ kubectl get pods
No resources found in my-namespace namespace.
gateman@MoreFine-S500: clusterolebinding$ kubectl get pods --all-namespaces
NAMESPACE       NAME                                          READY   STATUS      RESTARTS        AGE
default         deployment-bq-api-service-6f6ffc7866-58drw    1/1     Running     5 (5d23h ago)   11d
default         deployment-bq-api-service-6f6ffc7866-8djx9    1/1     Running     6 (5d23h ago)   31d
default         deployment-bq-api-service-6f6ffc7866-mxwcq    1/1     Running     16 (5d23h ago)  75d
default         deployment-bq-api-service-6f6ffc7866-x8pl6    1/1     Running     3 (5d23h ago)   11d
default         deployment-cloud-order-5f46d97659-2d7nk       1/1     Running     0               22h
default         deployment-cloud-order-5f46d97659-j7dj8       1/1     Running     0               22h
default         deployment-cloud-order-5f46d97659-w7xlf       1/1     Running     0               22h
default         deployment-fluentd-test-56bd589c6-dptxl       1/1     Running     1 (5d23h ago)   6d
default         dns-test                                      0/1     Completed   0               28d
ingress-nginx   ingress-nginx-controller-72dmb                1/1     Running     17 (5d23h ago)  82d
kube-flannel    kube-flannel-ds-5xtgt                         1/1     Running     24 (5d23h ago)  190d
kube-flannel    kube-flannel-ds-7swr2                         1/1     Running     36 (5d23h ago)  190d
kube-flannel    kube-flannel-ds-jwb9x                         1/1     Running     32 (5d23h ago)  190d
kube-flannel    kube-flannel-ds-tqt98                         1/1     Running     27 (5d23h ago)  183d
kube-system     coredns-64897985d-7bgqz                       1/1     Running     16 (5d23h ago)  79d
kube-system     coredns-64897985d-pzkzx                       1/1     Running     3 (5d23h ago)   11d
kube-system     etcd-k8s-master                               1/1     Running     32 (5d23h ago)  203d
kube-system     kube-apiserver-k8s-master                     1/1     Running     34 (5d23h ago)  203d
kube-system     kube-controller-manager-k8s-master            1/1     Running     32 (5d23h ago)  203d
kube-system     kube-proxy-68qst                              1/1     Running     34 (5d23h ago)  203d
kube-system     kube-proxy-fb5zf                              1/1     Running     26 (5d23h ago)  183d
kube-system     kube-proxy-r5f7w                              1/1     Running     25 (5d23h ago)  203d
kube-system     kube-proxy-rvj7c                              1/1     Running     32 (5d23h ago)  203d
kube-system     kube-scheduler-k8s-master                     1/1     Running     32 (5d23h ago)  203d
gateman@MoreFine-S500: clusterolebinding$ kubectl get nodes
NAME         STATUS   ROLES                  AGE    VERSION
k8s-master   Ready    control-plane,master   203d   v1.23.6
k8s-node0    Ready    <none>                 203d   v1.23.6
k8s-node1    Ready    <none>                 203d   v1.23.6
k8s-node3    Ready    <none>                 183d   v1.23.6
```
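The post does not show the binding that gives sa-admin these rights. As an added example (not from the original post), the first manifest below is the kind of binding the output above implies, assuming it was made to the built-in cluster-admin ClusterRole: it turns a never-expiring token into a second cluster-admin credential, which is exactly what switching away from admin.conf was meant to avoid. The second manifest is the least-privilege alternative for a service account that only needs to work inside my-namespace; binding names are assumed.

```yaml
# Added example. Assumed binding that reproduces the test output above:
# a cluster-wide grant. Do NOT apply this half unless you really mean it.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: sa-admin-cluster-admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: sa-admin
  namespace: my-namespace
---
# Least-privilege alternative: read-only (built-in "view" ClusterRole), and only
# inside my-namespace because it is bound with a RoleBinding, not a
# ClusterRoleBinding. With this, "kubectl get pods" in my-namespace works, while
# "kubectl get pods --all-namespaces" and "kubectl get nodes" return Forbidden.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: sa-admin-view
  namespace: my-namespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: view
subjects:
- kind: ServiceAccount
  name: sa-admin
  namespace: my-namespace
```

After applying only the RoleBinding, `kubectl auth can-i list nodes` under the sa-admin context answers no, and `kubectl auth can-i list pods -n my-namespace` answers yes; swap view for the built-in edit ClusterRole if the account also has to create or delete workloads in that namespace.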
Done!