方法一,使用kubectl直接创建serviceaccount
1.创建serviceaccount
bash
kubectl create serviceaccount my-serviceaccount -n test-deploy-ns-20260113171918- 绑定角色
bash
kubectl create clusterrolebinding my-clusterrolebinding --clusterrole=cluster-admin --serviceaccount=test-deploy-ns-20260113171918:my-serviceaccount- 创建Secret
yaml
# sa-token.yaml
apiVersion: v1
kind: Secret
metadata:
name: my-user-token
namespace: test-deploy-ns-20260113171918
annotations:
kubernetes.io/service-account.name: my-serviceaccount
type: kubernetes.io/service-account-token
bash
kubectl apply -f sa-token.yaml- 获取token
bash
kubectl get secret my-user-token -n test-deploy-ns-20260113171918 -o jsonpath='{.data.token}' | base64 --decode或者使用describe
bash
kubectl describe secret my-user-token方法二,使用yaml创建
- 创建serviceaccount my-serviceaccount.yaml
yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: my-serviceaccount
namespace: default- 创建ClusterRoleBinding my-clusterrolebinding.yaml
yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: my-clusterrolebinding
namespace: default
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: ServiceAccount
name: my-serviceaccount
namespace: default- 创建secret my-user-token.yaml
yaml
apiVersion: v1
kind: Secret
metadata:
name: my-user-token
namespace: default
annotations:
kubernetes.io/service-account.name: my-serviceaccount
type: kubernetes.io/service-account-token- apply上述三个yaml
bash
kubectl apply -f my-serviceaccount.yaml
kubectl apply -f my-clusterrolebinding.yaml
kubectl apply -f my-user-token.yaml-
获取token
kubectl describe secret my-user-token
-
打印如下输出,则表示创建成功
Name: my-user-token
Namespace: default
Labels:
Annotations: kubernetes.io/service-account.name: my-serviceaccount
kubernetes.io/service-account.uid: xxxx-xxxxType: kubernetes.io/service-account-token
Data
ca.crt: 1107 bytes
namespace: 7 bytes
token: xxxxxxxxxxxxxxxxxx