k8s 创建token

方法一，使用kubectl直接创建serviceaccount

1.创建serviceaccount

kubectl create serviceaccount my-serviceaccount -n test-deploy-ns-20260113171918

2. 绑定角色

kubectl create clusterrolebinding my-clusterrolebinding --clusterrole=cluster-admin --serviceaccount=test-deploy-ns-20260113171918:my-serviceaccount

3. 创建Secret

# sa-token.yaml
apiVersion: v1
kind: Secret
metadata:
  name: my-user-token
  namespace: test-deploy-ns-20260113171918
  annotations:
    kubernetes.io/service-account.name: my-serviceaccount
type: kubernetes.io/service-account-token

kubectl apply -f sa-token.yaml

5. 获取token

kubectl get secret my-user-token -n test-deploy-ns-20260113171918 -o jsonpath='{.data.token}' | base64 --decode

或者使用describe

kubectl describe secret my-user-token

方法二，使用yaml创建

• 创建serviceaccount my-serviceaccount.yaml

apiVersion: v1
kind: ServiceAccount
metadata:
  name: my-serviceaccount
  namespace: default

• 创建ClusterRoleBinding my-clusterrolebinding.yaml

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: my-clusterrolebinding
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: my-serviceaccount
  namespace: default

• 创建secret my-user-token.yaml

apiVersion: v1
kind: Secret
metadata:
  name: my-user-token
  namespace: default
  annotations:
    kubernetes.io/service-account.name: my-serviceaccount
type: kubernetes.io/service-account-token

• apply上述三个yaml

kubectl apply -f my-serviceaccount.yaml
kubectl apply -f my-clusterrolebinding.yaml
kubectl apply -f my-user-token.yaml

• 获取token

  kubectl describe secret my-user-token

• 打印如下输出，则表示创建成功

  Name: my-user-token
  Namespace: default
  Labels: <none>
  Annotations: kubernetes.io/service-account.name: my-serviceaccount
  kubernetes.io/service-account.uid: xxxx-xxxx

  Type: kubernetes.io/service-account-token

  Data

  ca.crt: 1107 bytes
  namespace: 7 bytes
  token: xxxxxxxxxxxxxxxxxx