Kubernetes

[Kubernetes] Creating a cluster-admin serviceaccount and token

정윤재 2023. 5. 10. 01:08

The script below creates a serviceaccount and a token for that account.

#!/bin/bash

ADMIN=k8s-admin
NS=kube-system

# 1. The service account that will act as the cluster administrator.
kubectl create serviceaccount "$ADMIN" -n "$NS"

# 2. Bind it to the built-in cluster-admin ClusterRole.
#    (ClusterRoleBinding is cluster-scoped, so it carries no namespace of its own.)
cat <<EOF | kubectl apply -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: $ADMIN
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: $ADMIN
  namespace: $NS
EOF

# 3. Read the token. Clusters before Kubernetes 1.24 create a "$ADMIN-token-xxxxx"
#    Secret automatically; newer clusters do not, and instead issue a time-bound
#    token with "kubectl create token".
SECRET=$(kubectl -n "$NS" get secret | grep "$ADMIN-token" | awk '{print $1; exit}')
if [ -n "$SECRET" ]; then
  TOKEN=$(kubectl -n "$NS" get secret "$SECRET" -o jsonpath='{.data.token}' | base64 -d)
else
  TOKEN=$(kubectl -n "$NS" create token "$ADMIN")
fi

# 4. Register the token as a kubectl user so a context can reference it.
kubectl config set-credentials "$ADMIN" --token="$TOKEN"

Take the TOKEN value generated above (printing the TOKEN variable shows it) and edit ~/.kube/config as shown below so that the client connects with that token.

apiVersion: v1
clusters:
- cluster:
    # disables API server certificate verification; when the cluster CA is
    # available, put it in certificate-authority-data and drop this line instead
    insecure-skip-tls-verify: true
    certificate-authority-data:
    server: https://192.168.101.156:26443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: k8s-admin
  name: kubernetes-admin@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: k8s-admin  # the name of the Service Account created above
  user:
    # the token value from the Secret of the Service Account created above
    token: eyJhbGciOiJSUzI1NiIsImtpZCI6InQ1QTBTVHB2Ml9jLWtoMnNrbF8wdm9RVV9CQnNDZkRCaUR1WEFrWUFlejgifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJrOHMtYWRtaW4tdG9rZW4tcDdwMngiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiazhzLWFkbWluIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiMzZhODhmZmEtYTgzZS00ZGQ3LTlhNDUtNTBhODA4ZTc5NzVlIiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50Omt1YmUtc3lzdGVtOms4cy1hZG1pbiJ9.E30_WGI0sFTAs8IDFjhDFTReCgoe0TdEbTcgx757kLv3-Pp2FKibKi9iF8HCNumk1SXQiDvlaO7bZ7jNNR4DZIVV3aYHYo66n8Pk1B9eXmFUhg_kIHjYwURTnmLXJElwA_Zdeubr5ekCkMRAE2LJpKQHLEtG-kfBWjMtMgYIKn6TKfawLXWUflfejp6WGtu-3_5L34Rs0u7QmcjWW8g929sBu74IDvo-QYlQXwzFL-tIundmABG7Ufjy9uTdeaDMGDOArvhnT6QQ_T0hKvzpXPC2TtV2cxlkNtshoJdEd5YqU_wlohZkvaozG8XeDSp6J-Hiwgc4CnB-1BuojL2sFg

Using the serviceaccount's token, you can connect to the API server and use it without worrying about token expiry.

To check whether the token is valid, run

curl -k -H "Authorization:Bearer [token]" [API server URL]

and if a list of paths like the one below comes back, the token is working.

root@k8smaster1:~# curl -k -H "Authorization:Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6InQ1QTBTVHB2Ml9jLWtoMnNrbF8wdm9RVV9CQnNDZkRCaUR1WEFrWUFlejgifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJrOHMtYWRtaW4tdG9rZW4tZnc1dGMiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiazhzLWFkbWluIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiNDlhY2UxMTktMmE4OC00YzUzLWIxYzYtMTI5NDkwM2VmMGY5Iiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50Omt1YmUtc3lzdGVtOms4cy1hZG1pbiJ9.miQ86oRdTalL0kcJIZsP53KJDlpvRfyv-o4eCVXfkuC9Otfmp7LLCZ5Ew4oq5idPjRgsXntcyJJancRHX5PscKP6PYS85GJiVLCXg2OyHQN2sim1tEufc8I3KbGLtUPHCsnTPdMwme4819AQ2M6lKZykk8MjmXR0z3ZJ-QnKG8ANAEL6dHdi3zWA48-gDflcEb6tu9QtGzW-lXmNRuzKGj1fU_YxSbJ8y0dr5jFkIwdj8myb8L3jtUXPnotvxc3vEZyGjTG23g7ElGw5U8hoLJAz3ZwklH51kqQiXWmP0kbxbZNbHpoMf2HDIUX_oTX0Yme_KgYtJlBNmSYYvRXhHg" https://192.168.101.156:26443

{
  "paths": [
    "/.well-known/openid-configuration",
    "/api",
    "/api/v1",
    "/apis",
    "/apis/",
    "/apis/admissionregistration.k8s.io",
    "/apis/admissionregistration.k8s.io/v1",
    "/apis/admissionregistration.k8s.io/v1beta1",
    "/apis/apiextensions.k8s.io",
    "/apis/apiextensions.k8s.io/v1",
    "/apis/apiextensions.k8s.io/v1beta1",
    "/apis/apiregistration.k8s.io",
    "/apis/apiregistration.k8s.io/v1",
    "/apis/apiregistration.k8s.io/v1beta1",
    "/apis/apps",
    "/apis/apps/v1",
    "/apis/authentication.k8s.io",
    "/apis/authentication.k8s.io/v1",
    "/apis/authentication.k8s.io/v1beta1",
    "/apis/authorization.k8s.io",
    "/apis/authorization.k8s.io/v1",
    "/apis/authorization.k8s.io/v1beta1",
    "/apis/autoscaling",
    "/apis/autoscaling/v1",
    "/apis/autoscaling/v2beta1",
    "/apis/autoscaling/v2beta2",
    "/apis/batch",
    "/apis/batch/v1",
    "/apis/batch/v1beta1",
    "/apis/certificates.k8s.io",
    "/apis/certificates.k8s.io/v1",
    "/apis/certificates.k8s.io/v1beta1",
    "/apis/coordination.k8s.io",
    "/apis/coordination.k8s.io/v1",
    "/apis/coordination.k8s.io/v1beta1",
    "/apis/crd.projectcalico.org",
    "/apis/crd.projectcalico.org/v1",
    "/apis/discovery.k8s.io",
    "/apis/discovery.k8s.io/v1beta1",
    "/apis/events.k8s.io",
    "/apis/events.k8s.io/v1",
    "/apis/events.k8s.io/v1beta1",
    "/apis/extensions",
    "/apis/extensions/v1beta1",
    "/apis/flowcontrol.apiserver.k8s.io",
    "/apis/flowcontrol.apiserver.k8s.io/v1beta1",
    "/apis/networking.k8s.io",
    "/apis/networking.k8s.io/v1",
    "/apis/networking.k8s.io/v1beta1",
    "/apis/node.k8s.io",
    "/apis/node.k8s.io/v1",
    "/apis/node.k8s.io/v1beta1",
    "/apis/operator.tigera.io",
    "/apis/operator.tigera.io/v1",
    "/apis/policy",
    "/apis/policy/v1beta1",
    "/apis/rbac.authorization.k8s.io",
    "/apis/rbac.authorization.k8s.io/v1",
    "/apis/rbac.authorization.k8s.io/v1beta1",
    "/apis/scheduling.k8s.io",
    "/apis/scheduling.k8s.io/v1",
    "/apis/scheduling.k8s.io/v1beta1",
    "/apis/storage.k8s.io",
    "/apis/storage.k8s.io/v1",
    "/apis/storage.k8s.io/v1beta1",
    "/healthz",
    "/healthz/autoregister-completion",
    "/healthz/etcd",
    "/healthz/log",
    "/healthz/ping",
    "/healthz/poststarthook/aggregator-reload-proxy-client-cert",
    "/healthz/poststarthook/apiservice-openapi-controller",
    "/healthz/poststarthook/apiservice-registration-controller",
    "/healthz/poststarthook/apiservice-status-available-controller",
    "/healthz/poststarthook/bootstrap-controller",
    "/healthz/poststarthook/crd-informer-synced",
    "/healthz/poststarthook/generic-apiserver-start-informers",
    "/healthz/poststarthook/kube-apiserver-autoregistration",
    "/healthz/poststarthook/priority-and-fairness-config-consumer",
    "/healthz/poststarthook/priority-and-fairness-config-producer",
    "/healthz/poststarthook/priority-and-fairness-filter",
    "/healthz/poststarthook/rbac/bootstrap-roles",
    "/healthz/poststarthook/scheduling/bootstrap-system-priority-classes",
    "/healthz/poststarthook/start-apiextensions-controllers",
    "/healthz/poststarthook/start-apiextensions-informers",
    "/healthz/poststarthook/start-cluster-authentication-info-controller",
    "/healthz/poststarthook/start-kube-aggregator-informers",
    "/healthz/poststarthook/start-kube-apiserver-admission-initializer",
    "/livez",
    "/livez/autoregister-completion",
    "/livez/etcd",
    "/livez/log",
    "/livez/ping",
    "/livez/poststarthook/aggregator-reload-proxy-client-cert",
    "/livez/poststarthook/apiservice-openapi-controller",
    "/livez/poststarthook/apiservice-registration-controller",
    "/livez/poststarthook/apiservice-status-available-controller",
    "/livez/poststarthook/bootstrap-controller",
    "/livez/poststarthook/crd-informer-synced",
    "/livez/poststarthook/generic-apiserver-start-informers",
    "/livez/poststarthook/kube-apiserver-autoregistration",
    "/livez/poststarthook/priority-and-fairness-config-consumer",
    "/livez/poststarthook/priority-and-fairness-config-producer",
    "/livez/poststarthook/priority-and-fairness-filter",
    "/livez/poststarthook/rbac/bootstrap-roles",
    "/livez/poststarthook/scheduling/bootstrap-system-priority-classes",
    "/livez/poststarthook/start-apiextensions-controllers",
    "/livez/poststarthook/start-apiextensions-informers",
    "/livez/poststarthook/start-cluster-authentication-info-controller",
    "/livez/poststarthook/start-kube-aggregator-informers",
    "/livez/poststarthook/start-kube-apiserver-admission-initializer",
    "/logs",
    "/metrics",
    "/openapi/v2",
    "/openid/v1/jwks",
    "/readyz",
    "/readyz/autoregister-completion",
    "/readyz/etcd",
    "/readyz/informer-sync",
    "/readyz/log",
    "/readyz/ping",
    "/readyz/poststarthook/aggregator-reload-proxy-client-cert",
    "/readyz/poststarthook/apiservice-openapi-controller",
    "/readyz/poststarthook/apiservice-registration-controller",
    "/readyz/poststarthook/apiservice-status-available-controller",
    "/readyz/poststarthook/bootstrap-controller",
    "/readyz/poststarthook/crd-informer-synced",
    "/readyz/poststarthook/generic-apiserver-start-informers",
    "/readyz/poststarthook/kube-apiserver-autoregistration",
    "/readyz/poststarthook/priority-and-fairness-config-consumer",
    "/readyz/poststarthook/priority-and-fairness-config-producer",
    "/readyz/poststarthook/priority-and-fairness-filter",
    "/readyz/poststarthook/rbac/bootstrap-roles",
    "/readyz/poststarthook/scheduling/bootstrap-system-priority-classes",
    "/readyz/poststarthook/start-apiextensions-controllers",
    "/readyz/poststarthook/start-apiextensions-informers",
    "/readyz/poststarthook/start-cluster-authentication-info-controller",
    "/readyz/poststarthook/start-kube-aggregator-informers",
    "/readyz/poststarthook/start-kube-apiserver-admission-initializer",
    "/readyz/shutdown",
    "/version"
  ]
}
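The curl check above only tells you that the API server accepts the token. The following added example (not part of the original post) shows how to read the token itself first, so that you can confirm which service account a token sitting in a kubeconfig actually belongs to before using it. It assumes GNU coreutils base64 and POSIX sed; the sample token is constructed inside the script with a dummy signature so that it runs offline.

```shell
#!/usr/bin/env bash
# Added example: inspect the claims of a Kubernetes service-account token.
# Such a token is a JWT: header.payload.signature, each segment base64url-encoded.
# Decoding the payload shows the issuer, namespace and account name; it performs
# no signature check, which remains the API server's job.

# base64url-decode one JWT segment: restore '+' and '/', re-add padding, then decode.
b64url_decode() {
  seg=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#seg} % 4 )) in
    2) seg="${seg}==" ;;
    3) seg="${seg}=" ;;
  esac
  printf '%s' "$seg" | base64 -d
}

# Print the payload (claims) JSON of a JWT.
jwt_payload() {
  b64url_decode "$(printf '%s' "$1" | cut -d. -f2)"
}

# Extract one string-valued claim (e.g. sub) from the payload. Plain sed keeps the
# example free of jq; service-account tokens carry flat, unescaped string claims.
# '|' is the sed delimiter so claim names containing '/' work.
jwt_claim() {
  jwt_payload "$1" | sed -n "s|.*\"$2\":\"\([^\"]*\)\".*|\1|p"
}

# Return 0 when the token's sub claim names the expected <namespace>/<name>, else 1.
token_is_for_sa() {
  [ "$(jwt_claim "$1" sub)" = "system:serviceaccount:$2:$3" ]
}

# Constructed sample token (assumption: a dummy signature, never signed by a real
# cluster). Its claims mirror those of the post's k8s-admin token. base64url-encode
# strips padding and the line wrapping GNU base64 inserts.
b64url_encode() {
  printf '%s' "$1" | base64 | tr -d '\n=' | tr '/+' '_-'
}
SAMPLE_HEADER='{"alg":"RS256","kid":"example-kid"}'
SAMPLE_PAYLOAD='{"iss":"kubernetes/serviceaccount","kubernetes.io/serviceaccount/namespace":"kube-system","kubernetes.io/serviceaccount/service-account.name":"k8s-admin","sub":"system:serviceaccount:kube-system:k8s-admin"}'
SAMPLE_TOKEN="$(b64url_encode "$SAMPLE_HEADER").$(b64url_encode "$SAMPLE_PAYLOAD").dummysignature"

# Usage: confirm the token belongs to kube-system/k8s-admin before putting it in a kubeconfig.
if token_is_for_sa "$SAMPLE_TOKEN" kube-system k8s-admin; then
  echo "token belongs to kube-system/k8s-admin; claims:"
  jwt_payload "$SAMPLE_TOKEN"
  echo
else
  echo "token is NOT for the expected service account" >&2
  exit 1
fi
```

To inspect a real token, replace SAMPLE_TOKEN with the value from the Secret (or from the TOKEN variable in the script above). A payload without an exp claim, which is what the legacy Secret-based token carries, marks the credential as long-lived: it is effectively a cluster-admin password and should be stored and rotated with the same care.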