
Get access token for k8s RBAC user

Having:

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: example-role
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list"]

And rolebinding:

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: example-rolebinding
  namespace: default
subjects:
- kind: User
  name: example-user
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: example-role
  apiGroup: rbac.authorization.k8s.io

How can I get the secret token?

token=$(kubectl get secret/$name -o jsonpath='{.data.token}' | base64 --decode)

But there is no secret for the user, only the "default-token-xxx".

Do I need to bind a service account, or is the token added to default-token-xxx?

All Kubernetes clusters have two categories of users: service accounts managed by Kubernetes, and normal users, and a third subject: Groups. Kubernetes does not have objects (kinds) which represent normal user accounts. Normal users cannot be added to a cluster through an API call. Normal users are typically managed or authenticated through integrations with other authentication protocols such as LDAP, SAML, Azure Active Directory, Kerberos, etc. You can leverage an external identity provider like OIDC to authenticate through a token.

For Service Accounts, as you've correctly noticed, if you don't explicitly create a Kubernetes Service Account in your namespace, you'll only have access to the default service account, which will be default-token-<hash>.

A token is not automatically created for a "Normal User", but is automatically created for a Service Account. Service accounts are users managed by the Kubernetes API. They are bound to specific namespaces, and created automatically by the API server or manually through API calls. Service accounts are tied to a set of credentials stored as Secrets.

Kubernetes uses client certificates, bearer tokens, an authenticating proxy, or HTTP basic auth to authenticate API requests through authentication plugins. As HTTP requests are made to the API server, plugins attempt to associate the following attributes with the request:

  • Username: a string which identifies the end user. Common values might be kube-admin or jane@example.com.
  • UID: a string which identifies the end user and attempts to be more consistent and unique than username.

The subject of user authentication is easier answered if we know what the user authentication integration being used is.
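The answer above explains why no token exists for a `User` subject and why one does for a Service Account. The script below, added here as an example and not part of the original question or answer, shows the practical consequence: bind a ServiceAccount (assumed name `example-sa`) to the page's `example-role`, fetch its token with `kubectl create token` (Kubernetes 1.24+; the legacy Secret lookup from the question is kept for older clusters), and confirm that the token's `sub` claim is the `system:serviceaccount:<namespace>:<name>` subject named in the RoleBinding. The sample token is constructed inline and unsigned so the decode and check run offline; `base64 -d` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example (not from the original post). Names "example-sa" and the claims
# in sample_token are constructed for this demo; example-role is from the page.

NS=default
SA=example-sa

# Manifest binding a ServiceAccount (rather than a "User") to the page's example-role.
sa_manifest() {
  cat <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: $SA
  namespace: $NS
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: example-sa-rolebinding
  namespace: $NS
subjects:
- kind: ServiceAccount
  name: $SA
  namespace: $NS
roleRef:
  kind: Role
  name: example-role
  apiGroup: rbac.authorization.k8s.io
EOF
}

# Kubernetes 1.24+: request a short-lived bound token; no Secret object is created.
fetch_token() {
  kubectl create token "$SA" -n "$NS" --duration=1h
}

# Pre-1.24 clusters: read the auto-generated Secret, as in the question.
fetch_legacy_token() {
  secret=$(kubectl get sa "$SA" -n "$NS" -o jsonpath='{.secrets[0].name}')
  kubectl get secret/"$secret" -n "$NS" -o jsonpath='{.data.token}' | base64 -d
}

# base64url without padding -> base64url (JWT segment encoding).
b64url_encode() {
  printf '%s' "$1" | base64 | tr -d '\n=' | tr '/+' '_-'
}

# base64url -> bytes (restore padding, swap the URL-safe alphabet back).
b64url_decode() {
  s=$(printf '%s' "$1" | tr '_-' '/+')
  while [ $(( ${#s} % 4 )) -ne 0 ]; do s="$s="; done
  printf '%s' "$s" | base64 -d
}

# Print the "sub" claim of a JWT. Service account tokens carry
# system:serviceaccount:<namespace>:<name>; this does NOT verify the signature.
jwt_subject() {
  payload=$(printf '%s' "$1" | cut -d. -f2)
  { b64url_decode "$payload"; echo; } | sed -n 's/.*"sub":"\([^"]*\)".*/\1/p'
}

# Constructed token shaped like a legacy service account token; the signature is fake.
sample_token() {
  hdr='{"alg":"RS256","kid":"constructed"}'
  pl='{"iss":"kubernetes/serviceaccount","kubernetes.io/serviceaccount/namespace":"default","kubernetes.io/serviceaccount/service-account.name":"example-sa","sub":"system:serviceaccount:default:example-sa"}'
  printf '%s.%s.%s' "$(b64url_encode "$hdr")" "$(b64url_encode "$pl")" "constructed-signature"
}

# Succeeds only if the token's subject is the ServiceAccount named in the RoleBinding.
check_subject() {
  [ "$(jwt_subject "$1")" = "system:serviceaccount:$NS:$SA" ]
}

# Run against a real cluster with: sh this_script.sh apply
if [ "${1:-}" = "apply" ]; then
  sa_manifest | kubectl apply -f -
  token=$(fetch_token)
  check_subject "$token" && echo "token subject OK: $(jwt_subject "$token")"
fi
```

The subject check is the part worth keeping around: a RoleBinding whose subject is `kind: User, name: example-user` grants nothing to a token whose `sub` is `system:serviceaccount:default:example-sa`, so comparing the decoded subject with the binding's subject is the quickest way to explain an unexpected 403 from the API server.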
