
Access Kubernetes API from container within Kubernetes

  • I started a pod on a minikube "cluster":

Yaml:

---
kind: ServiceAccount
apiVersion: v1
metadata:
  name: orchestration

---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: orchestration
rules:
  - apiGroups: ["*"]
    resources: ["*"]
    verbs: ["*"]

---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: orchestration
roleRef:
  kind: ClusterRole
  name: orchestration
  apiGroup: rbac.authorization.k8s.io
subjects:
  - kind: ServiceAccount
    name: orchestration
    namespace: default

---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: orchestration-master
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: orchestration
    spec:
      serviceAccountName: orchestration
      containers:
        - name: orchestration
          image: joan38/orchestration:latest
          ports:
            - name: ui
              containerPort: 8080

---
apiVersion: v1
kind: Service
metadata:
  name: orchestration-ui
spec:
  type: NodePort
  selector:
    app: orchestration
  ports:
    - name: http
      protocol: TCP
      port: 80
      nodePort: 31010
      targetPort: 8080
  • Connect to the pod: kubectl exec -ti --namespace default myContainer bash
  • Query the API: curl -k https://kubernetes.default.svc.cluster.local/api/v1
  • Result: Unauthorized

Why? How do I authenticate?

The service account's credentials are mounted at /var/run/secrets/kubernetes.io/serviceaccount

curl https://kubernetes.default.svc.cluster.local/api/v1 \
  --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt \
  -H "Authorization: Bearer $(</var/run/secrets/kubernetes.io/serviceaccount/token)"
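
The same authenticated call made from application code inside the pod, as an added example that is not part of the original answer. It uses only the Python standard library; the function names are hypothetical, and the paths and host name are the ones shown above.

```python
import json
import ssl
import urllib.request
from pathlib import Path

# Mount point of the service account volume (path from the answer above).
SA_DIR = Path("/var/run/secrets/kubernetes.io/serviceaccount")


def load_credentials(sa_dir=SA_DIR):
    """Read the mounted token and namespace; fail clearly if the volume is absent."""
    sa_dir = Path(sa_dir)
    token_file = sa_dir / "token"
    if not token_file.is_file():
        raise FileNotFoundError(f"no service account token at {token_file}")
    token = token_file.read_text().strip()
    if not token:
        raise ValueError(f"empty token in {token_file}")
    ns_file = sa_dir / "namespace"
    namespace = ns_file.read_text().strip() if ns_file.is_file() else "default"
    return {"token": token, "namespace": namespace, "ca": str(sa_dir / "ca.crt")}


def build_request(path, creds, host="kubernetes.default.svc.cluster.local"):
    """Build the same request as the curl command: Bearer token over HTTPS."""
    if not path.startswith("/"):
        raise ValueError("API path must start with '/'")
    req = urllib.request.Request(f"https://{host}{path}")
    req.add_header("Authorization", f"Bearer {creds['token']}")
    req.add_header("Accept", "application/json")
    return req


def call_api(path, sa_dir=SA_DIR):
    """Send the request, verifying the API server against the mounted ca.crt
    (the equivalent of --cacert, instead of disabling verification with -k)."""
    # Credentials are re-read on every call because the kubelet may rotate
    # the mounted token file.
    creds = load_credentials(sa_dir)
    ctx = ssl.create_default_context(cafile=creds["ca"])
    with urllib.request.urlopen(build_request(path, creds), context=ctx, timeout=10) as r:
        return json.loads(r.read())


if __name__ == "__main__":
    # Only meaningful inside a pod: prints the resource names under /api/v1.
    print([res["name"] for res in call_api("/api/v1")["resources"]])
```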
