{"id":1467,"date":"2022-04-12T16:41:35","date_gmt":"2022-04-12T08:41:35","guid":{"rendered":"https:\/\/www.buyao007.icu\/?p=1467"},"modified":"2022-04-25T17:09:52","modified_gmt":"2022-04-25T09:09:52","slug":"12-k8s%e7%9a%84rbac%e9%89%b4%e6%9d%83%e7%ad%96%e7%95%a5","status":"publish","type":"post","link":"https:\/\/www.buyao007.icu\/?p=1467","title":{"rendered":"12.K8S\u7684rbac\u9274\u6743\u7b56\u7565"},"content":{"rendered":"\n<p>\u5b59\u5bcc\u9633\uff0c \u6c5f\u6e56\u4eba\u79f0\u6ca1\u4eba\u79f0\u3002\u591a\u5e74\u4e92\u8054\u7f51\u8fd0\u7ef4\u5de5\u4f5c\u7ecf\u9a8c\uff0c\u66fe\u8d1f\u8d23\u8fc7\u5b59\u5e03\u65af\u5927\u89c4\u6a21\u96c6\u7fa4\u67b6\u6784\u81ea\u52a8\u5316\u8fd0\u7ef4\u7ba1\u7406\u5de5\u4f5c\u3002\u64c5\u957fWeb\u96c6\u7fa4\u67b6\u6784\u4e0e\u81ea\u52a8\u5316\u8fd0\u7ef4\uff0c\u66fe\u8d1f\u8d23\u56fd\u5185\u67d0\u5927\u578b\u535a\u5ba2\u7f51\u7ad9\u8fd0\u7ef4\u5de5\u4f5c\u3002<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"toc_0\">1.rbac\u9274\u6743\u6982\u8ff0<\/h2>\n\n\n\n<pre class=\"wp-block-code\"><code>\u57fa\u4e8e\u89d2\u8272\uff08Role\uff09\u7684\u8bbf\u95ee\u63a7\u5236\uff08RBAC\uff09\u662f\u4e00\u79cd\u57fa\u4e8e\u7ec4\u7ec7\u4e2d\u7528\u6237\u7684\u89d2\u8272\u6765\u8c03\u8282\u63a7\u5236\u5bf9 \u8ba1\u7b97\u673a\u6216\u7f51\u7edc\u8d44\u6e90\u7684\u8bbf\u95ee\u7684\u65b9\u6cd5\u3002\nRBAC \u9274\u6743\u673a\u5236\u4f7f\u7528 rbac.authorization.k8s.io API \u7ec4 \u6765\u9a71\u52a8\u9274\u6743\u51b3\u5b9a\uff0c\u5141\u8bb8\u4f60\u901a\u8fc7 Kubernetes API \u52a8\u6001\u914d\u7f6e\u7b56\u7565\u3002\n\u8981\u542f\u7528 RBAC\uff0c\u5728\u542f\u52a8 API \u670d\u52a1\u5668 \u65f6\u5c06 --authorization-mode \u53c2\u6570\u8bbe\u7f6e\u4e3a\u4e00\u4e2a\u9017\u53f7\u5206\u9694\u7684\u5217\u8868\u5e76\u786e\u4fdd\u5176\u4e2d\u5305\u542b RBAC\u3002\nkube-apiserver --authorization-mode=Example,RBAC --&lt;\u5176\u4ed6\u9009\u9879&gt; --&lt;\u5176\u4ed6\u9009\u9879&gt;\nRBAC 
API\u58f0\u660e\u4e86\u56db\u79cdKubernetes\u5bf9\u8c61\uff1a<strong>Role\u3001ClusterRole\u3001RoleBinding\u548cClusterRoleBinding<\/strong>\u3002\u4f60\u53ef\u4ee5\u50cf\u4f7f\u7528\u5176\u4ed6Kubernetes\u5bf9\u8c61\u4e00\u6837\uff0c\u901a\u8fc7\u7c7b\u4f3ckubectl\u8fd9\u7c7b\u5de5\u5177\u63cf\u8ff0\u5bf9\u8c61,\u6216\u4fee\u8865\u5bf9\u8c61\u3002\n\u63a8\u8350\u9605\u8bfb\uff1a\nhttps:&#47;&#47;kubernetes.io\/zh\/docs\/reference\/access-authn-authz\/rbac\/https:\/\/kubernetes.io\/zh\/docs\/reference\/access-authn-authz\/rbac\/\n<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"toc_0\">2.Role \u548c ClusterRole<\/h2>\n\n\n\n<p><strong><em>1.Role\u793a\u4f8b<\/em><\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\u4e0b\u9762\u662f\u4e00\u4e2a\u4f4d\u4e8e\"default\"\u547d\u540d\u7a7a\u95f4\u7684Role\u7684\u793a\u4f8b\uff0c\u53ef\u7528\u6765\u6388\u4e88\u5bf9pods\u7684\u8bfb\u8bbf\u95ee\u6743\u9650\napiVersion: rbac.authorization.k8s.io\/v1\nkind: Role\nmetadata:\n  namespace: default\n  name: pod-reader\nrules:\n- apiGroups: &#91;\"\"] # \"\" ###\u6807\u660e core API \u7ec4\n  resources: &#91;\"pods\"] ###\u6807\u660e\u8d44\u6e90\u4e3apod\n  verbs: &#91;\"get\", \"watch\", \"list\"] ###\u6807\u660e\u62e5\u6709\u7684\u6743\u9650\n<\/code><\/pre>\n\n\n\n<p><strong><em>2.clusterRole\u793a\u4f8b<\/em><\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ClusterRole \u53ef\u4ee5\u548c Role \u76f8\u540c\u5b8c\u6210\u6388\u6743\u3002\u56e0\u4e3aClusterRole\u5c5e\u4e8e\u96c6\u7fa4\u5168\u5c40\u8303\u56f4\uff0c\u6240\u4ee5\u5b83\u4e5f\u53ef\u4ee5\u4e3a\u4ee5\u4e0b\u8d44\u6e90\u6388\u4e88\u8bbf\u95ee\u6743\u9650\uff1a\n\u96c6\u7fa4\u8303\u56f4\u8d44\u6e90\uff08\u6bd4\u5982 \u8282\u70b9\uff08Node\uff09\uff09\n\u975e\u8d44\u6e90\u7aef\u70b9\uff08\u6bd4\u5982 \/healthz\uff09\n\u8de8\u540d\u5b57\u7a7a\u95f4\u8bbf\u95ee\u7684\u540d\u5b57\u7a7a\u95f4\u4f5c\u7528\u57df\u7684\u8d44\u6e90\uff08\u5982 
Pods\uff09\n\u6bd4\u5982\uff0c\u4f60\u53ef\u4ee5\u4f7f\u7528ClusterRole\u6765\u5141\u8bb8\u67d0\u7279\u5b9a\u7528\u6237\u6267\u884c kubectl get pods --all-namespaces\n<strong>\u4e0b\u9762\u662f\u4e00\u4e2a ClusterRole \u7684\u793a\u4f8b<\/strong>\uff0c\u53ef\u7528\u6765\u4e3a\u4efb\u4e00\u7279\u5b9a\u540d\u5b57\u7a7a\u95f4\u4e2d\u7684 Secret \u6388\u4e88\u8bfb\u8bbf\u95ee\u6743\u9650\uff0c \u6216\u8005\u8de8\u540d\u5b57\u7a7a\u95f4\u7684\u8bbf\u95ee\u6743\u9650\uff08\u53d6\u51b3\u4e8e\u8be5\u89d2\u8272\u662f\u5982\u4f55\u7ed1\u5b9a\u7684\uff09\uff1a\napiVersion: rbac.authorization.k8s.io\/v1\nkind: ClusterRole\nmetadata:\n  # \"namespace\" \u88ab\u5ffd\u7565\uff0c\u56e0\u4e3a ClusterRoles \u4e0d\u53d7\u540d\u5b57\u7a7a\u95f4\u9650\u5236\n  name: secret-reader\nrules:\n- apiGroups: &#91;\"\"]\n  # \u5728 HTTP \u5c42\u9762\uff0c\u7528\u6765\u8bbf\u95ee Secret \u5bf9\u8c61\u7684\u8d44\u6e90\u7684\u540d\u79f0\u4e3a \"secrets\"\n  resources: &#91;\"secrets\"]\n  verbs: &#91;\"get\", \"watch\", \"list\"]\n<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"toc_0\">3.RoleBinding \u548c ClusterRoleBinding<\/h2>\n\n\n\n<p><strong><em>1.\u6982\u8ff0<\/em><\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>    \u89d2\u8272\u7ed1\u5b9a\uff08Role Binding\uff09\u662f\u5c06\u89d2\u8272\u4e2d\u5b9a\u4e49\u7684\u6743\u9650\u8d4b\u4e88\u4e00\u4e2a\u6216\u8005\u4e00\u7ec4\u7528\u6237\u3002 \u5b83\u5305\u542b\u82e5\u5e72 \u4e3b\u4f53\uff08\u7528\u6237\u3001\u7ec4\u6216\u670d\u52a1\u8d26\u6237\uff09\u7684\u5217\u8868\u548c\u5bf9\u8fd9\u4e9b\u4e3b\u4f53\u6240\u83b7\u5f97\u7684\u89d2\u8272\u7684\u5f15\u7528\u3002 RoleBinding \u5728\u6307\u5b9a\u7684\u540d\u5b57\u7a7a\u95f4\u4e2d\u6267\u884c\u6388\u6743\uff0c\u800c ClusterRoleBinding \u5728\u96c6\u7fa4\u8303\u56f4\u6267\u884c\u6388\u6743\u3002\n    \u4e00\u4e2a RoleBinding \u53ef\u4ee5\u5f15\u7528\u540c\u4e00\u7684\u540d\u5b57\u7a7a\u95f4\u4e2d\u7684\u4efb\u4f55 Role\u3002 \u6216\u8005\uff0c\u4e00\u4e2a RoleBinding 
\u53ef\u4ee5\u5f15\u7528\u67d0 ClusterRole \u5e76\u5c06\u8be5 ClusterRole \u7ed1\u5b9a\u5230 RoleBinding \u6240\u5728\u7684\u540d\u5b57\u7a7a\u95f4\u3002 \u5982\u679c\u4f60\u5e0c\u671b\u5c06\u67d0 ClusterRole \u7ed1\u5b9a\u5230\u96c6\u7fa4\u4e2d\u6240\u6709\u540d\u5b57\u7a7a\u95f4\uff0c\u4f60\u8981\u4f7f\u7528 ClusterRoleBinding\u3002\n<\/code><\/pre>\n\n\n\n<p><strong><em>2.RoleBinding \u793a\u4f8b<\/em><\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\u4e0b\u9762\u7684\u4f8b\u5b50\u4e2d\u7684 RoleBinding \u5c06 \"pod-reader\" Role \u6388\u4e88\u5728 \"default\" \u540d\u5b57\u7a7a\u95f4\u4e2d\u7684\u7528\u6237 \"jane\"\u3002 \u8fd9\u6837\uff0c\u7528\u6237 \"jane\" \u5c31\u5177\u6709\u4e86\u8bfb\u53d6 \"default\" \u540d\u5b57\u7a7a\u95f4\u4e2d pods \u7684\u6743\u9650\u3002\n\napiVersion: rbac.authorization.k8s.io\/v1\n<strong># \u6b64\u89d2\u8272\u7ed1\u5b9a\u5141\u8bb8 \"jane\" \u8bfb\u53d6 \"default\" \u540d\u5b57\u7a7a\u95f4\u4e2d\u7684 Pods<\/strong>\nkind: RoleBinding\nmetadata:\n  name: read-pods\n  namespace: default\nsubjects:\n# \u4f60\u53ef\u4ee5\u6307\u5b9a\u4e0d\u6b62\u4e00\u4e2a\u201csubject\uff08\u4e3b\u4f53\uff09\u201d\n- kind: User\n  name: jane # \"name\" \u662f\u533a\u5206\u5927\u5c0f\u5199\u7684\n  apiGroup: rbac.authorization.k8s.io\nroleRef:\n  # \"roleRef\" \u6307\u5b9a\u4e0e\u67d0 Role \u6216 ClusterRole \u7684\u7ed1\u5b9a\u5173\u7cfb\n  kind: Role # \u6b64\u5b57\u6bb5\u5fc5\u987b\u662f Role \u6216 ClusterRole\n  name: pod-reader     # \u6b64\u5b57\u6bb5\u5fc5\u987b\u4e0e\u4f60\u8981\u7ed1\u5b9a\u7684 Role \u6216 ClusterRole \u7684\u540d\u79f0\u5339\u914d\n  apiGroup: rbac.authorization.k8s.io\nRoleBinding \u4e5f\u53ef\u4ee5\u5f15\u7528 ClusterRole\uff0c\u4ee5\u5c06\u5bf9\u5e94 ClusterRole \u4e2d\u5b9a\u4e49\u7684\u8bbf\u95ee\u6743\u9650\u6388\u4e88 RoleBinding 
\u6240\u5728\u540d\u5b57\u7a7a\u95f4\u7684\u8d44\u6e90\u3002\u8fd9\u79cd\u5f15\u7528\u4f7f\u5f97\u4f60\u53ef\u4ee5\u8de8\u6574\u4e2a\u96c6\u7fa4\u5b9a\u4e49\u4e00\u7ec4\u901a\u7528\u7684\u89d2\u8272\uff0c \u4e4b\u540e\u5728\u591a\u4e2a\u540d\u5b57\u7a7a\u95f4\u4e2d\u590d\u7528\u3002\n\u4f8b\u5982\uff0c\u5c3d\u7ba1\u4e0b\u9762\u7684 RoleBinding \u5f15\u7528\u7684\u662f\u4e00\u4e2a ClusterRole\uff0c\"dave\"\uff08\u8fd9\u91cc\u7684\u4e3b\u4f53\uff0c \u533a\u5206\u5927\u5c0f\u5199\uff09\u53ea\u80fd\u8bbf\u95ee \"development\" \u540d\u5b57\u7a7a\u95f4\u4e2d\u7684 Secrets \u5bf9\u8c61\uff0c\u56e0\u4e3a RoleBinding \u6240\u5728\u7684\u540d\u5b57\u7a7a\u95f4\uff08\u7531\u5176 metadata \u51b3\u5b9a\uff09\u662f \"development\"\u3002\napiVersion: rbac.authorization.k8s.io\/v1\n<strong># \u6b64\u89d2\u8272\u7ed1\u5b9a\u4f7f\u5f97\u7528\u6237 \"dave\" \u80fd\u591f\u8bfb\u53d6 \"development\" \u540d\u5b57\u7a7a\u95f4\u4e2d\u7684 Secrets<\/strong>\n# \u4f60\u9700\u8981\u4e00\u4e2a\u540d\u4e3a \"secret-reader\" \u7684 ClusterRole\nkind: RoleBinding\nmetadata:\n  name: read-secrets\n  # RoleBinding \u7684\u540d\u5b57\u7a7a\u95f4\u51b3\u5b9a\u4e86\u8bbf\u95ee\u6743\u9650\u7684\u6388\u4e88\u8303\u56f4\u3002\n  # \u8fd9\u91cc\u9690\u542b\u6388\u6743\u4ec5\u5728 \"development\" \u540d\u5b57\u7a7a\u95f4\u5185\u7684\u8bbf\u95ee\u6743\u9650\u3002\n  namespace: development\nsubjects:\n- kind: User\n  name: dave # 'name' \u662f\u533a\u5206\u5927\u5c0f\u5199\u7684\n  apiGroup: rbac.authorization.k8s.io\nroleRef:\n  kind: ClusterRole\n  name: secret-reader\n  apiGroup: rbac.authorization.k8s.io\n<\/code><\/pre>\n\n\n\n<p><strong><em>3.ClusterRoleBinding \u793a\u4f8b<\/em><\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\u8981\u8de8\u6574\u4e2a\u96c6\u7fa4\u5b8c\u6210\u8bbf\u95ee\u6743\u9650\u7684\u6388\u4e88\uff0c\u4f60\u53ef\u4ee5\u4f7f\u7528\u4e00\u4e2a ClusterRoleBinding\u3002 \u4e0b\u9762\u7684 ClusterRoleBinding \u5141\u8bb8 \"manager\" 
\u7ec4\u5185\u7684\u6240\u6709\u7528\u6237\u8bbf\u95ee\u4efb\u4f55\u540d\u5b57\u7a7a\u95f4\u4e2d\u7684 Secrets\u3002\n\napiVersion: rbac.authorization.k8s.io\/v1\n# \u6b64\u96c6\u7fa4\u89d2\u8272\u7ed1\u5b9a\u5141\u8bb8 \u201cmanager\u201d \u7ec4\u4e2d\u7684\u4efb\u4f55\u4eba\u8bbf\u95ee\u4efb\u4f55\u540d\u5b57\u7a7a\u95f4\u4e2d\u7684 secrets\nkind: ClusterRoleBinding\nmetadata:\n  name: read-secrets-global\nsubjects:\n- kind: Group\n  name: manager # 'name' \u662f\u533a\u5206\u5927\u5c0f\u5199\u7684\n  apiGroup: rbac.authorization.k8s.io\nroleRef:\n  kind: ClusterRole\n  name: secret-reader\n  apiGroup: rbac.authorization.k8s.io\n\u521b\u5efa\u4e86\u7ed1\u5b9a\u4e4b\u540e\uff0c\u4f60\u4e0d\u80fd\u518d\u4fee\u6539\u7ed1\u5b9a\u5bf9\u8c61\u6240\u5f15\u7528\u7684 Role \u6216 ClusterRole\u3002 \u8bd5\u56fe\u6539\u53d8\u7ed1\u5b9a\u5bf9\u8c61\u7684 roleRef \u5c06\u5bfc\u81f4\u5408\u6cd5\u6027\u68c0\u67e5\u9519\u8bef\u3002 \u5982\u679c\u4f60\u60f3\u8981\u6539\u53d8\u73b0\u6709\u7ed1\u5b9a\u5bf9\u8c61\u4e2d roleRef \u5b57\u6bb5\u7684\u5185\u5bb9\uff0c\u5fc5\u987b\u5220\u9664\u91cd\u65b0\u521b\u5efa\u7ed1\u5b9a\u5bf9\u8c61\u3002\n\u8fd9\u79cd\u9650\u5236\u6709\u4e24\u4e2a\u4e3b\u8981\u539f\u56e0\uff1a\n\u9488\u5bf9\u4e0d\u540c\u89d2\u8272\u7684\u7ed1\u5b9a\u662f\u5b8c\u5168\u4e0d\u4e00\u6837\u7684\u7ed1\u5b9a\u3002\u8981\u6c42\u901a\u8fc7\u5220\u9664\/\u91cd\u5efa\u7ed1\u5b9a\u6765\u66f4\u6539 roleRef, \u8fd9\u6837\u53ef\u4ee5\u786e\u4fdd\u8981\u8d4b\u4e88\u7ed1\u5b9a\u7684\u6240\u6709\u4e3b\u4f53\u4f1a\u88ab\u6388\u4e88\u65b0\u7684\u89d2\u8272\uff08\u800c\u4e0d\u662f\u5728\u5141\u8bb8\u6216\u8005\u4e0d\u5c0f\u5fc3\u4fee\u6539 \u4e86 roleRef \u7684\u60c5\u51b5\u4e0b\u5bfc\u81f4\u6240\u6709\u73b0\u6709\u4e3b\u4f53\u672a\u7ecf\u9a8c\u8bc1\u5373\u88ab\u6388\u4e88\u65b0\u89d2\u8272\u5bf9\u5e94\u7684\u6743\u9650\uff09\u3002\n\u5c06 roleRef 
\u8bbe\u7f6e\u4e3a\u4e0d\u53ef\u4ee5\u6539\u53d8\uff0c\u8fd9\u4f7f\u5f97\u53ef\u4ee5\u4e3a\u7528\u6237\u6388\u4e88\u5bf9\u73b0\u6709\u7ed1\u5b9a\u5bf9\u8c61\u7684 update \u6743\u9650\uff0c \u8fd9\u6837\u53ef\u4ee5\u8ba9\u4ed6\u4eec\u7ba1\u7406\u4e3b\u4f53\u5217\u8868\uff0c\u540c\u65f6\u4e0d\u80fd\u66f4\u6539\u88ab\u6388\u4e88\u8fd9\u4e9b\u4e3b\u4f53\u7684\u89d2\u8272\u3002\n\u547d\u4ee4 kubectl auth reconcile \u53ef\u4ee5\u521b\u5efa\u6216\u8005\u66f4\u65b0\u5305\u542b RBAC \u5bf9\u8c61\u7684\u6e05\u5355\u6587\u4ef6\uff0c \u5e76\u4e14\u5728\u5fc5\u8981\u7684\u60c5\u51b5\u4e0b\u5220\u9664\u548c\u91cd\u65b0\u521b\u5efa\u7ed1\u5b9a\u5bf9\u8c61\uff0c\u4ee5\u6539\u53d8\u6240\u5f15\u7528\u7684\u89d2\u8272\u3002\n<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"toc_0\">4.pod\u4f7f\u7528rbac\u7b56\u7565leBinding<\/h2>\n\n\n\n<p><strong><em>1.\u521b\u5efasa\u8d26\u53f7<\/em><\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>apiVersion: v1\nkind: ServiceAccount\nmetadata:\n  name: coredns\n  namespace: kube-system\n  labels:\n      kubernetes.io\/cluster-service: \"true\"\n      addonmanager.kubernetes.io\/mode: Reconcile\n<\/code><\/pre>\n\n\n\n<p><strong><em>2.\u521b\u5efacluster\u89c4\u5219<\/em><\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>apiVersion: rbac.authorization.k8s.io\/v1\nkind: ClusterRole\nmetadata:\n  labels:\n    kubernetes.io\/bootstrapping: rbac-defaults\n    addonmanager.kubernetes.io\/mode: Reconcile\n  name: system:coredns\nrules:\n- apiGroups:\n  - \"\"\n  resources:\n  - endpoints\n  - services\n  - pods\n  - namespaces\n  verbs:\n  - list\n  - watch\n- apiGroups:\n  - \"\"\n  resources:\n  - nodes\n  verbs:\n  - get\n<\/code><\/pre>\n\n\n\n<p><strong><em>3.clusterRoleBinding\u7ed1\u5b9a\u89c4\u5219<\/em><\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>apiVersion: rbac.authorization.k8s.io\/v1\nkind: ClusterRoleBinding\nmetadata:\n  annotations:\n    rbac.authorization.kubernetes.io\/autoupdate: \"true\"\n  
labels:\n    kubernetes.io\/bootstrapping: rbac-defaults\n    addonmanager.kubernetes.io\/mode: EnsureExists\n  name: system:coredns\nroleRef:\n  apiGroup: rbac.authorization.k8s.io\n  kind: ClusterRole\n  name: system:coredns\nsubjects:\n- kind: ServiceAccount\n  name: coredns\n  namespace: kube-system\n<\/code><\/pre>\n\n\n\n<p><strong><em>4.deployment\u5f15\u7528sa\u8d26\u53f7<\/em><\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>apiVersion: apps\/v1\nkind: Deployment\nmetadata:\n  name: coredns\n  namespace: kube-system\n  labels:\n    k8s-app: kube-dns\n    kubernetes.io\/cluster-service: \"true\"\n    addonmanager.kubernetes.io\/mode: Reconcile\n    kubernetes.io\/name: \"CoreDNS\"\nspec:\n  selector:\n    matchLabels:\n      k8s-app: kube-dns\n  template:\n    metadata:\n      labels:\n        k8s-app: kube-dns\n    spec:\n      serviceAccountName: coredns ###\u6307\u5b9asa\u7684\u540d\u5b57\n      tolerations:\n        - key: \"CriticalAddonsOnly\"\n          operator: \"Exists\"\n      containers:\n      - name: coredns\n        image: nginx:1.13\n<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"toc_0\">5.\u4e3akubelet\u521b\u5efa\u4e00\u4e2arbac\u7b56\u7565<\/h2>\n\n\n\n<pre class=\"wp-block-code\"><code>###\u521b\u5efasa\u8d26\u53f7\u3001\u521b\u5efacluster\u89c4\u5219\uff0c\u521b\u5efaclusterRoleBinding\n###\u83b7\u53d6sa\u8d26\u53f7\u521b\u5efa\u7684secret\u7684token\u540d\u5b57\nTOKEN_NAME=$(kubectl get sa -n &lt;namespace&gt; &lt;sa-name&gt; -o go-template='{{range .secrets}}{{.name}}{{end}}')\n###\u83b7\u53d6\u8bc1\u4e66\nCA_CERT=$(kubectl get secret -n &lt;namespace&gt; ${TOKEN_NAME} -o yaml | awk '\/ca.crt:\/{print $2}')\n###\u521b\u5efa\u8ba4\u8bc1\u6587\u4ef6\uff08\u5148\u8bbe\u7f6e API_SERVER \u4e3a apiserver \u7684\u5730\u5740\uff09\ncat &lt;&lt;EOF &gt; guest.config\napiVersion: v1\nkind: Config\nclusters:\n- cluster:\n    certificate-authority-data: $CA_CERT\n    server: $API_SERVER\n  name: cluster\nEOF\n###\u66f4\u65b0\u8ba4\u8bc1\u6587\u4ef6\u7684\u914d\u7f6e\n###\u83b7\u53d6token\u7684 
\u503c\nSECRET=$(kubectl -n &lt;namespace&gt; get secret ${TOKEN_NAME} -o go-template='{{.data.token}}')\n###\u6307\u5b9a\u7528\u6237\u548ctoken\nkubectl config set-credentials &lt;sa-name&gt; --token=`echo ${SECRET} | base64 -d` --kubeconfig=guest.config\n###\u521b\u5efa\u4e0a\u4e0b\u6587\nkubectl config set-context &lt;context-name-\u81ea\u5b9a\u4e49&gt; --cluster=cluster --user=&lt;sa-name&gt; --kubeconfig=guest.config\n###\u542f\u7528\u8fd9\u4e2a\u914d\u7f6e\nkubectl config use-context &lt;context-name-\u4e0a\u6761\u540d\u5b57\u81ea\u5b9a\u4e49\u7684\u540d\u5b57&gt; --kubeconfig=guest.config\n\u5c06 guest.config \u91cd\u547d\u540d\u4e4b\u540e\uff0c\u653e\u5230 ~\/.kube \u76ee\u5f55\u4e0b\u5373\u53ef\uff08\u8be5\u6587\u4ef6\u5185\u542b SA \u7684 token\uff0c\u6ce8\u610f\u9650\u5236\u6587\u4ef6\u6743\u9650\uff09\n<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>\u5b59\u5bcc\u9633\uff0c \u6c5f\u6e56\u4eba\u79f0\u6ca1\u4eba\u79f0\u3002\u591a\u5e74\u4e92\u8054\u7f51\u8fd0\u7ef4\u5de5\u4f5c\u7ecf\u9a8c\uff0c\u66fe\u8d1f\u8d23\u8fc7\u5b59\u5e03\u65af\u5927\u89c4\u6a21\u96c6\u7fa4\u67b6\u6784\u81ea\u52a8\u5316\u8fd0\u7ef4\u7ba1\u7406\u5de5\u4f5c\u3002\u64c5\u957fWeb\u96c6 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":246,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[23],"tags":[],"_links":{"self":[{"href":"https:\/\/www.buyao007.icu\/index.php?rest_route=\/wp\/v2\/posts\/1467"}],"collection":[{"href":"https:\/\/www.buyao007.icu\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.buyao007.icu\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.buyao007.icu\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.buyao007.icu\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1467"}],"version-history":[{"count":6,"href":"https:\/\/www.buyao007.icu\/index.php?rest_route=\/wp\/v2\/posts\/1467\/revisions"}],"predecessor-version":[{"id":1476,"href":"https:\/\/www.buyao007.icu\/index.php?rest_route=\/wp\/v2\/posts\/1467\/revisions\/1476"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.buyao007.icu\/index.php?rest_route=\/wp\/v2\/media\/246"}],"wp:attachment":[{"href":"https:\/\/www.buyao007.icu\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1467"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.buyao007.icu\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1467"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.buyao007.icu\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1467"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}