k8s admin 用户生成token

k8s 版本 1.28 

创建一个admin的命名空间

admin-namespce.yaml

kind: Namespace
apiVersion: v1
metadata:   name: admin   labels:     name: admin

 部署进k8s   kubectl apply -f admin-namespce.yaml   

查看k8s namespace 的列表

kubectl get namespace

查看当前生效的token 创建一个jenkins用户 用户类型为 ClusterRoleBinding   此类型为授权给整个集群   命名空间在kube-system 

role-jenkins.yaml

kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:name: jenkinsannotations:rbac.authorization.kubernetes.io/autoupdate: "true"
roleRef:kind: ClusterRolename: cluster-jenkinsapiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccountname: jenkinsnamespace: kube-system
---
apiVersion: v1
kind: ServiceAccount
metadata:name: jenkinsnamespace: kube-systemlabels:kubernetes.io/cluster-service: "true"addonmanager.kubernetes.io/mode: Reconcile
---
apiVersion: v1
kind: Secret
metadata:name: jenkinsnamespace: kube-systemannotations:kubernetes.io/service-account.name: "jenkins"
type: kubernetes.io/service-account-token

文件的最后一行为用户增加token  生成

部署用户 用户名为jenkins  授权整个集群

kubectl apply -f role-jenkins.yaml

获取集群目前已有的token 值 secret

[root@k-master token]# kubectl -n kube-system get secrets
NAME                     TYPE                                  DATA   AGE
bootstrap-token-qsesda   bootstrap.kubernetes.io/token         5      45h
jenkins                  kubernetes.io/service-account-token   3      24h

获取到jenkins 用户的token值的详细信息 

kubectl -n kube-system describe secrets jenkins

获取jenkins 用户的token

kubectl -n kube-system get secrets jenkins -o go-template --template '{{index .data "token"}}' | base64 --decode

查看k8s 下 jenkins用户是否有token

# kubectl describe sa jenkins -n kube-systemName:                jenkins
Namespace:           kube-system
Labels:              addonmanager.kubernetes.io/mode=Reconcilekubernetes.io/cluster-service=true
Annotations:         <none>
Image pull secrets:  <none>
Mountable secrets:   <none>
Tokens:              jenkins
Events:              <none>