10. k8s应用管理
1. 创建应用¶
# 应用管理-kubernetes-创建
# 名称: k8s集群master节点-腾讯云1
# 集群: https://10.0.8.3:6443
2. 创建用户¶
# 资产管理-系统用户-普通用户-创建-k8s
# 名称:k8s集群用户
# 令牌:需要弄出令牌来!
3. jumpserver的k8s用户令牌¶
# 官方文档:https://docs.jumpserver.org/zh/master/admin-guide/app/kubernetes/
1. 查看k8s集群入口¶
# 浏览器访问:https://10.0.8.3:6443
2. 获取token¶
# 登录k8s-master节点
# 1. 查看secret
kubectl get secret -n kube-system
#2. 获取token
kubectl describe secret ko-admin-token-kprl9 -n kube-system
#我的集群中没有此账户,只能重建了!
root@k8s-master:~# kubectl get secret -n kube-system
NAME TYPE DATA AGE
attachdetach-controller-token-hjwh2 kubernetes.io/service-account-token 3 38h
bootstrap-signer-token-bnxzh kubernetes.io/service-account-token 3 38h
bootstrap-token-iiibjv bootstrap.kubernetes.io/token 6 15h
calico-etcd-secrets Opaque 3 38h
calico-kube-controllers-token-qr7ff kubernetes.io/service-account-token 3 38h
calico-node-token-t9pdh kubernetes.io/service-account-token 3 38h
certificate-controller-token-8gw55 kubernetes.io/service-account-token 3 38h
clusterrole-aggregation-controller-token-pd4tr kubernetes.io/service-account-token 3 38h
coredns-token-k47ww kubernetes.io/service-account-token 3 38h
cronjob-controller-token-42w5l kubernetes.io/service-account-token 3 38h
daemon-set-controller-token-jcfp5 kubernetes.io/service-account-token 3 38h
default-token-4rp77 kubernetes.io/service-account-token 3 38h
deployment-controller-token-5whf2 kubernetes.io/service-account-token 3 38h
disruption-controller-token-458b8 kubernetes.io/service-account-token 3 38h
endpoint-controller-token-jj2wn kubernetes.io/service-account-token 3 38h
endpointslice-controller-token-kb5wm kubernetes.io/service-account-token 3 38h
endpointslicemirroring-controller-token-sfgbk kubernetes.io/service-account-token 3 38h
ephemeral-volume-controller-token-j24j2 kubernetes.io/service-account-token 3 38h
expand-controller-token-9qgk2 kubernetes.io/service-account-token 3 38h
generic-garbage-collector-token-gsm2p kubernetes.io/service-account-token 3 38h
horizontal-pod-autoscaler-token-6z2fs kubernetes.io/service-account-token 3 38h
job-controller-token-7j25t kubernetes.io/service-account-token 3 38h
kube-proxy-token-btdqk kubernetes.io/service-account-token 3 38h
namespace-controller-token-qz5qw kubernetes.io/service-account-token 3 38h
node-controller-token-kgpdn kubernetes.io/service-account-token 3 38h
persistent-volume-binder-token-2pl6h kubernetes.io/service-account-token 3 38h
pod-garbage-collector-token-4gccq kubernetes.io/service-account-token 3 38h
pv-protection-controller-token-wll2b kubernetes.io/service-account-token 3 38h
pvc-protection-controller-token-84fjp kubernetes.io/service-account-token 3 38h
replicaset-controller-token-qcjtj kubernetes.io/service-account-token 3 38h
replication-controller-token-pwnxb kubernetes.io/service-account-token 3 38h
resourcequota-controller-token-bpfh6 kubernetes.io/service-account-token 3 38h
root-ca-cert-publisher-token-g6dn5 kubernetes.io/service-account-token 3 38h
service-account-controller-token-ttfph kubernetes.io/service-account-token 3 38h
service-controller-token-5g6lk kubernetes.io/service-account-token 3 38h
statefulset-controller-token-4hm6v kubernetes.io/service-account-token 3 38h
token-cleaner-token-g5bsd kubernetes.io/service-account-token 3 38h
ttl-after-finished-controller-token-gdw6s kubernetes.io/service-account-token 3 38h
ttl-controller-token-sjpl2 kubernetes.io/service-account-token 3 38h
3. 创建集群权限的serviceaccount,并绑定ClusterRole:cluster-admin¶
# 切换到root用户
sudo -i
#2.创建yaml文件
vim jumpserver-admin.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: jumpserver-admin
namespace: kube-system
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: jumpserver-admin
subjects:
- kind: ServiceAccount
name: jumpserver-admin
namespace: kube-system
roleRef:
kind: ClusterRole
name: cluster-admin
apiGroup: rbac.authorization.k8s.io
创建sa
kubectl apply -f jumpserver-admin.yaml
查看创建的sa
#1. 查看sa,得到secret名
kubectl get sa -n kube-system jumpserver-admin
查看secret
kubectl get secret -n kube-system|grep jumpserver
root@k8s-master:~# kubectl get secret -n kube-system|grep jumpserver
jumpserver-admin-token-mdmhx kubernetes.io/service-account-token 3 45s
4. 获取jumpserver-admin的token¶
# 根据得到的secret名,得到token
kubectl -n kube-system get secrets jumpserver-admin-token-mdmhx -o jsonpath={.data.token}
root@k8s-master:~# kubectl -n kube-system get secrets jumpserver-admin-token-mdmhx -o jsonpath={.data.token}
ZXlKaGJHY2lPaUpTVXpJMU5pSXNJbXRwWkNJNklpMDFhSEJOYWtWaVdrMXhiVmcyU0dWeWQydEtOR2htVVRkdlMwRktka2hCTjBob1NXRm1ObGQ1VlVVaWZRLmV5SnBjM01pT2lKcmRXSmxjbTVsZEdWekwzTmxjblpwWTJWaFkyTnZkVzUwSWl3aWEzVmlaWEp1WlhSbGN5NXBieTl6WlhKMmFXTmxZV05qYjNWdWRDOXVZVzFsYzNCaFkyVWlPaUpyZFdKbExYTjVjM1JsYlNJc0ltdDFZbVZ5Ym1WMFpYTXVhVzh2YzJWeWRtbGpaV0ZqWTI5MWJuUXZjMlZqY21WMExtNWhiV1VpT2lKcWRXMXdjMlZ5ZG1WeUxXRmtiV2x1TFhSdmEyVnVMVzFrYldoNElpd2lhM1ZpWlhKdVpYUmxjeTVwYnk5elpYSjJhV05sWVdOamIzVnVkQzl6WlhKMmFXTmxMV0ZqWTI5MWJuUXVibUZ0WlNJNkltcDFiWEJ6WlhKMlpYSXRZV1J0YVc0aUxDSnJkV0psY201bGRHVnpMbWx2TDNObGNuWnBZMlZoWTJOdmRXNTBMM05sY25acFkyVXRZV05qYjNWdWRDNTFhV1FpT2lKak56QmtNMk0yWVMxaE5XSXdMVFF6TkRndE9HTTFZaTB5WWpRMFpEYzVPVFEyWmpRaUxDSnpkV0lpT2lKemVYTjBaVzA2YzJWeWRtbGpaV0ZqWTI5MWJuUTZhM1ZpWlMxemVYTjBaVzA2YW5WdGNITmxjblpsY2kxaFpHMXBiaUo5LmduV0NQM1huOTZiSGJuMVIzc2hqMW5mWWlJMjMyc1JnX01QSHJVZU4yZmZKQ2FwY19MM1FLUlRaamNtX3pZQlZ5MlR1ZGlncVoyREMxZVAzeU92MFlfbXQxbVZaX2h3WDFvTU9INEh6OGhGQXBfbnZiUTRGcGQ4a0dpNlJBRTl3bG9uYlhyaUd3UXh5T0hKa2VRQ3pNeEhXUl9yYzBhaVc4eUoyalRkdEJENWdFVzNteVBhQVZPblpuQXlyYWRXNzNtSTFBRHEtVDM0ZmExa2xENFRtamsxT2FNOVFuOFN6YXF5b00tSzhYU2xBbGROdnczTlFFaGhYb1dwNFBTRWlKdGpXa3dHaDBnazluNzZkdXlVT0RydVRuZzhTeENxTzhzczV1UTRvcWI1ZVFZY0hFaFRXRHZXd3kzNDlMR1NEejN3SXhYT1Zhbm1Ea0NUU0F0RE8wZw==
5. token转码¶
kubectl get secrets -n kube-system jumpserver-admin-token-vfll7 -o jsonpath={.data.token} |base64 -d
root@k8s-master:~# kubectl get secrets -n kube-system jumpserver-admin-token-mdmhx -o jsonpath={.data.token} |base64 -d
eyJhbGciOiJSUzI1NiIsImtpZCI6Ii01aHBNakViWk1xbVg2SGVyd2tKNGhmUTdvS0FKdkhBN0hoSWFmNld5VUUifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJqdW1wc2VydmVyLWFkbWluLXRva2VuLW1kbWh4Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6Imp1bXBzZXJ2ZXItYWRtaW4iLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiJjNzBkM2M2YS1hNWIwLTQzNDgtOGM1Yi0yYjQ0ZDc5OTQ2ZjQiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6a3ViZS1zeXN0ZW06anVtcHNlcnZlci1hZG1pbiJ9.gnWCP3Xn96bHbn1R3shj1nfYiI232sRg_MPHrUeN2ffJCapc_L3QKRTZjcm_zYBVy2TudigqZ2DC1eP3yOv0Y_mt1mVZ_hwX1oMOH4Hz8hFAp_nvbQ4Fpd8kGi6RAE9wlonbXriGwQxyOHJkeQCzMxHWR_rc0aiW8yJ2jTdtBD5gEW3myPaAVOnZnAyradW73mI1ADq-T34fa1klD4Tmjk1OaM9Qn8SzaqyoM-K8XSlAldNvw3NQEhhXoWp4PSEiJtjWkwGh0gk9n76duyUODruTng8SxCqO8ss5uQ4oqb5eQYcHEhTWDvWwy349LGSDz3wIxXOVanmDkCTSAtDO0g
6. 使用转码后的token访问集群测试¶
# 防火墙开启6443端口
curl -k -H 'Authorization: Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6Ii01aHBNakViWk1xbVg2SGVyd2tKNGhmUTdvS0FKdkhBN0hoSWFmNld5VUUifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJqdW1wc2VydmVyLWFkbWluLXRva2VuLW1kbWh4Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6Imp1bXBzZXJ2ZXItYWRtaW4iLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiJjNzBkM2M2YS1hNWIwLTQzNDgtOGM1Yi0yYjQ0ZDc5OTQ2ZjQiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6a3ViZS1zeXN0ZW06anVtcHNlcnZlci1hZG1pbiJ9.gnWCP3Xn96bHbn1R3shj1nfYiI232sRg_MPHrUeN2ffJCapc_L3QKRTZjcm_zYBVy2TudigqZ2DC1eP3yOv0Y_mt1mVZ_hwX1oMOH4Hz8hFAp_nvbQ4Fpd8kGi6RAE9wlonbXriGwQxyOHJkeQCzMxHWR_rc0aiW8yJ2jTdtBD5gEW3myPaAVOnZnAyradW73mI1ADq-T34fa1klD4Tmjk1OaM9Qn8SzaqyoM-K8XSlAldNvw3NQEhhXoWp4PSEiJtjWkwGh0gk9n76duyUODruTng8SxCqO8ss5uQ4oqb5eQYcHEhTWDvWwy349LGSDz3wIxXOVanmDkCTSAtDO0g' https://10.0.8.3:6443/healthz
成功!!!
root@k8s-master:~# curl -k -H 'Authorization: Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6Ii01aHBNakViWk1xbVg2SGVyd2tKNGhmUTdvS0FKdkhBN0hoSWFmNld5VUUifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJqdW1wc2VydmVyLWFkbWluLXRva2VuLW1kbWh4Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6Imp1bXBzZXJ2ZXItYWRtaW4iLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiJjNzBkM2M2YS1hNWIwLTQzNDgtOGM1Yi0yYjQ0ZDc5OTQ2ZjQiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6a3ViZS1zeXN0ZW06anVtcHNlcnZlci1hZG1pbiJ9.gnWCP3Xn96bHbn1R3shj1nfYiI232sRg_MPHrUeN2ffJCapc_L3QKRTZjcm_zYBVy2TudigqZ2DC1eP3yOv0Y_mt1mVZ_hwX1oMOH4Hz8hFAp_nvbQ4Fpd8kGi6RAE9wlonbXriGwQxyOHJkeQCzMxHWR_rc0aiW8yJ2jTdtBD5gEW3myPaAVOnZnAyradW73mI1ADq-T34fa1klD4Tmjk1OaM9Qn8SzaqyoM-K8XSlAldNvw3NQEhhXoWp4PSEiJtjWkwGh0gk9n76duyUODruTng8SxCqO8ss5uQ4oqb5eQYcHEhTWDvWwy349LGSDz3wIxXOVanmDkCTSAtDO0g' https://10.0.8.3:6443/healthz
ok
4. 将未转码的token写入到jumpserver的k8s用户令牌¶
#1. token
ZXlKaGJHY2lPaUpTVXpJMU5pSXNJbXRwWkNJNklpMDFhSEJOYWtWaVdrMXhiVmcyU0dWeWQydEtOR2htVVRkdlMwRktka2hCTjBob1NXRm1ObGQ1VlVVaWZRLmV5SnBjM01pT2lKcmRXSmxjbTVsZEdWekwzTmxjblpwWTJWaFkyTnZkVzUwSWl3aWEzVmlaWEp1WlhSbGN5NXBieTl6WlhKMmFXTmxZV05qYjNWdWRDOXVZVzFsYzNCaFkyVWlPaUpyZFdKbExYTjVjM1JsYlNJc0ltdDFZbVZ5Ym1WMFpYTXVhVzh2YzJWeWRtbGpaV0ZqWTI5MWJuUXZjMlZqY21WMExtNWhiV1VpT2lKcWRXMXdjMlZ5ZG1WeUxXRmtiV2x1TFhSdmEyVnVMVzFrYldoNElpd2lhM1ZpWlhKdVpYUmxjeTVwYnk5elpYSjJhV05sWVdOamIzVnVkQzl6WlhKMmFXTmxMV0ZqWTI5MWJuUXVibUZ0WlNJNkltcDFiWEJ6WlhKMlpYSXRZV1J0YVc0aUxDSnJkV0psY201bGRHVnpMbWx2TDNObGNuWnBZMlZoWTJOdmRXNTBMM05sY25acFkyVXRZV05qYjNWdWRDNTFhV1FpT2lKak56QmtNMk0yWVMxaE5XSXdMVFF6TkRndE9HTTFZaTB5WWpRMFpEYzVPVFEyWmpRaUxDSnpkV0lpT2lKemVYTjBaVzA2YzJWeWRtbGpaV0ZqWTI5MWJuUTZhM1ZpWlMxemVYTjBaVzA2YW5WdGNITmxjblpsY2kxaFpHMXBiaUo5LmduV0NQM1huOTZiSGJuMVIzc2hqMW5mWWlJMjMyc1JnX01QSHJVZU4yZmZKQ2FwY19MM1FLUlRaamNtX3pZQlZ5MlR1ZGlncVoyREMxZVAzeU92MFlfbXQxbVZaX2h3WDFvTU9INEh6OGhGQXBfbnZiUTRGcGQ4a0dpNlJBRTl3bG9uYlhyaUd3UXh5T0hKa2VRQ3pNeEhXUl9yYzBhaVc4eUoyalRkdEJENWdFVzNteVBhQVZPblpuQXlyYWRXNzNtSTFBRHEtVDM0ZmExa2xENFRtamsxT2FNOVFuOFN6YXF5b00tSzhYU2xBbGROdnczTlFFaGhYb1dwNFBTRWlKdGpXa3dHaDBnazluNzZkdXlVT0RydVRuZzhTeENxTzhzczV1UTRvcWI1ZVFZY0hFaFRXRHZXd3kzNDlMR1NEejN3SXhYT1Zhbm1Ea0NUU0F0RE8wZw==
#2. 写入令牌中
5. 应用授权¶
# 权限管理-应用授权-创建-k8s
# 名称:k8s集群应用授权
# 用户:楚鹏,自己选择交给谁管理
# 应用:k8s集群
# 系统用户: k8s集群用户
6. 测试¶
# 登录chupeng用户,可以看到k8s应用
# 点击右侧的链接
# 发现连接失败!
7. 使用转码后的token¶
# 修改令牌为转码后的token测试!
eyJhbGciOiJSUzI1NiIsImtpZCI6Ii01aHBNakViWk1xbVg2SGVyd2tKNGhmUTdvS0FKdkhBN0hoSWFmNld5VUUifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJqdW1wc2VydmVyLWFkbWluLXRva2VuLW1kbWh4Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6Imp1bXBzZXJ2ZXItYWRtaW4iLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiJjNzBkM2M2YS1hNWIwLTQzNDgtOGM1Yi0yYjQ0ZDc5OTQ2ZjQiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6a3ViZS1zeXN0ZW06anVtcHNlcnZlci1hZG1pbiJ9.gnWCP3Xn96bHbn1R3shj1nfYiI232sRg_MPHrUeN2ffJCapc_L3QKRTZjcm_zYBVy2TudigqZ2DC1eP3yOv0Y_mt1mVZ_hwX1oMOH4Hz8hFAp_nvbQ4Fpd8kGi6RAE9wlonbXriGwQxyOHJkeQCzMxHWR_rc0aiW8yJ2jTdtBD5gEW3myPaAVOnZnAyradW73mI1ADq-T34fa1klD4Tmjk1OaM9Qn8SzaqyoM-K8XSlAldNvw3NQEhhXoWp4PSEiJtjWkwGh0gk9n76duyUODruTng8SxCqO8ss5uQ4oqb5eQYcHEhTWDvWwy349LGSDz3wIxXOVanmDkCTSAtDO0g
# 连接成功!!!
最后更新:
2022-02-18 07:50:18