Accessing the Kubernetes API from a container inside Kubernetes

Date: 2017-05-25 14:14:24

Tags: kubernetes

  • I deployed a pod on a minikube "cluster":

YAML:

---
kind: ServiceAccount
apiVersion: v1
metadata:
  name: orchestration

---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: orchestration
rules:
  - apiGroups: ["*"]
    resources: ["*"]
    verbs: ["*"]

---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: orchestration
roleRef:
  kind: ClusterRole
  name: orchestration
  apiGroup: rbac.authorization.k8s.io
subjects:
  - kind: ServiceAccount
    name: orchestration
    namespace: default

---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: orchestration-master
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: orchestration
    spec:
      serviceAccountName: orchestration
      containers:
        - name: orchestration
          image: joan38/orchestration:latest
          ports:
            - name: ui
              containerPort: 8080

---
apiVersion: v1
kind: Service
metadata:
  name: orchestration-ui
spec:
  type: NodePort
  selector:
    app: orchestration
  ports:
    - name: http
      protocol: TCP
      port: 80
      nodePort: 31010
      targetPort: 8080
  • Connect to the pod: kubectl exec -ti --namespace default myContainer bash
  • Query the API: curl -k https://kubernetes.default.svc.cluster.local/api/v1
  • The result is Unauthorized

Why is that, and how do I authorize the request?

1 answer:

Answer 0: (score: 1)

The service account's credentials are mounted at /var/run/secrets/kubernetes.io/serviceaccount:

curl https://kubernetes.default.svc.cluster.local/api/v1 \
  --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt \
  -H "Authorization: Bearer $(</var/run/secrets/kubernetes.io/serviceaccount/token)"
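The answer above shows the raw curl invocation; the following POSIX sh script is an added example, not code from the question or the answer, that packages the same in-cluster flow with the checks a practitioner usually wants: it builds the API URL from the KUBERNETES_SERVICE_HOST / KUBERNETES_SERVICE_PORT variables the kubelet injects into every pod (falling back to the kubernetes.default.svc.cluster.local name used on the page), refuses to run when no token is mounted (the case when automountServiceAccountToken is false), verifies the server with the mounted ca.crt instead of `-k`, and maps the HTTP status to what it means for a pod caller (401 is the question's symptom: the request carried no credentials; 403 means the token was accepted but RBAC denied the verb). The SA_DIR override variable and the function names are this example's own assumptions. Note that the ClusterRole in the question grants `*`/`*`/`*`, i.e. cluster-admin-equivalent rights to any pod running as that service account; a Role scoped to the verbs and resources the pod actually needs is the least-privilege alternative once the call works.

```shell
#!/bin/sh
# Added example: call the Kubernetes API from inside a pod using the
# mounted service-account credentials. SA_DIR is an assumed override
# so the functions can be exercised outside a cluster.
SA_DIR="${SA_DIR:-/var/run/secrets/kubernetes.io/serviceaccount}"

# API base URL: prefer the env vars the kubelet injects into every pod,
# fall back to the cluster-DNS name the question used.
api_url() {
  if [ -n "${KUBERNETES_SERVICE_HOST:-}" ]; then
    printf 'https://%s:%s' "$KUBERNETES_SERVICE_HOST" "${KUBERNETES_SERVICE_PORT:-443}"
  else
    printf 'https://kubernetes.default.svc.cluster.local'
  fi
}

# Print the bearer-token header value read from <dir>/token.
# Fails (return 1) when the token file is absent, e.g. the pod spec set
# automountServiceAccountToken: false, instead of sending an empty header.
auth_header() {
  tok_file="$1/token"
  if [ ! -r "$tok_file" ]; then
    echo "no service-account token at $tok_file (automountServiceAccountToken: false?)" >&2
    return 1
  fi
  printf 'Authorization: Bearer %s' "$(cat "$tok_file")"
}

# Translate an HTTP status code into the authn/authz meaning for a pod caller.
explain_status() {
  case "$1" in
    401) echo "401 Unauthorized: request not authenticated (missing or invalid bearer token)" ;;
    403) echo "403 Forbidden: token accepted but RBAC denies this verb on this resource" ;;
    2[0-9][0-9]) echo "$1 OK: authenticated and authorized" ;;
    *) echo "$1: unexpected status" ;;
  esac
}

# GET an API path with the mounted CA and token; prints the HTTP status code.
# Uses --cacert rather than -k so the API server identity is actually verified.
api_get() {
  path="$1"
  hdr="$(auth_header "$SA_DIR")" || return 1
  curl -sS --cacert "$SA_DIR/ca.crt" -H "$hdr" \
    -o /dev/null -w '%{http_code}' "$(api_url)$path"
}

# Typical use inside the pod from the question:
#   status="$(api_get /api/v1)" && explain_status "$status"
```

With the token header present the same `/api/v1` request that returned Unauthorized in the question succeeds; if it instead returns 403, the service account is authenticated and the fix is on the RBAC side (a Role or ClusterRole binding that covers the verb), not on the credential side.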