kubernetes查看用户token

查看账号

#查看所有账号
[root@docker176 kubernetes]# kubectl -n kube-system get sa
NAME                       SECRETS   AGE
calico-cni-plugin          1         2d
calico-policy-controller   1         2d
default                    1         124d
heapster                   1         55d
kube-dns                   1         2d

# 查看指定账号
[root@docker176 kubernetes]# kubectl -n kube-system get sa calico-policy-controller
NAME                       SECRETS   AGE
calico-policy-controller   1         2d

取得secrets

kubectl -n kube-system get sa calico-policy-controller -o yamll 取得secrets

[root@docker176 kubernetes]# kubectl -n kube-system get sa calico-policy-controller -o yaml         
apiVersion: v1
kind: ServiceAccount
metadata:
  creationTimestamp: 2019-04-12T12:32:45Z
  name: calico-policy-controller
  namespace: kube-system
  resourceVersion: "16174639"
  selfLink: /api/v1/namespaces/kube-system/serviceaccounts/calico-policy-controller
  uid: 12c2762f-5d1f-11e9-9df3-000c2938862c
secrets:
- name: calico-policy-controller-token-dd7k3

secrets值为calico-policy-controller-token-dd7k3

取得token

[root@docker176 kubernetes]# kubectl get calico-policy-controller-token-dd7k3 -n kube-system -oyaml

查看token并解码

[root@docker176 kubernetes]# kubectl get secret calico-policy-controller-token-dd7k3 -n kube-system -o jsonpath={".data.token"}| base64 -d                    
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJjYWxpY28tcG9saWN5LWNvbnRyb2xsZXItdG9rZW4tZGQ3azMiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiY2FsaWNvLXBvbGljeS1jb250cm9sbGVyIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiMTJjMjc2MmYtNWQxZi0xMWU5LTlkZjMtMDAwYzI5Mzg4NjJjIiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50Omt1YmUtc3lzdGVtOmNhbGljby1wb2xpY3ktY29udHJvbGxlciJ9.jw75X2XsTnq_8zwd3YJb2hO_4N-78Zo7rmZSCQWSfABi22h6cFlih_ln8nkjlOEL2P_h10W-Zyt-VgmRJsdQTQjELhgLfuh47OCuyRSL_kGosfjbhtXt4QzDM_Svr2mzSpWVbIE68qzh4YUkYGW6aHCrhWW5W-t-dPjGyjJOglG-Xmm1jwFZe_xDKRKOqXzivrYXHJ0Uqcyb_aWQgHBf3gAHSI9OCiGa5_ZykFVOqSo69cY4xL2XOpOcXDVj767qbsi0isICX7vWhHsnaG2KzhlDM3LIAS4AQqWY_fbctSV-jjsBWgBYZgon2xAQqOMmi4xvft_Uk6uEWT4ZKOn7MA

校验token

这里校验token是指，上面获取到的token和容器中的token进行对比

查看容器

[root@docker176 ~]# docker ps|grep calico
796243554da4        192.168.14.171:5000/calico/kube-policy-controller@sha256:1ca4ccddb3cc3e57e3d8c1fe5d7236ca50250d0a274b0bc3d88ad6ce25cab73e                   "/dist/controller"       2 days ago          Up 2 days                               k8s_calico-policy-controller_calico-policy-controller-2698340612-8hksd_kube-system_13650ec9-5d1f-11e9-9df3-000c2938862c_0

进入容器中token所在目录

docker exec -it   796243554da4 sh
#或者
docker exec -it `docker ps |grep k8s_calico-policy-controller | awk '{print $1}'` sh
# 进入token所在目录
cd /var/run/secrets/kubernetes.io/serviceaccount
/var/run/secrets/kubernetes.io/serviceaccount # ls
ca.crt     namespace  token

查看token

eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJjYWxpY28tcG9saWN5LWNvbnRyb2xsZXItdG9rZW4tZGQ3azMiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiY2FsaWNvLXBvbGljeS1jb250cm9sbGVyIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiMTJjMjc2MmYtNWQxZi0xMWU5LTlkZjMtMDAwYzI5Mzg4NjJjIiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50Omt1YmUtc3lzdGVtOmNhbGljby1wb2xpY3ktY29udHJvbGxlciJ9.jw75X2XsTnq_8zwd3YJb2hO_4N-78Zo7rmZSCQWSfABi22h6cFlih_ln8nkjlOEL2P_h10W-Zyt-VgmRJsdQTQjELhgLfuh47OCuyRSL_kGosfjbhtXt4QzDM_Svr2mzSpWVbIE68qzh4YUkYGW6aHCrhWW5W-t-dPjGyjJOglG-Xmm1jwFZe_xDKRKOqXzivrYXHJ0Uqcyb_aWQgHBf3gAHSI9OCiGa5_ZykFVOqSo69cY4xL2XOpOcXDVj767qbsi0isICX7vWhHsnaG2KzhlDM3LIAS4AQqWY_fbctSV-jjsBWgBYZgon2xAQqOMmi4xvft_Uk6uEWT4ZKOn7MA

对比 k8s中查看的token一致

验证token是否有效

curl -k -H ‘Authorization: Bearer ${token}’ https://192.168.14.176:6443/api

如下有返回信息的都是token通过校验正常访问k8s api

[root@docker176 ~]# curl -k -H 'Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJjYWxpY28tcG9saWN5LWNvbnRyb2xsZXItdG9rZW4tZGQ3azMiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiY2FsaWNvLXBvbGljeS1jb250cm9sbGVyIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiMTJjMjc2MmYtNWQxZi0xMWU5LTlkZjMtMDAwYzI5Mzg4NjJjIiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50Omt1YmUtc3lzdGVtOmNhbGljby1wb2xpY3ktY29udHJvbGxlciJ9.jw75X2XsTnq_8zwd3YJb2hO_4N-78Zo7rmZSCQWSfABi22h6cFlih_ln8nkjlOEL2P_h10W-Zyt-VgmRJsdQTQjELhgLfuh47OCuyRSL_kGosfjbhtXt4QzDM_Svr2mzSpWVbIE68qzh4YUkYGW6aHCrhWW5W-t-dPjGyjJOglG-Xmm1jwFZe_xDKRKOqXzivrYXHJ0Uqcyb_aWQgHBf3gAHSI9OCiGa5_ZykFVOqSo69cY4xL2XOpOcXDVj767qbsi0isICX7vWhHsnaG2KzhlDM3LIAS4AQqWY_fbctSV-jjsBWgBYZgon2xAQqOMmi4xvft_Uk6uEWT4ZKOn7MA' https://192.168.14.176:6443/api
{
  "kind": "APIVersions",
  "versions": [
    "v1"
  ],
  "serverAddressByClientCIDRs": [
    {
      "clientCIDR": "0.0.0.0/0",
      "serverAddress": "192.168.14.176:6443"
    }
  ]
}

我这边os-admin是管理员用户，然后在本地登录Kubernetes Dashboard输入os-admin的token就可以了