如何解决spring:通过serviceaccount访问k8s资源
我想以限制权限(list/watch/get、configmaps/services)访问 pod,所以我为 pod 创建了一个 ServiceAccount。
当我使用默认配置时
Config config = new ConfigBuilder().withMasterUrl("http://127.0.0.1:8080")
.build();
我好像用默认的ServiceAccount访问k8s
当我使用 ServiceAccount 机密时
Config config = new ConfigBuilder().withMasterUrl("http://127.0.0.1:8000")
.withTrustCerts(true)
.withOauthToken(token)//get from minikube dashboard secret token
.build();
角色配置
# kubectl get roles fullname -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
Metadata:
annotations:
kubectl.kubernetes.io/last-applied-configuration: |
{"apiVersion":"rbac.authorization.k8s.io/v1beta1","kind":"Role","Metadata":{"annotations":{},"labels":{"chart":"chart","release":"release"},"name":"fullname","namespace":"default"},"rules":[{"apiGroups":[""],"resources":["configmaps","services"],"verbs":["watch","list","get"]}]}
creationTimestamp: "2020-12-21T01:47:46Z"
labels:
chart: chart
release: release
managedFields:
- apiVersion: rbac.authorization.k8s.io/v1beta1
fieldsType: FieldsV1
fieldsV1:
f:Metadata:
f:annotations:
.: {}
f:kubectl.kubernetes.io/last-applied-configuration: {}
f:labels:
.: {}
f:chart: {}
f:release: {}
f:rules: {}
manager: kubectl-client-side-apply
operation: Update
time: "2020-12-21T02:34:19Z"
name: fullname
namespace: default
resourceVersion: "44766"
selfLink: /apis/rbac.authorization.k8s.io/v1/namespaces/default/roles/fullname
uid: 81cfe685-f629-400d-828a-7869847249d4
rules:
- apiGroups:
- ""
resources:
- configmaps
- services
verbs:
- watch
- list
- get
public static String getCRD(){
return kubernetesClient.customresourceDeFinitions().list().toString();
}
我仍然可以得到结果
那么我怎样才能通过serviceaccount限制的权限访问k8s
版权声明:本文内容由互联网用户自发贡献,该文观点与技术仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 dio@foxmail.com 举报,一经查实,本站将立刻删除。