[k8s series] (date modified 202205) Secret tokens in k8s

Generate a token for an admin user with the highest privileges in the Kubernetes cluster

kind: ClusterRoleBinding
# rbac.authorization.k8s.io/v1beta1 was removed in Kubernetes 1.22; v1 is the stable version
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: admin
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
  name: admin
  namespace: kube-system
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin
  namespace: kube-system
  labels:
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile

Then run the following command to create the ServiceAccount and the role binding:

kubectl create -f admin-role.yaml

Once they are created, get the token value from the secret.

Get the name of the admin-token secret:

$ kubectl -n kube-system get secret|grep admin-token
admin-token-2qdsz kubernetes.io/service-account-token 3 6m

Get the token value:

# Note: the token shown here is the base64-decoded value
# kubectl -n kube-system describe secret admin-token-2qdsz
Name: admin-token-2qdsz
Namespace: kube-system
Labels: <none>
Annotations: kubernetes.io/service-account.name: admin
kubernetes.io/service-account.uid: 4fe95396-6de8-4097-9ff9-4232f0151c71

Type: kubernetes.io/service-account-token

Data
====
ca.crt: 1359 bytes
namespace: 11 bytes
token: eyJhbGciOiJSUzI1NiIsImtpZCI6Im9IQXYtZkpERlB0V0JHRnFwa2w1czR1Zzhja2lRWTU1cjhpWW1uaEo3cmsifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJhZG1pbi10b2tlbi0ycWRzeiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJhZG1pbiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjRmZTk1Mzk2LTZkZTgtNDA5Ny05ZmY5LTQyMzJmMDE1MWM3MSIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDprdWJlLXN5c3RlbTphZG1pbiJ9.Xsd8Oo4EYEe3eL4GQweDvnuEfsRoFF0O1RXo_HjACgsj8FMQtU2TdaBhaJk3p7Rvuc_gAz3FqJS9YOWHVlSQKqfL68RCEPfbqb-dXqnKuijFyUKD4NyhnQH42oMf9fWD0NuquhTlNASQSIXdl1WW0u0bY8cOxmQHOOIJvuHMeqLTLG3oQYSgdjdfhHUtrqF1EztORGQKYFoJEv0gZRnXhuUC30MNjVptKPPC8hEzGWaVkcMwTJVIYQ6IYWsoH3o9Z_kDveJpbiOwQO4bV39bfNuefuGZY2SoJTfnyz7ERdT7LZLZ153E14vFbxeaF-_ITD-7cSGqxLZNifv-fmSKzQ

# Note: the token shown here is the base64-encoded value
# kubectl -n kube-system get secret admin-token-2qdsz -oyaml
apiVersion: v1
data:
  ca.crt: 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
  namespace: a3ViZS1zeXN0ZW0=
  token: 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
kind: Secret
metadata:
  annotations:
    kubernetes.io/service-account.name: admin
    kubernetes.io/service-account.uid: 4fe95396-6de8-4097-9ff9-4232f0151c71
  creationTimestamp: "2022-05-07T03:41:41Z"
  name: admin-token-2qdsz
  namespace: kube-system
  resourceVersion: "2962635"
  selfLink: /api/v1/namespaces/kube-system/secrets/admin-token-2qdsz
  uid: 41e80ab2-3840-4cde-bad8-cdad915bbcc9
type: kubernetes.io/service-account-token


You can also use jsonpath to get the token value directly, for example:

# kubectl -n kube-system get secret admin-token-2qdsz -o jsonpath={.data.token}
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


# kubectl -n kube-system get secret admin-token-2qdsz -o jsonpath={.data.token}|base64 -d
# kubectl -n kube-system get secret admin-token-2qdsz -o jsonpath={.data.token}|base64 --decode
eyJhbGciOiJSUzI1NiIsImtpZCI6Im9IQXYtZkpERlB0V0JHRnFwa2w1czR1Zzhja2lRWTU1cjhpWW1uaEo3cmsifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJhZG1pbi10b2tlbi0ycWRzeiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJhZG1pbiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjRmZTk1Mzk2LTZkZTgtNDA5Ny05ZmY5LTQyMzJmMDE1MWM3MSIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDprdWJlLXN5c3RlbTphZG1pbiJ9.Xsd8Oo4EYEe3eL4GQweDvnuEfsRoFF0O1RXo_HjACgsj8FMQtU2TdaBhaJk3p7Rvuc_gAz3FqJS9YOWHVlSQKqfL68RCEPfbqb-dXqnKuijFyUKD4NyhnQH42oMf9fWD0NuquhTlNASQSIXdl1WW0u0bY8cOxmQHOOIJvuHMeqLTLG3oQYSgdjdfhHUtrqF1EztORGQKYFoJEv0gZRnXhuUC30MNjVptKPPC8hEzGWaVkcMwTJVIYQ6IYWsoH3o9Z_kDveJpbiOwQO4bV39bfNuefuGZY2SoJTfnyz7ERdT7LZLZ153E14vFbxeaF-_ITD-7cSGqxLZNifv-fmSKzQ

Note: Linux and macOS both ship with a base64 command that can be used directly. Running base64 with no option encodes; on Linux, base64 -d decodes, and on macOS use base64 -D.
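The encoded/decoded distinction noted above can be checked in code. This is an added example, not part of the original post: it accepts either form of the token, reports which one it was given, and decodes the JWT claims; the function names are hypothetical and the sample token is constructed with the same claim names as the token shown above.

```python
import base64
import json


def b64url_decode(segment: str) -> bytes:
    """Decode one JWT segment (base64url with the padding stripped)."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def inspect_sa_token(value: str) -> dict:
    """Accept either the raw JWT or the Secret's .data.token (base64 of the JWT)
    and report which one it was plus the identity claims the token carries."""
    still_encoded = value.count(".") != 2   # standard base64 never contains "."
    if still_encoded:
        value = base64.b64decode(value, validate=True).decode("ascii")
        if value.count(".") != 2:
            raise ValueError("not a JWT, even after base64 decoding")
    _header, payload, _signature = value.split(".")
    claims = json.loads(b64url_decode(payload))
    return {
        "still_base64_encoded": still_encoded,  # True: unusable as a Bearer token as-is
        "issuer": claims.get("iss"),
        "subject": claims.get("sub"),
        "secret_name": claims.get("kubernetes.io/serviceaccount/secret.name"),
        # No "exp" claim means the token stays valid until its Secret is deleted.
        "expires": claims.get("exp"),
    }


def make_sample_jwt() -> str:
    """Constructed sample: claim names as in the page's token, dummy signature."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    claims = {
        "iss": "kubernetes/serviceaccount",
        "kubernetes.io/serviceaccount/namespace": "kube-system",
        "kubernetes.io/serviceaccount/secret.name": "admin-token-example",
        "kubernetes.io/serviceaccount/service-account.name": "admin",
        "sub": "system:serviceaccount:kube-system:admin",
    }
    return ".".join([enc({"alg": "RS256"}), enc(claims), enc({"sig": "dummy"})])


if __name__ == "__main__":
    jwt = make_sample_jwt()
    print(inspect_sa_token(jwt))
    print(inspect_sa_token(base64.b64encode(jwt.encode()).decode()))
```

The payload of the token printed above decodes to the same set of claims and likewise has no exp claim, so a Secret-based token bound to cluster-admin remains usable until the Secret or the ServiceAccount is deleted.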

API access

# curl https://192.168.56.168:6443/api --header "Authorization: Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6Im9IQXYtZkpERlB0V0JHRnFwa2w1czR1Zzhja2lRWTU1cjhpWW1uaEo3cmsifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJhZG1pbi10b2tlbi0ycWRzeiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJhZG1pbiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjRmZTk1Mzk2LTZkZTgtNDA5Ny05ZmY5LTQyMzJmMDE1MWM3MSIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDprdWJlLXN5c3RlbTphZG1pbiJ9.Xsd8Oo4EYEe3eL4GQweDvnuEfsRoFF0O1RXo_HjACgsj8FMQtU2TdaBhaJk3p7Rvuc_gAz3FqJS9YOWHVlSQKqfL68RCEPfbqb-dXqnKuijFyUKD4NyhnQH42oMf9fWD0NuquhTlNASQSIXdl1WW0u0bY8cOxmQHOOIJvuHMeqLTLG3oQYSgdjdfhHUtrqF1EztORGQKYFoJEv0gZRnXhuUC30MNjVptKPPC8hEzGWaVkcMwTJVIYQ6IYWsoH3o9Z_kDveJpbiOwQO4bV39bfNuefuGZY2SoJTfnyz7ERdT7LZLZ153E14vFbxeaF-_ITD-7cSGqxLZNifv-fmSKzQ" --insecure
{
"kind": "APIVersions",
"versions": [
"v1"
],
"serverAddressByClientCIDRs": [
{
"clientCIDR": "0.0.0.0/0",
"serverAddress": "192.168.56.168:6443"
}
]
}


# TOKEN=$(kubectl -n kube-system get secret admin-token-2qdsz -o jsonpath={.data.token}|base64 --decode)
# APISERVER=https://192.168.56.168:6443
# curl -X GET $APISERVER/api --header "Authorization: Bearer $TOKEN" --insecure
{
"kind": "APIVersions",
"versions": [
"v1"
],
"serverAddressByClientCIDRs": [
{
"clientCIDR": "0.0.0.0/0",
"serverAddress": "192.168.56.168:6443"
}
]
}


# curl -X GET $APISERVER/api/v1/nodes --header "Authorization: Bearer $TOKEN" --insecure
# curl -X GET $APISERVER/api/v1/namespaces/default/secrets --header "Authorization: Bearer $TOKEN" --insecure
# curl -X GET $APISERVER/api/v1/namespaces/kube-system/secrets --header "Authorization: Bearer $TOKEN" --insecure
# curl -X GET $APISERVER/api/v1/namespaces/kube-system/secrets/admin-token-2qdsz --header "Authorization: Bearer $TOKEN" --insecure
{
"kind": "Secret",
"apiVersion": "v1",
"metadata": {
"name": "admin-token-2qdsz",
"namespace": "kube-system",
"selfLink": "/api/v1/namespaces/kube-system/secrets/admin-token-2qdsz",
"uid": "41e80ab2-3840-4cde-bad8-cdad915bbcc9",
"resourceVersion": "2962635",
"creationTimestamp": "2022-05-07T03:41:41Z",
"annotations": {
"kubernetes.io/service-account.name": "admin",
"kubernetes.io/service-account.uid": "4fe95396-6de8-4097-9ff9-4232f0151c71"
},
"managedFields": [
{
"manager": "kube-controller-manager",
"operation": "Update",
"apiVersion": "v1",
"time": "2022-05-07T03:41:41Z",
"fieldsType": "FieldsV1",
"fieldsV1": {"f:data":{".":{},"f:ca.crt":{},"f:namespace":{},"f:token":{}},"f:metadata":{"f:annotations":{".":{},"f:kubernetes.io/service-account.name":{},"f:kubernetes.io/service-account.uid":{}}},"f:type":{}}
}
]
},
"data": {
"ca.crt": "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",
"namespace": "a3ViZS1zeXN0ZW0=",
"token": "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" # base64-encoded
},
"type": "kubernetes.io/service-account-token"
}

kubeconfig (token)

apiVersion: v1
clusters:
- cluster:
    insecure-skip-tls-verify: true
    server: https://192.168.56.168:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: system:admin
  name: system:admin
current-context: system:admin
kind: Config
preferences: {}
users:
- name: system:admin
  user:
    token: eyJhbGciOiJSUzI1NiIsImtpZCI6Im9IQXYtZkpERlB0V0JHRnFwa2w1czR1Zzhja2lRWTU1cjhpWW1uaEo3cmsifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJhZG1pbi10b2tlbi0ycWRzeiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJhZG1pbiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjRmZTk1Mzk2LTZkZTgtNDA5Ny05ZmY5LTQyMzJmMDE1MWM3MSIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDprdWJlLXN5c3RlbTphZG1pbiJ9.Xsd8Oo4EYEe3eL4GQweDvnuEfsRoFF0O1RXo_HjACgsj8FMQtU2TdaBhaJk3p7Rvuc_gAz3FqJS9YOWHVlSQKqfL68RCEPfbqb-dXqnKuijFyUKD4NyhnQH42oMf9fWD0NuquhTlNASQSIXdl1WW0u0bY8cOxmQHOOIJvuHMeqLTLG3oQYSgdjdfhHUtrqF1EztORGQKYFoJEv0gZRnXhuUC30MNjVptKPPC8hEzGWaVkcMwTJVIYQ6IYWsoH3o9Z_kDveJpbiOwQO4bV39bfNuefuGZY2SoJTfnyz7ERdT7LZLZ153E14vFbxeaF-_ITD-7cSGqxLZNifv-fmSKzQ

# kubectl --kubeconfig kubeconfig-168-token get secret -A    # works
# kubectl --kubeconfig kubeconfig-168-token get pod -A    # works
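The kubeconfig above sets insecure-skip-tls-verify: true, although the same Secret already carries the cluster CA in ca.crt. The following added example (not part of the original post; function names are hypothetical and the sample Secret is constructed) builds the equivalent token kubeconfig with certificate-authority-data instead, and shows which Secret field stays base64-encoded and which must be decoded.

```python
import base64
import json


def kubeconfig_from_secret(secret: dict, server: str, cluster: str = "kubernetes") -> dict:
    """Build a token kubeconfig that pins the cluster CA found in the same
    service-account Secret, so insecure-skip-tls-verify is not needed."""
    data = secret["data"]
    ca_b64 = data["ca.crt"]
    pem = base64.b64decode(ca_b64, validate=True)
    if not pem.lstrip().startswith(b"-----BEGIN CERTIFICATE-----"):
        raise ValueError("ca.crt does not decode to a PEM certificate")
    token = base64.b64decode(data["token"], validate=True).decode("ascii")
    if token.count(".") != 2:
        raise ValueError("token does not decode to a three-part JWT")
    if not server.startswith("https://"):
        raise ValueError("server must be an https:// URL")
    user = secret["metadata"]["annotations"]["kubernetes.io/service-account.name"]
    return {
        "apiVersion": "v1",
        "kind": "Config",
        "clusters": [{"name": cluster, "cluster": {
            "server": server,
            # Stays encoded: certificate-authority-data takes base64(PEM).
            "certificate-authority-data": ca_b64,
        }}],
        # Must be decoded: the token field takes the raw JWT.
        "users": [{"name": user, "user": {"token": token}}],
        "contexts": [{"name": user, "context": {"cluster": cluster, "user": user}}],
        "current-context": user,
    }


def sample_secret() -> dict:
    """Constructed stand-in for `kubectl get secret <name> -o json` output."""
    pem = b"-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
    jwt = b"aGVhZGVy.cGF5bG9hZA.c2lnbmF0dXJl"  # placeholder segments, not a real token
    return {
        "metadata": {"annotations": {"kubernetes.io/service-account.name": "admin"}},
        "data": {"ca.crt": base64.b64encode(pem).decode(),
                 "token": base64.b64encode(jwt).decode()},
    }


if __name__ == "__main__":
    # JSON is also valid YAML, the format kubeconfig files use.
    cfg = kubeconfig_from_secret(sample_secret(), "https://192.168.56.168:6443")
    print(json.dumps(cfg, indent=2))
```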

Summary: token encoding and decoding

# Note: the token shown here is the base64-decoded value
# kubectl -n kube-system describe secret admin-token-2qdsz
Name: admin-token-2qdsz
Namespace: kube-system
Labels: <none>
Annotations: kubernetes.io/service-account.name: admin
kubernetes.io/service-account.uid: 4fe95396-6de8-4097-9ff9-4232f0151c71

Type: kubernetes.io/service-account-token

Data
====
ca.crt: 1359 bytes
namespace: 11 bytes
token: eyJhbGciOiJSUzI1NiIsImtpZCI6Im9IQXYtZkpERlB0V0JHRnFwa2w1czR1Zzhja2lRWTU1cjhpWW1uaEo3cmsifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJhZG1pbi10b2tlbi0ycWRzeiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJhZG1pbiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjRmZTk1Mzk2LTZkZTgtNDA5Ny05ZmY5LTQyMzJmMDE1MWM3MSIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDprdWJlLXN5c3RlbTphZG1pbiJ9.Xsd8Oo4EYEe3eL4GQweDvnuEfsRoFF0O1RXo_HjACgsj8FMQtU2TdaBhaJk3p7Rvuc_gAz3FqJS9YOWHVlSQKqfL68RCEPfbqb-dXqnKuijFyUKD4NyhnQH42oMf9fWD0NuquhTlNASQSIXdl1WW0u0bY8cOxmQHOOIJvuHMeqLTLG3oQYSgdjdfhHUtrqF1EztORGQKYFoJEv0gZRnXhuUC30MNjVptKPPC8hEzGWaVkcMwTJVIYQ6IYWsoH3o9Z_kDveJpbiOwQO4bV39bfNuefuGZY2SoJTfnyz7ERdT7LZLZ153E14vFbxeaF-_ITD-7cSGqxLZNifv-fmSKzQ




# Note: the token shown here is the base64-decoded value
# kubectl -n kube-system get secret admin-token-2qdsz -o jsonpath={.data.token}|base64 -d
# kubectl -n kube-system get secret admin-token-2qdsz -o jsonpath={.data.token}|base64 --decode
eyJhbGciOiJSUzI1NiIsImtpZCI6Im9IQXYtZkpERlB0V0JHRnFwa2w1czR1Zzhja2lRWTU1cjhpWW1uaEo3cmsifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJhZG1pbi10b2tlbi0ycWRzeiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJhZG1pbiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjRmZTk1Mzk2LTZkZTgtNDA5Ny05ZmY5LTQyMzJmMDE1MWM3MSIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDprdWJlLXN5c3RlbTphZG1pbiJ9.Xsd8Oo4EYEe3eL4GQweDvnuEfsRoFF0O1RXo_HjACgsj8FMQtU2TdaBhaJk3p7Rvuc_gAz3FqJS9YOWHVlSQKqfL68RCEPfbqb-dXqnKuijFyUKD4NyhnQH42oMf9fWD0NuquhTlNASQSIXdl1WW0u0bY8cOxmQHOOIJvuHMeqLTLG3oQYSgdjdfhHUtrqF1EztORGQKYFoJEv0gZRnXhuUC30MNjVptKPPC8hEzGWaVkcMwTJVIYQ6IYWsoH3o9Z_kDveJpbiOwQO4bV39bfNuefuGZY2SoJTfnyz7ERdT7LZLZ153E14vFbxeaF-_ITD-7cSGqxLZNifv-fmSKzQ




# Note: the token shown here is the base64-encoded value
# kubectl -n kube-system get secret admin-token-2qdsz -o jsonpath={.data.token}
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

# Note: the token shown here is the base64-encoded value
# curl -X GET $APISERVER/api/v1/namespaces/kube-system/secrets/admin-token-2qdsz --header "Authorization: Bearer $TOKEN" --insecure
{
"kind": "Secret",
"apiVersion": "v1",
"metadata": {
"name": "admin-token-2qdsz",
"namespace": "kube-system",
"selfLink": "/api/v1/namespaces/kube-system/secrets/admin-token-2qdsz",
"uid": "41e80ab2-3840-4cde-bad8-cdad915bbcc9",
"resourceVersion": "2962635",
"creationTimestamp": "2022-05-07T03:41:41Z",
"annotations": {
"kubernetes.io/service-account.name": "admin",
"kubernetes.io/service-account.uid": "4fe95396-6de8-4097-9ff9-4232f0151c71"
},
"managedFields": [
{
"manager": "kube-controller-manager",
"operation": "Update",
"apiVersion": "v1",
"time": "2022-05-07T03:41:41Z",
"fieldsType": "FieldsV1",
"fieldsV1": {"f:data":{".":{},"f:ca.crt":{},"f:namespace":{},"f:token":{}},"f:metadata":{"f:annotations":{".":{},"f:kubernetes.io/service-account.name":{},"f:kubernetes.io/service-account.uid":{}}},"f:type":{}}
}
]
},
"data": {
"ca.crt": "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",
"namespace": "a3ViZS1zeXN0ZW0=",
"token": "ZXlKaGJHY2lPaUpTVXpJMU5pSXNJbXRwWkNJNkltOUlRWFl0WmtwRVJsQjBWMEpIUm5Gd2EydzFjelIxWnpoamEybFJXVFUxY2pocFdXMXVhRW8zY21zaWZRLmV5SnBjM01pT2lKcmRXSmxjbTVsZEdWekwzTmxjblpwWTJWaFkyTnZkVzUwSWl3aWEzVmlaWEp1WlhSbGN5NXBieTl6WlhKMmFXTmxZV05qYjNWdWRDOXVZVzFsYzNCaFkyVWlPaUpyZFdKbExYTjVjM1JsYlNJc0ltdDFZbVZ5Ym1WMFpYTXVhVzh2YzJWeWRtbGpaV0ZqWTI5MWJuUXZjMlZqY21WMExtNWhiV1VpT2lKaFpHMXBiaTEwYjJ0bGJpMHljV1J6ZWlJc0ltdDFZbVZ5Ym1WMFpYTXVhVzh2YzJWeWRtbGpaV0ZqWTI5MWJuUXZjMlZ5ZG1salpTMWhZMk52ZFc1MExtNWhiV1VpT2lKaFpHMXBiaUlzSW10MVltVnlibVYwWlhNdWFXOHZjMlZ5ZG1salpXRmpZMjkxYm5RdmMyVnlkbWxqWlMxaFkyTnZkVzUwTG5WcFpDSTZJalJtWlRrMU16azJMVFprWlRndE5EQTVOeTA1Wm1ZNUxUUXlNekptTURFMU1XTTNNU0lzSW5OMVlpSTZJbk41YzNSbGJUcHpaWEoyYVdObFlXTmpiM1Z1ZERwcmRXSmxMWE41YzNSbGJUcGhaRzFwYmlKOS5Yc2Q4T280RVlFZTNlTDRHUXdlRHZudUVmc1JvRkYwTzFSWG9fSGpBQ2dzajhGTVF0VTJUZGFCaGFKazNwN1J2dWNfZ0F6M0ZxSlM5WU9XSFZsU1FLcWZMNjhSQ0VQZmJxYi1kWHFuS3VpakZ5VUtENE55aG5RSDQyb01mOWZXRDBOdXF1aFRsTkFTUVNJWGRsMVdXMHUwYlk4Y094bVFIT09JSnZ1SE1lcUxUTEczb1FZU2dkamRmaEhVdHJxRjFFenRPUkdRS1lGb0pFdjBnWlJuWGh1VUMzME1OalZwdEtQUEM4aEV6R1dhVmtjTXdUSlZJWVE2SVlXc29IM285Wl9rRHZlSnBiaU93UU80YlYzOWJmTnVlZnVHWlkyU29KVGZueXo3RVJkVDdMWkxaMTUzRTE0dkZieGVhRi1fSVRELTdjU0dxeExaTmlmdi1mbVNLelE=" # base64-encoded
},
"type": "kubernetes.io/service-account-token"
}



http://example.com/2024/02/21/k8s/unsupported/【k8s系列】(改时间202205) k8s中的 secret token/
Author: ningan123
Published: February 21, 2024