参考 k8s使用ServiceAccount Token的方式访问apiserver
serviceaccounts (aka 'sa')
#查看所有账号
[root@docker176 kubernetes]# kubectl -n kube-system get sa
NAME SECRETS AGE
calico-cni-plugin 1 2d
calico-policy-controller 1 2d
default 1 124d
heapster 1 55d
kube-dns 1 2d
# 查看指定账号
kubectl -n kube-system get sa kube-dns
kubectl -n kube-system get sa kube-dns -o yaml
取得secrets
[root@docker176 ~]# kubectl -n kube-system get sa kube-dns -o yaml
apiVersion: v1
kind: ServiceAccount
metadata:
creationTimestamp: 2019-04-12T12:32:49Z
labels:
addonmanager.kubernetes.io/mode: Reconcile
kubernetes.io/cluster-service: "true"
name: kube-dns
namespace: kube-system
resourceVersion: "16174692"
selfLink: /api/v1/namespaces/kube-system/serviceaccounts/kube-dns
uid: 1557807a-5d1f-11e9-9df3-000c2938862c
secrets:
- name: kube-dns-token-rst6j
secrets值为kube-dns-token-rst6j
kubectl get secrets kube-dns-token-rst6j -n kube-system -oyaml
[root@docker176 kubernetes]# kubectl get secrets kube-dns-token-rst6j -n kube-system -oyaml
apiVersion: v1
data:
ca.crt: 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
namespace: a3ViZS1zeXN0ZW0=
token: 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
kind: Secret
metadata:
annotations:
kubernetes.io/service-account.name: kube-dns
kubernetes.io/service-account.uid: 1557807a-5d1f-11e9-9df3-000c2938862c
creationTimestamp: 2019-04-12T12:32:49Z
name: kube-dns-token-rst6j
namespace: kube-system
resourceVersion: "16174691"
selfLink: /api/v1/namespaces/kube-system/secrets/kube-dns-token-rst6j
uid: 155b7304-5d1f-11e9-9df3-000c2938862c
type: kubernetes.io/service-account-token
kubectl get secret kube-dns-token-rst6j -n kube-system -o jsonpath={".data.token"}
[root@docker176 kubernetes]# kubectl get secret kube-dns-token-rst6j -n kube-system -o jsonpath={".data.token"}
ZXlKaGJHY2lPaUpTVXpJMU5pSXNJblI1Y0NJNklrcFhWQ0o5LmV5SnBjM01pT2lKcmRXSmxjbTVsZEdWekwzTmxjblpwWTJWaFkyTnZkVzUwSWl3aWEzVmlaWEp1WlhSbGN5NXBieTl6WlhKMmFXTmxZV05qYjNWdWRDOXVZVzFsYzNCaFkyVWlPaUpyZFdKbExYTjVjM1JsYlNJc0ltdDFZbVZ5Ym1WMFpYTXVhVzh2YzJWeWRtbGpaV0ZqWTI5MWJuUXZjMlZqY21WMExtNWhiV1VpT2lKcmRXSmxMV1J1Y3kxMGIydGxiaTF5YzNRMmFpSXNJbXQxWW1WeWJtVjBaWE11YVc4dmMyVnlkbWxqWldGalkyOTFiblF2YzJWeWRtbGpaUzFoWTJOdmRXNTBMbTVoYldVaU9pSnJkV0psTFdSdWN5SXNJbXQxWW1WeWJtVjBaWE11YVc4dmMyVnlkbWxqWldGalkyOTFiblF2YzJWeWRtbGpaUzFoWTJOdmRXNTBMblZwWkNJNklqRTFOVGM0TURkaExUVmtNV1l0TVRGbE9TMDVaR1l6TFRBd01HTXlPVE00T0RZeVl5SXNJbk4xWWlJNkluTjVjM1JsYlRwelpYSjJhV05sWVdOamIzVnVkRHByZFdKbExYTjVjM1JsYlRwcmRXSmxMV1J1Y3lKOS5qSEFVNmEycEE0WWFKWDBDajJDMGZLR3RvUE8wdjRFLUpMN1A4eDA5amhTc3hvMTVYdEMtcS1zRWRVT1N6NE9ZYTl3TzNaWjRNZkNTak5DSnUxVGJsaml1REprMmZvUFdJb0hsTXZBUFY3ME5PVnY0Um1BdEpxZ0l1ZXF2LW1hRVFkb2lZN2syZW9BOFZIaHBVWGVmY3Q2TUE0WUplUjlpNkZtRzNzb2RjdWo5blU5TlhBeXhhbzV3U2RZMlBlWEtaQVZFS3pMZXRjb3YxSmZFSEZpNDFjc0dkbjEwRmdZUlNWVTE5ZlNWUzVDOGwzMGE1cXlCWVRCS3o1U1M0SjdUMFprQ0lPRDdaV3RMTnNMLXNHTThhRE12V1VwUW51d3ZQX3ZpcmFpR1cxU2xVLUVmc29jT1RjajVKRXctWEZXUzRtcklaNXM0T3BwNUhZSFU1Z2d2LVE=
kubectl get secret kube-dns-token-rst6j -n kube-system -o jsonpath={".data.token"}| base64 -d
[root@docker176 kubernetes]# kubectl get secret kube-dns-token-rst6j -n kube-system -o jsonpath={".data.token"}| base64 -d
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJrdWJlLWRucy10b2tlbi1yc3Q2aiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJrdWJlLWRucyIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjE1NTc4MDdhLTVkMWYtMTFlOS05ZGYzLTAwMGMyOTM4ODYyYyIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDprdWJlLXN5c3RlbTprdWJlLWRucyJ9.jHAU6a2pA4YaJX0Cj2C0fKGtoPO0v4E-JL7P8x09jhSsxo15XtC-q-sEdUOSz4OYa9wO3ZZ4MfCSjNCJu1TbljiuDJk2foPWIoHlMvAPV70NOVv4RmAtJqgIueqv-maEQdoiY7k2eoA8VHhpUXefct6MA4YJeR9i6FmG3sodcuj9nU9NXAyxao5wSdY2PeXKZAVEKzLetcov1JfEHFi41csGdn10FgYRSVU19fSVS5C8l30a5qyBYTBKz5SS4J7T0ZkCIOD7ZWtLNsL-sGM8aDMvWUpQnuwvP_viraiGW1SlU-EfsocOTcj5JEw-XFWS4mrIZ5s4Opp5HYHU5ggv-Q
kubectl -n kube-system get sa calico-policy-controller
[root@docker176 kubernetes]# kubectl -n kube-system get sa
NAME SECRETS AGE
calico-cni-plugin 1 2d
calico-policy-controller 1 2d
default 1 124d
heapster 1 55d
kube-dns 1 2d
[root@docker176 kubernetes]# kubectl -n kube-system get sa calico-policy-controller
NAME SECRETS AGE
calico-policy-controller 1 2d
kubectl -n kube-system get sa calico-policy-controller -o yaml
[root@docker176 kubernetes]# kubectl -n kube-system get sa calico-policy-controller -o yaml
apiVersion: v1
kind: ServiceAccount
metadata:
creationTimestamp: 2019-04-12T12:32:45Z
name: calico-policy-controller
namespace: kube-system
resourceVersion: "16174639"
selfLink: /api/v1/namespaces/kube-system/serviceaccounts/calico-policy-controller
uid: 12c2762f-5d1f-11e9-9df3-000c2938862c
secrets:
- name: calico-policy-controller-token-dd7k3
同kube-dns
kubectl get secrets calico-policy-controller-token-dd7k3 -n kube-system -oyaml
[root@docker176 kubernetes]# kubectl get secret calico-policy-controller-token-dd7k3 -n kube-system -o jsonpath={".data.token"}| base64 -d
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.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.jw75X2XsTnq_8zwd3YJb2hO_4N-78Zo7rmZSCQWSfABi22h6cFlih_ln8nkjlOEL2P_h10W-Zyt-VgmRJsdQTQjELhgLfuh47OCuyRSL_kGosfjbhtXt4QzDM_Svr2mzSpWVbIE68qzh4YUkYGW6aHCrhWW5W-t-dPjGyjJOglG-Xmm1jwFZe_xDKRKOqXzivrYXHJ0Uqcyb_aWQgHBf3gAHSI9OCiGa5_ZykFVOqSo69cY4xL2XOpOcXDVj767qbsi0isICX7vWhHsnaG2KzhlDM3LIAS4AQqWY_fbctSV-jjsBWgBYZgon2xAQqOMmi4xvft_Uk6uEWT4ZKOn7MA
查看容器
[root@docker176 ~]# docker ps|grep calico
796243554da4 192.168.14.171:5000/calico/kube-policy-controller@sha256:1ca4ccddb3cc3e57e3d8c1fe5d7236ca50250d0a274b0bc3d88ad6ce25cab73e "/dist/controller" 2 days ago Up 2 days k8s_calico-policy-controller_calico-policy-controller-2698340612-8hksd_kube-system_13650ec9-5d1f-11e9-9df3-000c2938862c_0
进入容器中token所在目录
docker exec -it 796243554da4 sh
#或者
docker exec -it `docker ps |grep k8s_calico-policy-controller | awk '{print $1}'` sh
# 进入token所在目录
cd /var/run/secrets/kubernetes.io/serviceaccount
/var/run/secrets/kubernetes.io/serviceaccount # ls
ca.crt namespace token
查看token（在该目录下执行 cat token）
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.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.jw75X2XsTnq_8zwd3YJb2hO_4N-78Zo7rmZSCQWSfABi22h6cFlih_ln8nkjlOEL2P_h10W-Zyt-VgmRJsdQTQjELhgLfuh47OCuyRSL_kGosfjbhtXt4QzDM_Svr2mzSpWVbIE68qzh4YUkYGW6aHCrhWW5W-t-dPjGyjJOglG-Xmm1jwFZe_xDKRKOqXzivrYXHJ0Uqcyb_aWQgHBf3gAHSI9OCiGa5_ZykFVOqSo69cY4xL2XOpOcXDVj767qbsi0isICX7vWhHsnaG2KzhlDM3LIAS4AQqWY_fbctSV-jjsBWgBYZgon2xAQqOMmi4xvft_Uk6uEWT4ZKOn7MA
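对比：容器内挂载的token与前面用kubectl从Secret中解码得到的token一致。
注意：这种基于Secret的ServiceAccount token，其JWT载荷（第二段）base64解码后只有iss、sub以及ServiceAccount相关字段，没有exp字段，即不会自动过期；只有删除对应的Secret或ServiceAccount后才会失效，应按长期凭据对待。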
高可用master使用Keepalived设置VIP
master主机
192.168.14.175
192.168.14.176
192.168.14.235(VIP)
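curl -k -H "Authorization: Bearer ${token}" https://192.168.14.176:6443/api
（${token} 为上面解码得到的token，需用双引号才会被shell展开。-k 会跳过对apiserver证书的校验；若证书的SAN包含所访问的地址，可改用 --cacert ca.crt（即上面目录中的ca.crt）来校验服务端证书。）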
以下请求都有返回信息，说明token通过了apiserver的认证，可以正常访问k8s api（/api 只是发现接口，返回成功只说明认证通过，不代表该账号对其他资源有权限）
[root@docker176 ~]# curl -k -H 'Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJjYWxpY28tcG9saWN5LWNvbnRyb2xsZXItdG9rZW4tZGQ3azMiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiY2FsaWNvLXBvbGljeS1jb250cm9sbGVyIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiMTJjMjc2MmYtNWQxZi0xMWU5LTlkZjMtMDAwYzI5Mzg4NjJjIiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50Omt1YmUtc3lzdGVtOmNhbGljby1wb2xpY3ktY29udHJvbGxlciJ9.jw75X2XsTnq_8zwd3YJb2hO_4N-78Zo7rmZSCQWSfABi22h6cFlih_ln8nkjlOEL2P_h10W-Zyt-VgmRJsdQTQjELhgLfuh47OCuyRSL_kGosfjbhtXt4QzDM_Svr2mzSpWVbIE68qzh4YUkYGW6aHCrhWW5W-t-dPjGyjJOglG-Xmm1jwFZe_xDKRKOqXzivrYXHJ0Uqcyb_aWQgHBf3gAHSI9OCiGa5_ZykFVOqSo69cY4xL2XOpOcXDVj767qbsi0isICX7vWhHsnaG2KzhlDM3LIAS4AQqWY_fbctSV-jjsBWgBYZgon2xAQqOMmi4xvft_Uk6uEWT4ZKOn7MA' https://192.168.14.176:6443/api
{
"kind": "APIVersions",
"versions": [
"v1"
],
"serverAddressByClientCIDRs": [
{
"clientCIDR": "0.0.0.0/0",
"serverAddress": "192.168.14.176:6443"
}
]
}[root@docker176 ~]# curl -k -H 'Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.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.jw75X2XsTnq_8zwd3YJb2hO_4N-78Zo7rmZSCQWSfABi22h6cFlih_ln8nkjlOEL2P_h10W-Zyt-VgmRJsdQTQjELhgLfuh47OCuyRSL_kGosfjbhtXt4QzDM_Svr2mzSpWVbIE68qzh4YUkYGW6aHCrhWW5W-t-dPjGyjJOglG-Xmm1jwFZe_xDKRKOqXzivrYXHJ0Uqcyb_aWQgHBf3gAHSI9OCiGa5_ZykFVOqSo69cY4xL2XOpOcXDVj767qbsi0isICX7vWhHsnaG2KzhlDM3LIAS4AQqWY_fbctSV-jjsBWgBYZgon2xAQqOMmi4xvft_Uk6uEWT4ZKOn7MA' https://192.168.14.175:6443/api
{
"kind": "APIVersions",
"versions": [
"v1"
],
"serverAddressByClientCIDRs": [
{
"clientCIDR": "0.0.0.0/0",
"serverAddress": "192.168.14.175:6443"
}
]
}[root@docker176 ~]# curl -k -H 'Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.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.jw75X2XsTnq_8zwd3YJb2hO_4N-78Zo7rmZSCQWSfABi22h6cFlih_ln8nkjlOEL2P_h10W-Zyt-VgmRJsdQTQjELhgLfuh47OCuyRSL_kGosfjbhtXt4QzDM_Svr2mzSpWVbIE68qzh4YUkYGW6aHCrhWW5W-t-dPjGyjJOglG-Xmm1jwFZe_xDKRKOqXzivrYXHJ0Uqcyb_aWQgHBf3gAHSI9OCiGa5_ZykFVOqSo69cY4xL2XOpOcXDVj767qbsi0isICX7vWhHsnaG2KzhlDM3LIAS4AQqWY_fbctSV-jjsBWgBYZgon2xAQqOMmi4xvft_Uk6uEWT4ZKOn7MA' https://192.168.14.235:6443/api
{
"kind": "APIVersions",
"versions": [
"v1"
],
"serverAddressByClientCIDRs": [
{
"clientCIDR": "0.0.0.0/0",
"serverAddress": "192.168.14.176:6443"
}
]
}
/etc/cni/net.d
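存放cni相关配置文件的目录，配置文件为10-calico.conf。
该文件的 k8s_auth_token 字段以明文保存了ServiceAccount token，而下面 ll 的输出显示其权限为 -rw-rw-r--（所有用户可读），建议收紧为仅root可读（如 chmod 600）。
配置文件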
[root@docker176 ~]# cd /etc/cni/net.d; cat 10-calico.conf
{
"name": "k8s-pod-network",
"cniVersion": "0.1.0",
"type": "calico",
"etcd_endpoints": "http://192.168.14.175:2379,http://192.168.14.176:2379",
"log_level": "info",
"ipam": {
"type": "calico-ipam"
},
"policy": {
"type": "k8s",
"k8s_api_root": "https://10.254.0.1:443",
"k8s_auth_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.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.VtyfKi39LKcx8Piy0x0cfa5bUxkEn1BhMYzAn_3BaZTma_nOjTMCrAHdqR1wCidH9__U43nKWRhM8qpBhc2OPp30VGFdMt25oJcCF5jcZKzbxvPt0HXKOgOeTctwgatnwsfEBtVarM1V_l9fQswinZbUHSjCCnYsVd1HMoeBOE6Gtxa14kz68wcbK9RFTHrxgo5cdtXxO7JFKRmR5GpmL0Xa2KjuWvY8H-6jSNVv-b-o5SjurV6Ha7Zysibpb8gLr86-QacMPnwP56Y9rBgxmGymUMXTJjXTXmKTY3G_Ha-CXk4Phrf9x58jVu48IHEFhzlnn6m_Kw6nGNEs-32IYw"
},
"kubernetes": {
"kubeconfig": "/etc/cni/net.d/calico-kubeconfig"
}
}
[root@docker176 net.d]# ll
total 8
-rw-rw-r-- 1 root root 1345 Apr 12 20:32 10-calico.conf
-rw-r--r-- 1 root root 273 Apr 12 20:32 calico-kubeconfig
[root@docker176 net.d]# cat calico-kubeconfig
# Kubeconfig file for Calico CNI plugin.
apiVersion: v1
kind: Config
clusters:
- name: local
cluster:
insecure-skip-tls-verify: true
users:
- name: calico
contexts:
- name: calico-context
context:
cluster: local
user: calico
current-context: calico-context
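使用10-calico.conf中的k8s_auth_token请求k8s内部地址（即k8s_api_root：https://10.254.0.1:443）
注意：上面calico-kubeconfig中的 insecure-skip-tls-verify: true 与这里的 curl -k 一样，都不校验apiserver证书。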
[root@docker176 net.d]# curl -k -H 'Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.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.VtyfKi39LKcx8Piy0x0cfa5bUxkEn1BhMYzAn_3BaZTma_nOjTMCrAHdqR1wCidH9__U43nKWRhM8qpBhc2OPp30VGFdMt25oJcCF5jcZKzbxvPt0HXKOgOeTctwgatnwsfEBtVarM1V_l9fQswinZbUHSjCCnYsVd1HMoeBOE6Gtxa14kz68wcbK9RFTHrxgo5cdtXxO7JFKRmR5GpmL0Xa2KjuWvY8H-6jSNVv-b-o5SjurV6Ha7Zysibpb8gLr86-QacMPnwP56Y9rBgxmGymUMXTJjXTXmKTY3G_Ha-CXk4Phrf9x58jVu48IHEFhzlnn6m_Kw6nGNEs-32IYw' https://10.254.0.1:443/api
{
"kind": "APIVersions",
"versions": [
"v1"
],
"serverAddressByClientCIDRs": [
{
"clientCIDR": "0.0.0.0/0",
"serverAddress": "192.168.14.176:6443"
}
]