我想以限制权限(list/watch/get、configmaps/services)访问 pod,所以我为 pod 创建了一个 ServiceAccount。
当我使用默认配置时
Config config = new ConfigBuilder().withMasterUrl("http://127.0.0.1:8080")
.build();
我好像用默认的ServiceAccount访问k8s
当我使用 ServiceAccount 机密时
Config config = new ConfigBuilder().withMasterUrl("http://127.0.0.1:8000")
.withTrustCerts(true)
.withOauthToken(token)//get from minikube dashboard secret token
.build();
角色配置
# kubectl get roles fullname -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
annotations:
kubectl.kubernetes.io/last-applied-configuration: |
{"apiVersion":"rbac.authorization.k8s.io/v1beta1","kind":"Role","metadata":{"annotations":{},"labels":{"chart":"chart","release":"release"},"name":"fullname","namespace":"default"},"rules":[{"apiGroups":[""],"resources":["configmaps","services"],"verbs":["watch","list","get"]}]}
creationTimestamp: "2020-12-21T01:47:46Z"
labels:
chart: chart
release: release
managedFields:
- apiVersion: rbac.authorization.k8s.io/v1beta1
fieldsType: FieldsV1
fieldsV1:
f:metadata:
f:annotations:
.: {}
f:kubectl.kubernetes.io/last-applied-configuration: {}
f:labels:
.: {}
f:chart: {}
f:release: {}
f:rules: {}
manager: kubectl-client-side-apply
operation: Update
time: "2020-12-21T02:34:19Z"
name: fullname
namespace: default
resourceVersion: "44766"
selfLink: /apis/rbac.authorization.k8s.io/v1/namespaces/default/roles/fullname
uid: 81cfe685-f629-400d-828a-7869847249d4
rules:
- apiGroups:
- ""
resources:
- configmaps
- services
verbs:
- watch
- list
- get
当我调用函数时
public static String getCRD(){
return kubernetesClient.customResourceDefinitions().list().toString();
}
我仍然可以得到结果
那么我怎样才能通过serviceaccount限制的权限访问k8s