我想在 Kubernetes 中使用令牌创建服务帐户。我试过这个:
完整日志:
root@vmi1026661:~# ^C
root@vmi1026661:~# kubectl create sa cicd
serviceaccount/cicd created
root@vmi1026661:~# kubectl get sa,secret
NAME SECRETS AGE
serviceaccount/cicd 0 5s
serviceaccount/default 0 16d
NAME TYPE DATA AGE
secret/repo-docker-registry-secret Opaque 3 16d
secret/sh.helm.release.v1.repo.v1 helm.sh/release.v1 1 16d
root@vmi1026661:~# cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Pod
metadata:
name: cicd
spec:
serviceAccount: cicd
containers:
- image: nginx
name: cicd
EOF
pod/cicd created
root@vmi1026661:~# kubectl exec cicd cat /run/secrets/kubernetes.io/serviceaccount/token && echo
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
error: unable to upgrade connection: container not found ("cicd")
root@vmi1026661:~# kubectl exec cicd cat /run/secrets/kubernetes.io/serviceaccount/token && echo
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
error: unable to upgrade connection: container not found ("cicd")
root@vmi1026661:~# kubectl create token cicd
eyJhbGciOiJSUzI1NiIsImtpZCI6IlUyQzNBcmx3RFhBeGdWRjlibEtfZkRPMC12Z0RpU1BHYjFLaWN3akViVVUifQ.eyJhdWQiOlsiaHR0cHM6Ly9rdWJlcm5ldGVzLmRlZmF1bHQuc3ZjLmNsdXN0ZXIubG9jY WwiXSwiZXhwIjoxNjY2NzkyNTIxLCJpYXQiOjE2NjY3ODg5MjEsImlzcyI6Imh0dHBzOi8va3ViZXJuZ XRlcy5kZWZhdWx0LnN2Yy5jbHVzdGVyLmxvY2FsIiwia3ViZXJuZXRlcy5pbyI6eyJuYW1lc3BhY2UiO iJkZWZhdWx0Iiwic2VydmljZWFjY291bnQiOnsibmFtZSI6ImNpY2QiLCJ1aWQiOiI3ODhmNzUwMS0xZ WFjLTQ0YzktOWQ3Ni03ZjVlN2FlM2Q4NzIifX0sIm5iZiI6MTY2Njc4ODkyMSwic3ViIjoic3lzdGVtO nNlcnZpY2VhY2NvdW50OmRlZmF1bHQ6Y2ljZCJ9.iBkpVDQ_w_UZmbr3PnpouwtQlLz9FzJs_cJ7IYbY WUphBM4NO4o8gPgBfnHGPG3uFVbEDbgdY2TsuxHKss0FosiCdjYBiLn8dp_SQd1Rdk0TMYGCLAOWRgZE XjpmXMLBcHtC5TexJY-bIpvw7Ni4Xls5XPbGpfqL_fcPuUQR3Gurkmk7gPSly77jRKSaF-kzj0oq78MPtwHu92g5hnIZs7ZLaMLzo9EvDRT092RVZXiVF0FkmflnUPNiyKxainrfvWTiTAlYSZreX6JfGjimklTAKCue4w9CqWZGNyGGumqH02ucMQ
xjAiHS6J_Goxyaho8QEvFsEhkVqNFndzbw
root@vmi1026661:~# kubectl create token cicd --duration=999999h
eyJhbGciOiJSUzI1NiIsImtpZCI6IlUyQzNBcmx3RFhBeGdWRjlibEtfZkRPMC12Z0RpU1BHYjFLaWN3akViVVUifQ.eyJhdWQiOlsiaHR0cHM6Ly9rdWJlcm5ldGVzLmRlZmF1bHQuc3ZjLmNsdXN0ZXIubG9jY WwiXSwiZXhwIjo1MjY2Nzg1MzI2LCJpYXQiOjE2NjY3ODg5MjYsImlzcyI6Imh0dHBzOi8va3ViZXJuZ XRlcy5kZWZhdWx0LnN2Yy5jbHVzdGVyLmxvY2FsIiwia3ViZXJuZXRlcy5pbyI6eyJuYW1lc3BhY2UiO iJkZWZhdWx0Iiwic2VydmljZWFjY291bnQiOnsibmFtZSI6ImNpY2QiLCJ1aWQiOiI3ODhmNzUwMS0xZ WFjLTQ0YzktOWQ3Ni03ZjVlN2FlM2Q4NzIifX0sIm5iZiI6MTY2Njc4ODkyNiwic3ViIjoic3lzdGVtO nNlcnZpY2VhY2NvdW50OmRlZmF1bHQ6Y2ljZCJ9.N1V7i0AgW3DihJDWcGbM0kDvFH_nWodPlqZjLSHM KvaRAfmujOxSk084mrmjkZwIzWGanA6pkTQHiBIAGh8UhR7ijo4J6S58I-5Dj4gu2UWVOpaBzDBrKqBD SapFw9PjKpZYCHjsXTCzx6Df8q-bAEk_lpc0CsfpbXQl2jpJm3TTtQp1GKuIc53k5VKz9ON8MXcHY8lEfNs78ew8GiaoX6M4_5LmjSNVMHtyRy-Z_oIH9yK8LcHLxh0wqMS7RyW9UKN_9-qH1h01NwrFFOQWpbstFVuQKAnI-RyNEZDc9FZMNwYd_n
MwaKv54oNLx4TniOSOWxS7ZcEyP5b7U8mgBw
root@vmi1026661:~# cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Secret
type: kubernetes.io/service-account-token
metadata:
name: cicd
annotations:
kubernetes.io/service-account.name: "cicd"
EOF
secret/cicd created
root@vmi1026661:~# cat <<EOF | kubectl apply -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: ClusterRoleBind
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: ServiceAccount
name: cicd
namespace: default
EOF
clusterrolebinding.rbac.authorization.k8s.io/ClusterRoleBind created
root@vmi1026661:~# kubectl get sa,secret
NAME SECRETS AGE
serviceaccount/cicd 0 60s
serviceaccount/default 0 16d
NAME TYPE DATA AGE
secret/cicd kubernetes.io/service-account-token 3 12s
secret/repo-docker-registry-secret Opaque 3 16d
secret/sh.helm.release.v1.repo.v1 helm.sh/release.v1 1 16d
root@vmi1026661:~# kubectl describe secret cicd
Name: cicd
Namespace: default
Labels: <none>
Annotations: kubernetes.io/service-account.name: cicd
kubernetes.io/service-account.uid: 788f7501-1eac-44c9-9d76-7f5e7ae3d872
Type: kubernetes.io/service-account-token
Data
====
ca.crt: 1099 bytes
namespace: 7 bytes
token: eyJhbGciOiJSUzI1NiIsImtpZCI6IlUyQzNBcmx3RFhBeGdWRjlibEtfZkRPMC12Z0RpU1BHYjFLaWN3akViVVUifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZ XRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZ XJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImNpY2QiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2Nvd W50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiY2ljZCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291b nQvc2VydmljZS1hY2NvdW50LnVpZCI6Ijc4OGY3NTAxLTFlYWMtNDRjOS05ZDc2LTdmNWU3YWUzZDg3M iIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpkZWZhdWx0OmNpY2QifQ.Uqpr96YyYgdCHQ-GLP lDMYgF_kzO7LV5B92voDjIPlXa_IQxAL9BdQyFAQmSRS71tLxbm9dvQt8h6mCsfPE_-ixgcpStuNcPtw GLAvVqrALVW5Qb9e2o1oraMq2w9s1mNSF-J4UaaKvaWJY_2X7pYgSdiiWp7AZg6ygMsJEjVWg2-dLroM-lp1VDMZB_lJPjZ90-lkbsnxh7f_zUeI8GqSBXcomootRmDOZyCywFAeBeWqkLTb149VNPJpYege4nH7A1ASWg-_rCfxvrq_92V2vGFBSvQ
T6-uzl_pOLZ452rZmCsd5fkOY17sbXXCOcesnQEQdRlw4-GENDcv7IA
root@vmi1026661:~# kubectl describe sa cicd
Name: cicd
Namespace: default
Labels: <none>
Annotations: <none>
Image pull secrets: <none>
Mountable secrets: <none>
Tokens: cicd
Events: <none>
root@vmi1026661:~# kubectl get sa cicd -oyaml
apiVersion: v1
kind: ServiceAccount
metadata:
creationTimestamp: "2022-10-26T12:54:45Z"
name: cicd
namespace: default
resourceVersion: "2206462"
uid: 788f7501-1eac-44c9-9d76-7f5e7ae3d872
root@vmi1026661:~# kubectl get sa,secret
NAME SECRETS AGE
serviceaccount/cicd 0 82s
serviceaccount/default 0 16d
NAME TYPE DATA AGE
secret/cicd kubernetes.io/service-account-token 3 34s
secret/repo-docker-registry-secret Opaque 3 16d
secret/sh.helm.release.v1.repo.v1 helm.sh/release.v1 1 16d
root@vmi1026661:~# ^C
root@vmi1026661:~# kubectl describe secret cicd
Name: cicd
Namespace: default
Labels: <none>
Annotations: kubernetes.io/service-account.name: cicd
kubernetes.io/service-account.uid: 788f7501-1eac-44c9-9d76-7f5e7ae3d872
Type: kubernetes.io/service-account-token
Data
====
ca.crt: 1099 bytes
namespace: 7 bytes
token: eyJhbGciOiJSUzI1NiIsImtpZCI6IlUyQzNBcmx3RFhBeGdWRjlibEtfZkRPMC12Z0RpU1BHYjFLaWN3akViVVUifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW5
0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImNpY2QiLCJrdWJlc
m5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiY2ljZCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6Ijc4OG
Y3NTAxLTFlYWMtNDRjOS05ZDc2LTdmNWU3YWUzZDg3MiIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpkZWZhdWx0OmNpY2QifQ.Uqpr96YyYgdCHQ-GLPlDMYgF_kzO7LV5-02voDjIP
lXa_IQxAL9BdQyFAQmSRS71tLxbm9dvQt8h6mCsfPE_-ixgcpStuNcPtwGLAvVqrALVW5Qb9e2o1oraMq2w9s1mNSF-J4UaaKvaWJY_2X7pYgSdiiWp7AZg6ygMsJEjVWg2-dLroM-lp1VDMZ
B_lJPjZ9DtBblkbsnxh7f_zUeI8GqSBXcomootRmDOZyCywFAeBeWqkLTb149VNPJpYege4nH7A1ASWg-_rCfxvrq_92V2vGFBSvQT6-uzl_pOLZ452rZmCsd5fkOY17sbXXCOcesnQEQdRlw4-GENDcv7IA
root@vmi1026661:~#
root@vmi1026661:~#
如你所见,我收到错误:
root@vmi1026661:~# kubectl exec cicd cat /run/secrets/kubernetes.io/serviceaccount/token && echo
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
error: unable to upgrade connection: container not found ("cicd")
root@vmi1026661:~# kubectl exec cicd cat /run/secrets/kubernetes.io/serviceaccount/token && echo
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
error: unable to upgrade connection: container not found ("cicd")
root@vmi1026661:~# kubectl create token cicd
您知道完成此步骤的适当命令应该是什么吗?
编辑:这是故障排除的结果
root@vmi1026661:~# kubectl get pods
NAME READY STATUS RESTARTS AGE
cicd 1/1 Running 0 67m
repo-docker-registry-78d6c5bdb5-r68jb 0/1 Pending 0 16d
root@vmi1026661:~# kubectl describe pod cicd
Name: cicd
Namespace: default
Priority: 0
Service Account: cicd
Node: vmi1026660/38.242.240.39
Start Time: Wed, 26 Oct 2022 14:54:57 +0200
Labels: <none>
Annotations: <none>
Status: Running
IP: 10.244.1.13
IPs:
IP: 10.244.1.13
Containers:
cicd:
Container ID: containerd://ab44fc463f97316ba807efce0c82e276cf06326e1d03846c1f6186484ff9fcbb
Image: nginx
Image ID: docker.io/library/nginx@sha256:47a8d86548c232e44625d813b45fd92e81d07c639092cd1f9a49d98e1fb5f737
Port: <none>
Host Port: <none>
State: Running
Started: Wed, 26 Oct 2022 14:55:22 +0200
Ready: True
Restart Count: 0
Environment: <none>
Mounts:
/var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-xggpn (ro)
Conditions:
Type Status
Initialized True
Ready True
ContainersReady True
PodScheduled True
Volumes:
kube-api-access-xggpn:
Type: Projected (a volume that contains injected data from multiple sources)
TokenExpirationSeconds: 3607
ConfigMapName: kube-root-ca.crt
ConfigMapOptional: <nil>
DownwardAPI: true
QoS Class: BestEffort
Node-Selectors: <none>
Tolerations: node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
Events: <none>
root@vmi1026661:~#
小智 8
您可以通过以下方式完成所需的命令:
# Run from the workstation: open an interactive shell in the pod's container.
# -i keeps stdin open and -t allocates a TTY; everything after "--" is the
# command executed inside the container (the non-deprecated form that the
# kubectl warning asks for: kubectl exec [POD] -- [COMMAND]).
kubectl exec -it <POD_NAME> -c <CONTAINER_NAME> -- /bin/bash
# Run at the shell prompt inside the container: print the service-account
# token mounted into the pod; the trailing echo only adds a newline.
cat /run/secrets/kubernetes.io/serviceaccount/token && echo
注意:如果您的 Pod 中只有 1 个容器,则可以省略-c <CONTAINER_NAME>
-it 是 stdin 和 tty 的缩写 -> 这是你的 [COMMAND]
这里的 /bin/bash 是一个参数,你可以传递多个
-- 用于分隔您想要传递的参数(即 kubectl exec [POD] -- [COMMAND] 中 -- 之后的部分)
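运行第一个命令后,您将进入 bash shell,并且可以在容器内运行任何其他命令。问题中的 "container not found" 错误很可能是因为 exec 是在 Pod 刚创建、容器尚未启动时执行的(describe 输出显示容器在 Pod 启动约 25 秒后才开始运行);可以先用 kubectl wait --for=condition=Ready pod/cicd 等待 Pod 就绪再执行 exec。还要注意,Pod 内挂载的是会过期的投射令牌(TokenExpirationSeconds: 3607),而 kubernetes.io/service-account-token 类型 Secret 中的令牌不会过期;由于该服务帐户绑定了 cluster-admin,这些令牌都等同于集群管理员凭据。CI/CD 更适合使用 kubectl create token 签发的短期令牌,并绑定仅含所需权限的 Role;已经公开粘贴过的令牌应当作废(删除对应的 Secret 或重建服务帐户)。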