Openshift Admin Token

青春壹個敷衍的年華 提交于 2020-02-06 07:34:08

问题


I am trying to create a script that records project resources every 15 minutes. How do I authenticate with Openshift API? Is there a token I can use that has read access on all namespaces? How do I create a service account that has access over all namespaces?


回答1:


You'll need to create a ClusterRole that has read access to the resources and use ClusterRoleBinding to associate the ServiceAccount to that ClusterRole. Rough example, not tested but it should work:

# creates the service account "ns-reader"
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ns-reader
  namespace: default

---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  # "namespace" omitted since ClusterRoles are not namespaced
  name: global-reader
rules:
- apiGroups: [""]
  # add other rescources you wish to read
  resources: ["pods", "secrets"] 
  verbs: ["get", "watch", "list"]

---
# This cluster role binding allows service account "ns-reader" to read pods in all available namespace
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-ns
subjects:
- kind: ServiceAccount
  name: ns-reader
  namespace: default
roleRef:
  kind: ClusterRole
  name: global-reader
  apiGroup: rbac.authorization.k8s.io

When the ServiceAccount is setup, a number of secrets are created automatically associated with it. A couple of these secrets hold a token which can then be used when using the REST API directly or using oc. Use oc describe on the ServiceAccount to see the names of the Secret for the tokens. Then use oc describe on one of the Secrets to see the token.



来源:https://stackoverflow.com/questions/49667239/openshift-admin-token

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!