以下通过现有的admin权限kubeconfig文件生成可用于Bearer Token验证的内容。

note

以下方式生成的Bearer Token是长期有效的，请妥善保管。

1. 创建ServiceAccount和相关资源

其中的命名空间kube-system可根据需要调整。

# serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin-token-user
  namespace: kube-system
---
apiVersion: v1
kind: Secret
metadata:
  name: admin-token-user-secret
  namespace: kube-system
  annotations:
    kubernetes.io/service-account.name: admin-token-user
type: kubernetes.io/service-account-token
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin-token-user-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: admin-token-user
  namespace: kube-system

2. 应用配置并获取Token

# 应用配置
kubectl apply -f serviceaccount.yaml

# 获取Token
TOKEN=$(kubectl get secret admin-token-user-secret -n kube-system -o jsonpath='{.data.token}' | base64 -d)

# 获取集群CA证书
CA_CERT=$(kubectl get secret admin-token-user-secret -n kube-system -o jsonpath='{.data.ca\.crt}')

# 获取API Server地址（从现有kubeconfig中提取）
API_SERVER=$(kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}')

echo "Token: $TOKEN"
echo "API Server: $API_SERVER"

3. 生成新的kubeconfig文件

# 创建新的kubeconfig文件
cat > kubeconfig-bearer-token.yaml << EOF
apiVersion: v1
kind: Config
clusters:
- cluster:
    certificate-authority-data: $CA_CERT
    server: $API_SERVER
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: admin-token-user
  name: admin-token-user@kubernetes
current-context: admin-token-user@kubernetes
users:
- name: admin-token-user
  user:
    token: $TOKEN
EOF

4. 验证生成的Bearer Token kubeconfig

# 使用新的kubeconfig测试连接
export KUBECONFIG=kubeconfig-bearer-token.yaml

# 测试集群访问
kubectl cluster-info

# 测试权限
kubectl auth can-i "*" "*" --all-namespaces

# 测试获取节点信息
kubectl get nodes

5. 使用curl验证Bearer Token

curl -k -H "Authorization: Bearer $TOKEN" \
     -H "Content-Type: application/json" \
     $API_SERVER/api/v1/nodes