Openshift Admin Token

2019-08-16 16:15发布

问题:

I am trying to create a script that records project resources every 15 minutes. How do I authenticate with Openshift API? Is there a token I can use that has read access on all namespaces? How do I create a service account that has access over all namespaces?

回答1:

You'll need to create a ClusterRole that has read access to the resources and use ClusterRoleBinding to associate the ServiceAccount to that ClusterRole. Rough example, not tested but it should work:

# creates the service account "ns-reader"
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ns-reader
  namespace: default

---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  # "namespace" omitted since ClusterRoles are not namespaced
  name: global-reader
rules:
- apiGroups: [""]
  # add other rescources you wish to read
  resources: ["pods", "secrets"] 
  verbs: ["get", "watch", "list"]

---
# This cluster role binding allows service account "ns-reader" to read pods in all available namespace
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-ns
subjects:
- kind: ServiceAccount
  name: ns-reader
  namespace: default
roleRef:
  kind: ClusterRole
  name: global-reader
  apiGroup: rbac.authorization.k8s.io

When the ServiceAccount is setup, a number of secrets are created automatically associated with it. A couple of these secrets hold a token which can then be used when using the REST API directly or using oc. Use oc describe on the ServiceAccount to see the names of the Secret for the tokens. Then use oc describe on one of the Secrets to see the token.