$ kubectl create serviceaccount deployer
$ export SA_NAME=$(kubectl get sa deployer -o jsonpath="{.secrets[*]['name']}")
$ export SA_TOKEN=$(kubectl get secret $SA_NAME -o jsonpath="{.data.token}" | base64 --decode)
$ export SA_CA_CRT=$(kubectl get secret $SA_NAME -o jsonpath="{.data.ca\.crt}" | base64 --decode)
Send the token as Authorization: Bearer <SA_TOKEN> in REST API requests from an external client, and use SA_CA_CRT as the CA bundle to verify the API server's TLS certificate. On Kubernetes 1.24 and later a service account no longer gets an auto-created token Secret, so the jsonpath above returns nothing; request a short-lived token with kubectl create token deployer instead.
The cluster signer for client certificates is not enabled by default in Rancher-provisioned (RKE) clusters; service accounts authenticate with JWT tokens instead, as shown above. To enable it, add these extra_args for kube-controller to the cluster YAML configuration:
services:
  kube-controller:
    extra_args:
      cluster-signing-cert-file: /etc/kubernetes/ssl/kube-ca.pem
      cluster-signing-key-file: /etc/kubernetes/ssl/kube-ca-key.pem
$ cat <<EOF | kubectl apply -f -
apiVersion: certificates.k8s.io/v1beta1   # removed in Kubernetes 1.22; the v1 API requires spec.signerName
kind: CertificateSigningRequest
metadata:
  name: my-client-cert
spec:
  groups:
  - system:authenticated
  request: <BASE64_CSR>   # PEM-encoded CSR, base64 on a single line (no wrapping)
  usages:
  - digital signature
  - key encipherment
  - server auth   # not needed for API authentication; client auth is sufficient
  - client auth
EOF
$ kubectl certificate approve my-client-cert
$ kubectl get csr my-client-cert -o jsonpath='{.status.certificate}' | base64 --decode
Note that service account tokens and client certificates are authenticated only by the downstream cluster's API server (the Authorized Cluster Endpoint). To authenticate against the central Rancher management endpoint, you need a Rancher-managed API token. Also, the CN and O fields of the CSR subject become the user name and groups that RBAC sees, so bind a Role or ClusterRole to them before the certificate is of any use.
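The two procedures above (service account bearer token, and CSR-based client certificate) carried through end to end, as an added example that is not part of the original page or of Rancher's own tooling. It assumes openssl and kubectl on PATH, a KUBECONFIG pointing at the downstream cluster, and an environment variable K8S_API holding the Authorized Cluster Endpoint URL; the user name jane, group dev and CSR name jane-client are placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the original page or Rancher). Assumes openssl and
# kubectl on PATH, KUBECONFIG for the downstream cluster, and K8S_API set to
# the Authorized Cluster Endpoint URL. "jane", "dev", "jane-client" are
# placeholder names.
set -eu

# Print a service-account bearer token. Pre-1.24 clusters auto-create a token
# Secret; 1.24+ do not, so fall back to a short-lived TokenRequest token.
sa_token() {
  sa=$1
  secret=$(kubectl get sa "$sa" -o jsonpath='{.secrets[0].name}')
  if [ -n "$secret" ]; then
    kubectl get secret "$secret" -o jsonpath='{.data.token}' | base64 --decode
  else
    kubectl create token "$sa" --duration=1h
  fi
}

# Create an RSA key and a CSR. CN becomes the Kubernetes user name and O the
# group, which is what RBAC bindings refer to. Writes <dir>/<cn>.key and .csr.
gen_csr() {
  dir=$1; cn=$2; org=$3
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$dir/$cn.key" -out "$dir/$cn.csr" \
    -subj "/CN=$cn/O=$org" >/dev/null 2>&1
  # sanity check: the request must verify under its own public key
  openssl req -in "$dir/$cn.csr" -noout -verify >/dev/null 2>&1
}

# Emit the CertificateSigningRequest manifest. The PEM must be base64 on ONE
# line: GNU base64 wraps at 76 columns, and a wrapped value is rejected.
csr_manifest() {
  name=$1; csr_file=$2
  req=$(base64 < "$csr_file" | tr -d '\n')
  printf '%s\n' \
    "apiVersion: certificates.k8s.io/v1beta1" \
    "kind: CertificateSigningRequest" \
    "metadata:" \
    "  name: $name" \
    "spec:" \
    "  groups:" \
    "  - system:authenticated" \
    "  request: $req" \
    "  usages:" \
    "  - digital signature" \
    "  - key encipherment" \
    "  - client auth"
}

# Return 0 if the issued certificate's public key matches the private key.
cert_matches_key() {
  cert=$1; key=$2
  a=$(openssl x509 -in "$cert" -noout -pubkey)
  b=$(openssl pkey -in "$key" -pubout)
  [ "$a" = "$b" ]
}

# Approve and wait: signing is asynchronous, so status.certificate is empty
# right after 'kubectl certificate approve'. An empty field after the timeout
# usually means the cluster signer (cluster-signing-*-file) is not enabled.
fetch_signed_cert() {
  name=$1; out=$2
  kubectl certificate approve "$name" >/dev/null
  for i in 1 2 3 4 5 6 7 8 9 10; do
    pem=$(kubectl get csr "$name" -o jsonpath='{.status.certificate}')
    if [ -n "$pem" ]; then
      printf '%s' "$pem" | base64 --decode > "$out"
      return 0
    fi
    sleep 2
  done
  echo "CSR $name not signed after 20s: is cluster signing enabled?" >&2
  return 1
}

# End-to-end run against a real cluster only when invoked as: ./script.sh run
if [ "${1:-}" = "run" ]; then
  work=$(mktemp -d)
  gen_csr "$work" jane dev
  csr_manifest jane-client "$work/jane.csr" | kubectl apply -f -
  fetch_signed_cert jane-client "$work/jane.crt"
  cert_matches_key "$work/jane.crt" "$work/jane.key"
  kubectl config view --raw \
    -o jsonpath='{.clusters[0].cluster.certificate-authority-data}' \
    | base64 --decode > "$work/ca.crt"
  # Client-certificate authentication against the downstream API
  curl -sS --cacert "$work/ca.crt" --cert "$work/jane.crt" --key "$work/jane.key" \
    "$K8S_API/api/v1/namespaces/default/pods"
  # Bearer-token authentication with the service account from the page
  curl -sS --cacert "$work/ca.crt" \
    -H "Authorization: Bearer $(sa_token deployer)" \
    "$K8S_API/api/v1/namespaces/default/pods"
fi
```

Only the "run" branch touches a cluster; the helper functions can be exercised offline. The usages list drops server auth because the certificate is only ever presented as a client credential, and cert_matches_key catches the case where a stale CSR name returns someone else's certificate.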