The approach is:
- Create a ServiceAccount
- Grant the ServiceAccount admin permissions (the manifest below binds it to the cluster-admin ClusterRole; the permissions can also be tailored to the actual situation)
- Use the ServiceAccount's token to access every resource on the k8s API server
```yaml
# 1. Define a ServiceAccount
apiVersion: v1
kind: ServiceAccount
metadata:
  name: demo-sa
  namespace: demo-ns
---
# 2. Bind the ServiceAccount to the cluster-admin ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: demo-sa
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: demo-sa
  namespace: demo-ns
---
# 3. Run the workload under that ServiceAccount
apiVersion: apps/v1
kind: Deployment
metadata:
  name: demo-app
  namespace: demo-ns
  labels:
    app: demo-app
spec:
  replicas: 1
  selector:
    matchLabels:
      app: demo-app
  template:
    metadata:
      labels:
        app: demo-app
    spec:
      containers:
      - name: demo-app
        image: registry.my:15000/demo/demo-app:1.0.0
        imagePullPolicy: Always
      # Grant the pod the ServiceAccount's permissions
      # (serviceAccount is the deprecated alias of serviceAccountName)
      serviceAccount: demo-sa
      serviceAccountName: demo-sa
      restartPolicy: Always
```
When the pod runs under the ServiceAccount, the token of demo-sa is mounted at /var/run/secrets/kubernetes.io/serviceaccount/token.

```shell
$ TOKEN=`cat /var/run/secrets/kubernetes.io/serviceaccount/token`
$ APISERVER="https://$KUBERNETES_SERVICE_HOST:$KUBERNETES_SERVICE_PORT_HTTPS"
$ curl --header "Authorization: Bearer $TOKEN" -k -s $APISERVER/apis/batch/v1/jobs
{
...omitted...
}
```
The common URLs fall into two broad groups, /api and /apis. /api serves the core resources, for example namespace and pod; /apis serves the non-core resources, for example deployment and statefulset.

Tip: you can look this up with the `kubectl explain` command. The VERSION field in the output of `kubectl explain` tells you whether the resource is reached through /api or through /apis. For example:
```shell
$ kubectl explain pod
KIND:     Pod
VERSION:  v1

DESCRIPTION:
     Pod is a collection of containers that can run on a host. This resource is
     created by clients and scheduled onto hosts.
... omitted ...
```
VERSION: v1 means the resource is reached through /api:

```
api/v1/pods
```

For any other VERSION, the resource is reached through the group and version given in VERSION. For example:

```shell
$ kubectl explain job
KIND:     Job
VERSION:  batch/v1

DESCRIPTION:
     Job represents the configuration of a single job.
...omitted...
```

is reached through /apis:

```
apis/batch/v1/jobs
```
CRD對(duì)象也適用于以上的規(guī)則坏怪,例如:
$ kubectl explain Kibana
KIND: Kibana
VERSION: kibana.k8s.elastic.co/v1
DESCRIPTION:
Kibana represents a Kibana resource in a Kubernetes cluster.
...略去...
可以通過(guò)/apis/kibana.k8s.elastic.co/v1/kibanas
進(jìn)行訪問(wèn)贝润,例如:
$ curl --header "Authorization: Bearer $TOKEN" -k -s $APISERVER/apis/kibana.k8s.elastic.co/v1/kibanas
{
"apiVersion": "kibana.k8s.elastic.co/v1",
"items": [
{
"apiVersion": "kibana.k8s.elastic.co/v1",
"kind": "Kibana",
"metadata": {
"...略去...": ""
},
"...略去...": ""
}
],
"kind": "KibanaList",
"metadata": {
"continue": "",
"resourceVersion": "185223937"
}
}
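The VERSION rule above, turned into a small script as an added example (not part of the original post): it reads the VERSION line out of `kubectl explain` output (a constructed sample is embedded so it runs without a cluster), derives the /api or /apis collection path, and also builds the namespace-scoped form of that path, which the post does not show. The `api_get` helper is an assumption about running inside the pod: it authenticates with the mounted token exactly as the post does, but verifies the API server certificate with the `ca.crt` that is mounted in the same serviceaccount directory instead of passing `-k`.

```shell
#!/bin/sh
# Added example: derive the API server path for a resource from the
# VERSION that `kubectl explain` prints. Rule from the post:
#   VERSION with no group (e.g. v1)    -> /api/<version>/<plural>
#   VERSION with a group (group/ver)   -> /apis/<group>/<version>/<plural>

# Constructed sample of `kubectl explain job` output (from the post's
# example), so the script runs offline without a cluster.
EXPLAIN_JOB='KIND:     Job
VERSION:  batch/v1

DESCRIPTION:
     Job represents the configuration of a single job.'

# version_of EXPLAIN_OUTPUT -> prints the value of the VERSION: line
version_of() {
    printf '%s\n' "$1" | awk '$1 == "VERSION:" { print $2; exit }'
}

# api_path VERSION PLURAL -> prints the cluster-wide collection path
api_path() {
    version="$1"
    plural="$2"
    case "$version" in
        */*) printf '/apis/%s/%s\n' "$version" "$plural" ;;  # group/version
        *)   printf '/api/%s/%s\n'  "$version" "$plural" ;;  # core group
    esac
}

# namespaced_path VERSION PLURAL NAMESPACE -> the same collection limited
# to one namespace, e.g. /api/v1/namespaces/demo-ns/pods
namespaced_path() {
    base="$(api_path "$1" "$2")"
    printf '%s/namespaces/%s/%s\n' "${base%/*}" "$3" "$2"
}

# api_get PATH -> GET that path on the in-cluster API server. Assumes it
# runs inside a pod with the ServiceAccount mounted; the mounted ca.crt
# verifies the server certificate, so -k is not needed.
SA_DIR=/var/run/secrets/kubernetes.io/serviceaccount
api_get() {
    TOKEN="$(cat "$SA_DIR/token")"
    APISERVER="https://$KUBERNETES_SERVICE_HOST:$KUBERNETES_SERVICE_PORT_HTTPS"
    curl --cacert "$SA_DIR/ca.crt" -s \
         --header "Authorization: Bearer $TOKEN" "$APISERVER$1"
}

# Demonstration on the post's three examples (pod, job, Kibana CRD)
for spec in "v1 pods" "batch/v1 jobs" "kibana.k8s.elastic.co/v1 kibanas"; do
    set -- $spec
    echo "$1 $2 -> $(api_path "$1" "$2")"
done
echo "from explain output -> $(api_path "$(version_of "$EXPLAIN_JOB")" jobs)"
echo "namespaced -> $(namespaced_path v1 pods demo-ns)"

# Only talk to the API server when the token is actually mounted
if [ -f "$SA_DIR/token" ]; then
    api_get "$(namespaced_path batch/v1 jobs demo-ns)"
fi
```

The namespaced form is the one to reach for when the ServiceAccount is given a namespace-scoped Role rather than cluster-admin, since the cluster-wide collection path would then be denied.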