1. Obtain the ServiceAccount token from Kubernetes

A Service Account is the account that programs running in the Kubernetes cluster use when they call the API, for example for service discovery. The account's token is mounted directly into the Pod, where the program can use it directly. A ServiceAccount provides an identity for the processes running in a Pod.

If ServiceAccount is enabled in Kubernetes, each namespace has a default sa named default. I use the default one, default, here.

Steps:

(1) Log in to the Kubernetes cluster and run the command

kubectl get -n uase-iot-dev secret

uase-iot-dev is your namespace.

Then run kubectl get -n uase-iot-dev secret default-token-v0jdt -o yaml

to view and obtain the token. The token is base64-encoded, so we have to decode it:

echo token | base64 -d

Save the decoded result; it will be used later.
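An added example, not part of the original post: the decoded token is a JWT, and its sub claim names the ServiceAccount it authenticates as (the same system:serviceaccount:uase-iot-dev:default string that appears in the Forbidden error in section 6). The function names and the sample token below are constructed for illustration.

```shell
#!/bin/sh
# Added example: confirm which ServiceAccount a token belongs to before
# pasting it into GitLab. Function names are hypothetical.

# Decode one base64url JWT segment (restores the padding base64 -d expects).
b64url_decode() {
    seg=$(printf '%s' "$1" | tr '_-' '/+')
    case $(( ${#seg} % 4 )) in
        2) seg="$seg==" ;;
        3) seg="$seg=" ;;
    esac
    printf '%s' "$seg" | base64 -d
}

# sa_subject SECRET_VALUE: SECRET_VALUE is data.token exactly as shown by
# "kubectl get secret ... -o yaml". Prints the JWT "sub" claim.
sa_subject() {
    jwt=$(printf '%s' "$1" | base64 -d)
    payload=$(printf '%s' "$jwt" | cut -d. -f2)
    b64url_decode "$payload" |
        sed -n 's/.*"sub"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# token_is_for SECRET_VALUE NAMESPACE NAME: succeeds only on an exact match.
token_is_for() {
    [ "$(sa_subject "$1")" = "system:serviceaccount:$2:$3" ]
}

# Constructed sample (not a real credential): an unsigned token with the
# claim layout of a legacy ServiceAccount token, encoded as the Secret stores it.
b64url() { base64 | tr -d '\n=' | tr '/+' '_-'; }
sample_claims='{"iss":"kubernetes/serviceaccount","kubernetes.io/serviceaccount/namespace":"uase-iot-dev","kubernetes.io/serviceaccount/service-account.name":"default","sub":"system:serviceaccount:uase-iot-dev:default"}'
sample_jwt="$(printf '%s' '{"alg":"RS256"}' | b64url).$(printf '%s' "$sample_claims" | b64url).c2ln"
SAMPLE_SECRET_VALUE=$(printf '%s' "$sample_jwt" | base64 | tr -d '\n')

if token_is_for "$SAMPLE_SECRET_VALUE" uase-iot-dev default; then
    echo "token subject: $(sa_subject "$SAMPLE_SECRET_VALUE")"
else
    echo "token does not belong to uase-iot-dev/default" >&2
fi
```

This only reads the claim to check the identity; it does not verify the token's signature, which the API server does when the token is presented.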


2. Get the Kubernetes CA certificate

Log in to the Kubernetes cluster. In the /etc/kubernetes/pki directory there is a ca.crt file, which is the Kubernetes certificate.

The format of the certificate is as follows:




3. Integrate Kubernetes in GitLab

Log in to GitLab, choose your project, select Integrations under Settings on the left, scroll down to find Kubernetes, and click to enter.

Then enter the following:

API URL: the Kubernetes cluster's API URL, that is, the public address of the Kubernetes API server

CA Certificate: the Kubernetes CA certificate

Project namespace (optional/unique): the Kubernetes namespace

Token: the token obtained earlier, base64-decoded

Then click Save changes and you are done.

4. Add .gitlab-ci.yml to the project

Add a .gitlab-ci.yml configuration file in the project root. This file is the script for automated deployment, including building the jar package, building the image, and deploying automatically to Kubernetes.



In the deploy-huang-test stage, the image is the registry.gitlab.com/gitlab-examples/kubernetes-deploy image; in the picture above, we pulled it down and uploaded it to our private server.


The ${} values in the configuration file are all configured in GitLab, in Secret variables under CI/CD in Settings.

5. Grant authorization to the service account

The service account we use is the default one, default. It does not have any permissions by default, so we need to grant it permissions; otherwise the following error is reported:

Error from server (Forbidden)

Authorization steps:

Log in to the Kubernetes cluster and execute the following command:

kubectl create rolebinding default-edit --clusterrole=edit \
  --serviceaccount=uase-iot-dev:default --namespace=uase-iot-dev


uase-iot-dev is your namespace.


Now default has permission to execute our deployment scripts.


The results are as follows:

6. Errors encountered

(1)Unable to connect to the server: x509: certificate signed by unknown

I came across this error because of a wrong certificate. The certificate I used was the ca certificate in the previously obtained token, so I got this error. The correct certificate is ca.crt in the /etc/kubernetes/pki directory.

(2)Error from server (Forbidden): error when creating
"gitlabci/deployment.yml": User "system:serviceaccount:uase-iot-dev:default"

This error occurs because default was not granted authorization.

©2019-2020 Toolsou All rights reserved,