1. Obtain the ServiceAccount token from Kubernetes

A ServiceAccount is the API account used by a program running inside a Kubernetes cluster when it calls the API server. The account's token is mounted directly into the Pod, where the program can use it, so the ServiceAccount gives the process running in the Pod an identity.

If ServiceAccounts are enabled in Kubernetes, every namespace gets a default ServiceAccount named default. I use that default account here.

Steps:

(1) Log in to the Kubernetes cluster and run:

kubectl get -n uase-iot-dev secret

where uase-iot-dev is your namespace.

Then run

kubectl get -n uase-iot-dev secret default-token-v0jdt -o yaml

to view the secret and read the token. The token stored there is base64-encoded, so it has to be decoded:

echo token | base64 -d

Save the decoded result; it is used later.


2. Get the Kubernetes CA certificate

Log in to the Kubernetes cluster. In the /etc/kubernetes/pki directory there is a file ca.crt, which is the cluster's CA certificate.

The certificate is a PEM-format text file.
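To check, before pasting anything into GitLab, that the value you decoded in step 1 really is the token of the service account you expect, and that the certificate file you picked up in step 2 is PEM, here is an added Python example (not code from the original post). It works on a constructed secret shaped like the output of `kubectl get secret ... -o json` (a JSON twin of the `-o yaml` form used above); the token inside it is a made-up, unsigned JWT carrying the claims of a legacy service-account token, and the certificate body is a placeholder. The function names (`decode_secret_field`, `jwt_payload`, `check_secret`, and so on) are mine, not kubectl's or GitLab's. Reading the JWT payload without verifying the signature only tells you which identity the token claims, which is enough to catch pasting the wrong secret or a still-encoded value; it does not prove the token is valid.

```python
import base64
import json


def _b64url(raw: bytes) -> str:
    """Base64url without padding, the encoding JWT segments use."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _make_fake_sa_jwt(namespace: str, sa_name: str, secret_name: str) -> str:
    """Build an UNSIGNED stand-in for a legacy service-account token (constructed sample)."""
    header = {"alg": "RS256", "typ": "JWT"}
    payload = {
        "iss": "kubernetes/serviceaccount",
        "kubernetes.io/serviceaccount/namespace": namespace,
        "kubernetes.io/serviceaccount/secret.name": secret_name,
        "kubernetes.io/serviceaccount/service-account.name": sa_name,
        "sub": f"system:serviceaccount:{namespace}:{sa_name}",
    }
    return ".".join([
        _b64url(json.dumps(header).encode()),
        _b64url(json.dumps(payload).encode()),
        _b64url(b"dummy-signature"),  # placeholder, not a real signature
    ])


# Placeholder certificate body; only the PEM framing matters for the check below.
FAKE_CA_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIIB...placeholder...\n"
    "-----END CERTIFICATE-----\n"
)

# Constructed sample, shaped like:
#   kubectl get -n uase-iot-dev secret default-token-v0jdt -o json
SAMPLE_SECRET_JSON = json.dumps({
    "apiVersion": "v1",
    "kind": "Secret",
    "type": "kubernetes.io/service-account-token",
    "metadata": {"name": "default-token-v0jdt", "namespace": "uase-iot-dev"},
    "data": {
        "ca.crt": base64.b64encode(FAKE_CA_PEM.encode()).decode(),
        "namespace": base64.b64encode(b"uase-iot-dev").decode(),
        "token": base64.b64encode(
            _make_fake_sa_jwt("uase-iot-dev", "default", "default-token-v0jdt").encode()
        ).decode(),
    },
})


def decode_secret_field(secret_json: str, field: str) -> str:
    """Return one key under .data, base64-decoded (what `echo <value> | base64 -d` does)."""
    secret = json.loads(secret_json)
    return base64.b64decode(secret["data"][field]).decode()


def jwt_payload(token: str) -> dict:
    """Decode the payload segment of a JWT. No signature verification: identity claim only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected three dot-separated segments")
    seg = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(seg))


def token_subject(token: str) -> str:
    """The Kubernetes user name this token claims, e.g. system:serviceaccount:<ns>:<sa>."""
    return jwt_payload(token)["sub"]


def is_pem_certificate(text: str) -> bool:
    """True if the text is framed like a PEM certificate, as /etc/kubernetes/pki/ca.crt is."""
    stripped = text.strip()
    return (stripped.startswith("-----BEGIN CERTIFICATE-----")
            and stripped.endswith("-----END CERTIFICATE-----"))


def check_secret(secret_json: str, expected_namespace: str, expected_sa: str = "default") -> dict:
    """Decode the token and CA from a service-account secret and confirm they match expectations."""
    token = decode_secret_field(secret_json, "token")
    subject = token_subject(token)
    expected = f"system:serviceaccount:{expected_namespace}:{expected_sa}"
    if subject != expected:
        raise ValueError(f"token belongs to {subject}, expected {expected}")
    ca = decode_secret_field(secret_json, "ca.crt")
    if not is_pem_certificate(ca):
        raise ValueError("ca.crt in the secret is not a PEM certificate")
    return {"token": token, "subject": subject, "ca_is_pem": True}


if __name__ == "__main__":
    result = check_secret(SAMPLE_SECRET_JSON, "uase-iot-dev")
    print(result["subject"])  # which identity GitLab will act as
```

If `jwt_payload` raises because the value has no dot-separated segments, the value is most likely the still-base64-encoded string from the secret rather than the decoded token. The subject it returns is the exact user name that appears in the Forbidden error in section 6, so it also tells you which service account needs the rolebinding in section 5.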




3. Integrate Kubernetes in GitLab

Sign in to GitLab, open your project, choose Settings > Integrations on the left, scroll down to Kubernetes and click it.

Then fill in the following:

API URL: the API URL of the Kubernetes cluster, i.e. the public address of the Kubernetes API server

CA Certificate: the Kubernetes CA certificate

Project namespace (optional/unique): the Kubernetes namespace

Token: the token obtained earlier, base64-decoded

Then click Save changes.

4. Add .gitlab-ci.yml to the project

Add a .gitlab-ci.yml configuration file in the project root. This file holds the automated deployment script: it builds the jar package, builds the image, and deploys automatically to Kubernetes.



In the deploy-huang-test stage, the image is registry.gitlab.com/gitlab-examples/kubernetes-deploy; as the screenshot above shows, we pulled this image and pushed it to our private registry.


The ${...} references in the configuration file are all variables configured in GitLab under Settings > CI/CD > Secret variables.

5. Grant the service account permissions

The service account we use is default, which has no permissions by default. We need to authorize it, otherwise the following error is reported:

Error from server (Forbidden)

Authorization steps:

Log in to the Kubernetes cluster and run:

kubectl create rolebinding default-edit --clusterrole=edit \
  --serviceaccount=uase-iot-dev:default --namespace=uase-iot-dev


where uase-iot-dev is your namespace.


With this, default has permission to run our deployment script.


The result is as follows:

6. Errors encountered

(1)Unable to connect to the server: x509: certificate signed by unknown

I ran into this error because of a wrong certificate: the certificate I used was the ca certificate from the previously obtained token secret, which is why this error was reported. The correct certificate is ca.crt in the /etc/kubernetes/pki directory.

(2) Error from server (Forbidden): error when creating "gitlabci/deployment.yml": User "system:serviceaccount:uase-iot-dev:default"

This error occurs because default was not granted permissions.

