From 7fa4ff6310fb60593532a4761f02dcf4b2c87cf4 Mon Sep 17 00:00:00 2001 From: makocchi Date: Sun, 23 Dec 2018 10:05:56 +0900 Subject: [PATCH] Remove command prompts and separate commands from output [Authenticating] (#11851) * remove command prompts and separate commands from output * tweak comment --- .../access-authn-authz/authentication.md | 40 +++++++++++++++---- 1 file changed, 32 insertions(+), 8 deletions(-) diff --git a/content/en/docs/reference/access-authn-authz/authentication.md b/content/en/docs/reference/access-authn-authz/authentication.md index 1828be30b2..87da0ca10c 100644 --- a/content/en/docs/reference/access-authn-authz/authentication.md +++ b/content/en/docs/reference/access-authn-authz/authentication.md @@ -217,10 +217,21 @@ Kubernetes API. To manually create a service account, simply use the `kubectl create serviceaccount (NAME)` command. This creates a service account in the current namespace and an associated secret. +```bash +kubectl create serviceaccount jenkins ``` -$ kubectl create serviceaccount jenkins + +```none serviceaccount "jenkins" created -$ kubectl get serviceaccounts jenkins -o yaml +``` + +Check an associated secret: + +```bash +kubectl get serviceaccounts jenkins -o yaml +``` + +```yaml apiVersion: v1 kind: ServiceAccount metadata: @@ -232,8 +243,11 @@ secrets: The created secret holds the public CA of the API server and a signed JSON Web Token (JWT). +```bash +kubectl get secret jenkins-token-1yvwg -o yaml ``` -$ kubectl get secret jenkins-token-1yvwg -o yaml + +```yaml apiVersion: v1 data: ca.crt: (APISERVER'S CA BASE64 ENCODED) @@ -391,7 +405,7 @@ Once your `id_token` expires, `kubectl` will attempt to refresh your `id_token` The `kubectl` command lets you pass in a token using the `--token` option. Simply copy and paste the `id_token` into this option: -``` +```bash kubectl --token=eyJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJodHRwczovL21sYi50cmVtb2xvLmxhbjo4MDQzL2F1dGgvaWRwL29pZGMiLCJhdWQiOiJrdWJlcm5ldGVzIiwiZXhwIjoxNDc0NTk2NjY5LCJqdGkiOiI2RDUzNXoxUEpFNjJOR3QxaWVyYm9RIiwiaWF0IjoxNDc0NTk2MzY5LCJuYmYiOjE0NzQ1OTYyNDksInN1YiI6Im13aW5kdSIsInVzZXJfcm9sZSI6WyJ1c2VycyIsIm5ldy1uYW1lc3BhY2Utdmlld2VyIl0sImVtYWlsIjoibXdpbmR1QG5vbW9yZWplZGkuY29tIn0.f2As579n9VNoaKzoF-dOQGmXkFKf1FMyNV0-va_B63jn-_n9LGSCca_6IVMP8pO-Zb4KvRqGyTP0r3HkHxYy5c81AnIh8ijarruczl-TK_yF5akjSTHFZD-0gRzlevBDiH8Q79NAr-ky0P4iIXS8lY9Vnjch5MF74Zx0c3alKJHJUnnpjIACByfF2SCaYzbWFMUNat-K1PaUk5-ujMBG7yYnr95xD-63n8CO8teGUAAEMx6zRjzfhnhbzX-ajwZLGwGUBT4WqjMs70-6a7_8gZmLZb2az1cZynkFRj2BaCkVT3A2RrjeEwZEtGXlMqKJ1_I2ulrOVsYx01_yD35-rw get nodes ``` @@ -620,11 +634,21 @@ Impersonate-Extra-scopes: development When using `kubectl` set the `--as` flag to configure the `Impersonate-User` header, set the `--as-group` flag to configure the `Impersonate-Group` header. -```shell -$ kubectl drain mynode -Error from server (Forbidden): User "clark" cannot get nodes at the cluster scope. (get nodes mynode) +```bash +kubectl drain mynode +``` -$ kubectl drain mynode --as=superman --as-group=system:masters +```none +Error from server (Forbidden): User "clark" cannot get nodes at the cluster scope. (get nodes mynode) +``` + +Set the `--as` and `--as-group` flag: + +```bash +kubectl drain mynode --as=superman --as-group=system:masters +``` + +```none node/mynode cordoned node/mynode drained ```