kubectl get node
kubectl get node
NAME          STATUS   ROLES    AGE   VERSION
10.0.4.144    Ready    <none>   24h   v1.22.5-tke.1

kubectl get pod -n kube-system
NAMESPACE     NAME                                   READY   STATUS    RESTARTS   AGE
kube-system   pod-identity-webhook-78c76****-9qrpj   1/1     Running   0          43h
$db_address
.$db_port
0.0.0.0/0, and the Protocol port is TCP:3306. Note: a source of 0.0.0.0/0 opens the database port to every address on the Internet. Outside of a disposable test, restrict the source to the VPC or node CIDR the pods run in (the node shown above is 10.0.4.144).
.mysql -h $db_address -P $db_port -uroot -pEnter password:Welcome to the MariaDB monitor. Commands end with ; or \\g.Your MySQL connection id is 4238098Server version: 5.7.36-txsql-log 20211230Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.Type 'help;' or '\\h' for help. Type '\\c' to clear the current input statement.MySQL [(none)]>
MySQL [(none)]> CREATE DATABASE mydb;Query OK, 1 row affected (0.00 sec)MySQL [(none)]> CREATE TABLE mydb.user (Id VARCHAR(120), Name VARCHAR(120));Query OK, 0 rows affected (0.00 sec)MySQL [(none)]> INSERT INTO mydb.user (Id,Name) VALUES ('123','tke-oidc');Query OK, 1 row affected (0.01 sec)MySQL [(none)]> SELECT * FROM mydb.user;+------+----------+| Id | Name |+------+----------+| 123 | tke-oidc |+------+----------+1 row in set (0.01 sec)
$db_name
.%
if you don't want to specify$ssm_name
.$ssm_region_name
.$my_pod_audience
. When multiple values are available for oidc:aud, select any one of them. $my_pod_role_arn
.kubectl create namespace my-namespace
$my_pod_role_arn
with the value of RoleArn, and replace $my_pod_audience
with the value of oidc:aud. The token-expiration annotation below sets the lifetime of the projected token (86400, i.e. 24 hours if the unit is seconds); use the shortest lifetime the workload tolerates, since a leaked token stays usable until it expires.

apiVersion: v1
kind: ServiceAccount
metadata:
  name: my-serviceaccount
  namespace: my-namespace
  annotations:
    tke.cloud.tencent.com/role-arn: $my_pod_role_arn
    tke.cloud.tencent.com/audience: $my_pod_audience
    tke.cloud.tencent.com/token-expiration: "86400"
# Sample workload for the demo. It runs under the annotated ServiceAccount so
# that the pod-identity-webhook listed in kube-system above can supply the
# role/OIDC settings the demo binary reads (presumably via the SA annotations;
# confirm against the webhook's documentation).
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  namespace: my-namespace
spec:
  selector:
    matchLabels:
      app: my-app
  replicas: 1
  template:
    metadata:
      labels:
        app: my-app
    spec:
      # Must be the ServiceAccount carrying the tke.cloud.tencent.com/* annotations;
      # a pod under a different SA gets no role credential.
      serviceAccountName: my-serviceaccount
      containers:
      - name: nginx
        # Placeholder. The guide's sample image is tagged :latest, which is
        # mutable — pin a fixed tag or digest for anything beyond a demo.
        image: $image
        ports:
        - containerPort: 80
ccr.ccs.tencentyun.com/tkeimages/sample-application:latest
is selected for $image, which bundles the compiled demo binary. You can substitute your own image as needed; note that the sample tag is :latest, which is mutable — pin a fixed tag or digest for anything beyond a throwaway test.

kubectl apply -f my-serviceaccount.yaml
kubectl apply -f sample-application.yaml
kubectl get pods -n my-namespace
NAME READY STATUS RESTARTS AGEnginx-deployment-6bfd845f47-9zxld 1/1 Running 0 67s
kubectl describe pod nginx-deployment-6bfd845f47-9zxld -n my-namespace
shell git clone https://github.com/TencentCloud/ssm-rotation-sdk-golang.git
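package main

import (
	"flag"
	"fmt"
	"log"
	"time"

	_ "github.com/go-sql-driver/mysql"
	"github.com/tencentcloud/ssm-rotation-sdk-golang/lib/db"
	"github.com/tencentcloud/ssm-rotation-sdk-golang/lib/ssm"
	"github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common"
)

var (
	// Not referenced by this demo; kept so the listing matches the original layout.
	roleArn, tokenPath, providerId, regionName, saToken string

	// Command-line inputs (see the flags registered in main).
	secretName, dbAddress, dbName, ssmRegionName string
	dbPort                                       uint64

	// Shared connection wrapper: set once in DB, read by accessDb and queryDb.
	dbConn *db.DynamicSecretRotationDb

	// Header is not referenced anywhere in this demo. Its "Authorization: SKIP"
	// and fixed X-TC-Timestamp are not a valid request signature — the
	// AssumeRoleWithWebIdentity call is made by the SDK provider in main.
	// Do not copy this map into real code.
	Header = map[string]string{
		"Authorization":      "SKIP",
		"X-TC-Action":        "AssumeRoleWithWebIdentity",
		"Host":               "sts.internal.tencentcloudapi.com",
		"X-TC-RequestClient": "PHP_SDK",
		"X-TC-Version":       "2018-08-13",
		"X-TC-Region":        regionName,
		"X-TC-Timestamp":     "1659944952",
		"Content-type":       "application/json",
	}
)

// Credentials holds the temporary credential obtained by assuming the role
// bound to the pod's ServiceAccount. TmpSecretKey and Token are secrets:
// never log them or write them to disk.
type Credentials struct {
	TmpSecretId  string
	TmpSecretKey string
	Token        string
	// ExpiredTime is not populated by this demo.
	ExpiredTime uint64
}

// main parses the flags, exchanges the pod's web-identity token for a
// temporary credential through the SDK's TKE OIDC provider, and hands that
// credential to DB. Every failure is fatal: nothing useful can happen
// without a credential.
func main() {
	flag.StringVar(&secretName, "ssmName", "", "ssm name")
	flag.StringVar(&ssmRegionName, "ssmRegionName", "", "ssm region")
	flag.StringVar(&dbAddress, "dbAddress", "", "database address")
	flag.StringVar(&dbName, "dbName", "", "database name")
	flag.Uint64Var(&dbPort, "dbPort", 0, "database port")
	flag.Parse()

	// Fail fast on missing inputs rather than surfacing them later as an
	// opaque connection error. dbName is optional (see the DbConfig comment in DB).
	if secretName == "" || ssmRegionName == "" || dbAddress == "" || dbPort == 0 {
		log.Fatal("missing required flags: --ssmName, --ssmRegionName, --dbAddress and --dbPort must all be set")
	}

	// The default provider presumably reads the OIDC settings injected into the
	// pod (token file, role ARN, provider ID) — confirm against the SDK docs.
	provider, err := common.DefaultTkeOIDCRoleArnProvider()
	if err != nil {
		log.Fatal("failed to create TKE OIDC role provider, err:", err)
	}
	assumeResp, err := provider.GetCredential()
	if err != nil {
		log.Fatal("failed to assume role with web identity, err:", err)
	}
	if assumeResp == nil {
		// The original carried on with an empty credential here, which could
		// only fail later inside the SSM client; stop early with a clear message.
		log.Fatal("assume role with web identity returned no credential")
	}
	credential := Credentials{
		TmpSecretId:  assumeResp.GetSecretId(),
		TmpSecretKey: assumeResp.GetSecretKey(),
		Token:        assumeResp.GetToken(),
	}

	// Do NOT print the credential (the original logged secretId, secretKey and
	// token). Container stdout is collected into cluster logs, where a leaked
	// key/token grants the role's permissions to anyone who can read them.
	// Record only that the exchange produced something.
	log.Printf("assumed role with web identity: secretId obtained=%t, token obtained=%t",
		credential.TmpSecretId != "", credential.Token != "")

	DB(credential)
}

// DB initialises the rotation-aware database connection using the temporary
// credential, then pings and queries the database once per second, forever.
//
// credential is the credential from main; the SSM client uses it to read
// the database secret named by --ssmName. Initialisation failure is fatal.
func DB(credential Credentials) {
	dbConn = &db.DynamicSecretRotationDb{}
	err := dbConn.Init(&db.Config{
		DbConfig: &db.DbConfig{
			MaxOpenConns:        100,
			MaxIdleConns:        50,
			IdleTimeoutSeconds:  100,
			ReadTimeoutSeconds:  5,
			WriteTimeoutSeconds: 5,
			SecretName:          secretName, // Secret name
			IpAddress:           dbAddress,  // Database address
			Port:                dbPort,     // Database port
			DbName:              dbName,     // Leave it empty or specify a database name
			ParamStr:            "charset=utf8&loc=Local",
		},
		SsmServiceConfig: &ssm.SsmAccount{
			SecretId:  credential.TmpSecretId,
			SecretKey: credential.TmpSecretKey,
			Token:     credential.Token,
			Region:    ssmRegionName, // Region where the secret is stored
		},
		WatchChangeInterval: time.Second * 10, // Interval to check the secret rotation
	})
	if err != nil {
		// The original built this message with fmt.Errorf, discarded the
		// result (go vet: unused result) and returned silently, so the process
		// exited 0 with no diagnostic. Report the cause and exit non-zero.
		log.Fatalf("failed to init dbConn, err: %v", err)
	}

	// Simulate an application that takes a connection from the pool at regular
	// intervals (real workloads usually do this far more often than once a second).
	// A Ticker, unlike time.Tick, can be stopped; the loop itself never ends.
	ticker := time.NewTicker(time.Second)
	defer ticker.Stop()
	for range ticker.C {
		accessDb()
		queryDb()
	}
}

// accessDb takes a connection from the pool and pings the server; a failed
// ping is fatal. The connection comes from the rotation-aware wrapper set up
// in DB, so it is intended to reflect the current secret (confirm against the
// SDK's WatchChangeInterval semantics).
func accessDb() {
	fmt.Println("--- accessDb start")
	c := dbConn.GetConn()
	if err := c.Ping(); err != nil {
		log.Fatal("failed to access db with err:", err)
	}
	log.Println("--- succeed to access db")
}

// queryDb looks up one user row and logs every row returned. The query is
// parameterised, so the id value travels as data rather than as SQL text.
//
// NOTE(review): the sample table created earlier in this guide declares Id as
// VARCHAR(120) and inserts only '123'; this lookup for id 1 therefore returns
// no rows against that data, and the demo still reports success.
func queryDb() {
	var (
		id   int
		name string
	)
	log.Println("--- queryDb start")
	c := dbConn.GetConn()
	rows, err := c.Query("select id, name from user where id = ?", 1)
	if err != nil {
		// The original called log.Printf with no format verb (go vet: missing
		// verb) and then log.Fatal(err); one call does both jobs.
		log.Fatalf("failed to query db with err: %v", err)
	}
	defer rows.Close()
	for rows.Next() {
		if err := rows.Scan(&id, &name); err != nil {
			log.Fatal(err)
		}
		log.Println(id, name)
	}
	if err := rows.Err(); err != nil {
		log.Fatal(err)
	}
	log.Println("--- succeed to query db")
}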
# Open a shell in the demo pod; the sample image keeps the compiled demo under /root.
kubectl exec -ti nginx-deployment-6bfd845f47-9zxld -n my-namespace -- /bin/bash
cd /root/
# Run the demo: it assumes the role with the pod's web-identity token, then opens the
# database through the SSM rotation SDK using the secret named by --ssmName.
# --dbName may be left empty. As listed on this page the demo prints the temporary
# credential to stdout; remove that log line before running it in any shared cluster.
./demo --ssmName=$ssm_name --ssmRegionName=$ssm_region_name --dbAddress=$db_address --dbName=$db_name --dbPort=$db_port
Feature | Involved Object | Involved Operation Permission |
It is required to inquire about the resource status of the specified serviceaccounts on the created pod. | serviceaccount | list/watch/get |
When creating components, it is required to inject the client's certificate in the resource of mutatingwebhookconfigurations. | mutatingwebhookconfigurations | get/update |
# RBAC rules granted to the pod-identity webhook component.
rules:
# ServiceAccounts: read the role/audience annotations on the pod's SA
# (matches the "list/watch/get" row in the permission table above).
- apiGroups:
  - ""
  resources:
  - serviceaccounts
  verbs:
  - get
  - watch
  - list
# NOTE(review): events patch/update is granted here but does not appear in
# the permission table above — confirm it is required.
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - patch
  - update
# NOTE(review): the table above lists get/update on mutatingwebhookconfigurations
# (to inject the client certificate), but only get is granted here — confirm
# which one is intended; with get alone the certificate injection would fail.
- apiGroups:
  - "admissionregistration.k8s.io"
  resources:
  - "mutatingwebhookconfigurations"
  verbs:
  - get