
kubectl --token=$TOKEN does not run under the token's permissions

Updated: 2023-12-03 19:47:52

This is tricky because, if you are using a client certificate for authenticating to the Kubernetes API server, overriding the token with kubectl is not going to work, because the authentication with the certificate happens early in the process, during the TLS handshake. Even if you provide a token in kubectl, it will be ignored. This is the reason why you are able to get secrets: the client certificate has permission to get secrets, and the token is ignored.

So if you want to use a kubectl token, the kubeconfig file should not have a client certificate; then you can override that token with the --token flag in kubectl. See the discussion in the question on how to create a kubeconfig file for a service account token.
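As an added example (not part of the original answer), the shell snippet below does two things a practitioner wants here: it checks whether a kubeconfig's user entries carry a client certificate (in which case a --token override will be silently ignored, as described above), and it writes a minimal token-only kubeconfig so that the token is the credential the API server actually sees. The cluster name, server URL and token value are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original answer. Assumes a kubeconfig in the usual
# YAML layout; the cluster name, server URL and token used below are constructed.

# Return 0 (true) if any user entry in the kubeconfig carries a client certificate
# or key. With such an entry present, kubectl authenticates with the certificate
# during the TLS handshake and any --token you pass is ignored.
kubeconfig_uses_client_cert() {
    grep -Eq '^[[:space:]]*client-(certificate|key)(-data)?:' "$1"
}

# Write a token-only kubeconfig: no client certificate, so the bearer token in
# the user entry (or a --token override) is what the API server evaluates.
# $1 = output path, $2 = API server URL, $3 = bearer token (constructed value)
write_token_kubeconfig() {
    cat > "$1" <<EOF
apiVersion: v1
kind: Config
clusters:
- name: demo-cluster
  cluster:
    server: $2
    # certificate-authority-data for the cluster CA would go here on a real cluster
contexts:
- name: demo-context
  context:
    cluster: demo-cluster
    user: demo-sa
current-context: demo-context
users:
- name: demo-sa
  user:
    token: $3
EOF
}

# Constructed certificate-based kubeconfig, for comparison with the check above.
# The base64 blobs are placeholders, not real key material.
write_cert_kubeconfig() {
    cat > "$1" <<EOF
apiVersion: v1
kind: Config
users:
- name: admin
  user:
    client-certificate-data: PLACEHOLDER_BASE64_CERT
    client-key-data: PLACEHOLDER_BASE64_KEY
EOF
}
```

Usage: write the token-only file, then run kubectl against it, e.g. `kubectl --kubeconfig /tmp/token.kubeconfig get pods` (or add `--token=$TOKEN` to override the stored token). If `kubeconfig_uses_client_cert` returns true for the file you are actually using, the permissions you observe are the certificate's, not the token's, regardless of what --token says.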

Also, you can view the bearer token being sent in the kubectl command using the following command:

kubectl get pods --v=10 2>&1 | grep -i bearer