Kubernetes Service Accounts
# Define namespace "test"
cat >> test.yaml << EOF
apiVersion: v1
kind: Namespace
metadata:
  name: test
  labels:
    name: test
EOF
# Create namespace "test"
kubectl create -f ./test.yaml
# List the service accounts (sa) in namespace "test"
kubectl get sa -n test
NAME      SECRETS   AGE
default   1         3h
## Notes:
(1) If the ServiceAccount admission controller is enabled on the API server (--admission-control=...,ServiceAccount,...), a service account named "default" is created automatically in every namespace. That is the "default" listed by the command above.
(2) The ServiceAccount admission controller is enabled by default.
# Show the "default" service account generated in namespace "test"
kubectl get sa default -o yaml -n test
apiVersion: v1
kind: ServiceAccount
metadata:
  creationTimestamp: 2018-05-31T06:21:10Z
  name: default
  namespace: test
  resourceVersion: "45560"
  selfLink: /api/v1/namespaces/test/serviceaccounts/default
  uid: cf57c735-649a-11e8-adc5-000c290a7d06
secrets:
- name: default-token-ccf9m
## Notes:
(1) Any Pod a user creates in this namespace uses this service account by default;
(2) Every Pod gets spec.serviceAccount set to "default" after creation (unless another ServiceAccount is specified);
(3) When each container starts, the corresponding token and ca.crt are mounted at /var/run/secrets/kubernetes.io/serviceaccount/.
# Create a Deployment
cat >> nginx_deploy.yaml << EOF
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: nginx-test
  namespace: test
spec:
  replicas: 2
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:1.7.9
        ports:
        - containerPort: 80
EOF
kubectl create -f ./nginx_deploy.yaml
# List the resulting Pods
kubectl get po -n test
NAME                          READY     STATUS    RESTARTS   AGE
nginx-test-75675f5897-7l5bc   1/1       Running   0          1h
nginx-test-75675f5897-b7pcn   1/1       Running   0          1h
# Describe one of the Pods, e.g. nginx-test-75675f5897-7l5bc
kubectl describe po nginx-test-75675f5897-7l5bc -n test
## Note the default-token-ccf9m entries below!
    Environment:  <none>
    Mounts:
      /var/run/secrets/kubernetes.io/serviceaccount from default-token-ccf9m (ro)
Conditions:
  Type           Status
  Initialized    True
  Ready          True
  PodScheduled   True
Volumes:
  default-token-ccf9m:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  default-token-ccf9m
## Notes:
(1) As the describe output shows, the Pod had spec.serviceAccount set to "default" automatically, because no other ServiceAccount was specified;
(2) That service account's token and ca.crt are mounted read-only into the container at /var/run/secrets/kubernetes.io/serviceaccount/.
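The two defaults just described (an unspecified service account silently becomes "default", and its token is mounted into every container) are easy to miss when reading a manifest. The following shell script is an added example, not part of the original article: a line-oriented audit of a Deployment manifest that flags both conditions, run against a constructed copy of the nginx Deployment above and against a hardened variant. The hardened variant pins a hypothetical dedicated service account ("nginx-web") and sets automountServiceAccountToken: false, which is the right choice for a workload such as nginx that never needs to call the API server.

```shell
#!/bin/sh
# Added example (not from the original article): audit a pod/Deployment
# manifest for the two service-account defaults described in the notes.
# Assumption: manifests are plain YAML files and a line-oriented grep over
# the pod template is enough, as it is for the manifests in this article.

# Return 0 when the manifest pins a service account and opts out of the token
# mount; otherwise print each finding and return 1.
audit_sa_manifest() {
    file=$1
    rc=0
    if ! grep -Eq '^[[:space:]]*serviceAccountName:' "$file"; then
        echo "$file: no serviceAccountName; pods will run as the namespace's default SA"
        rc=1
    fi
    if ! grep -Eq '^[[:space:]]*automountServiceAccountToken:[[:space:]]*false' "$file"; then
        echo "$file: SA token will be mounted into every container (automountServiceAccountToken is not false)"
        rc=1
    fi
    return $rc
}

# Constructed sample 1: the nginx Deployment from the article, as written.
write_sample_unpinned() {
    cat > "$1" << 'EOF'
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: nginx-test
  namespace: test
spec:
  replicas: 2
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:1.7.9
EOF
}

# Constructed sample 2: the same workload pinned to a hypothetical dedicated
# SA and with the token mount switched off, since nginx never talks to the API.
write_sample_hardened() {
    cat > "$1" << 'EOF'
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: nginx-test
  namespace: test
spec:
  replicas: 2
  template:
    metadata:
      labels:
        app: nginx
    spec:
      serviceAccountName: nginx-web
      automountServiceAccountToken: false
      containers:
      - name: nginx
        image: nginx:1.7.9
EOF
}
```

Usage against the article's own file would be `audit_sa_manifest nginx_deploy.yaml`; the exit status makes it usable as a pre-apply check in a CI step. automountServiceAccountToken can also be set on the ServiceAccount object itself, which turns the mount off for every pod using that account unless a pod opts back in.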
# Enter the container of one of the Pods, e.g. nginx-test-75675f5897-7l5bc
kubectl exec -it nginx-test-75675f5897-7l5bc --namespace=test -- /bin/bash
## Inside the container, run:
ls -l /var/run/secrets/kubernetes.io/serviceaccount/
lrwxrwxrwx 1 root root 13 May 31 08:15 ca.crt -> ..data/ca.crt
lrwxrwxrwx 1 root root 16 May 31 08:15 namespace -> ..data/namespace
lrwxrwxrwx 1 root root 12 May 31 08:15 token -> ..data/token
## Note:
ca.crt, namespace and token have been placed inside the container, so the container can now make HTTPS requests to the apiserver with them.
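The shell functions below are an added example (not code from the original article) showing what those three files carry and how a container uses them: the token is a JWT whose "sub" claim is the identity the API server will see, the namespace file must agree with the token's namespace claim, and an HTTPS request is made with TLS verified against the mounted ca.crt and the token sent as a bearer token. The claim names are those of the legacy secret-backed tokens shown above (default-token-ccf9m). The sample mount built by make_sample_sa_dir is constructed, with an unsigned token, so the inspection functions can run outside a cluster; the API request itself only works inside a pod, where KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT are injected.

```shell
#!/bin/sh
# Added example (not from the original article): inspect the mounted
# service-account credentials and issue the API request the note describes.
# Assumes curl and base64 are available in the container.

SA_DIR=/var/run/secrets/kubernetes.io/serviceaccount

# Decode one base64url segment of a JWT: restore padding, swap the alphabet.
b64url_decode() {
    seg=$1
    pad=$(( (4 - ${#seg} % 4) % 4 ))
    while [ "$pad" -gt 0 ]; do seg="${seg}="; pad=$((pad - 1)); done
    printf '%s' "$seg" | tr '_-' '/+' | base64 -d
}

# Extract one string-valued claim from the token payload (second segment).
token_claim() {
    dir=$1
    claim=$2
    b64url_decode "$(cut -d. -f2 "$dir/token")" \
        | sed -n "s|.*\"${claim}\" *: *\"\([^\"]*\)\".*|\1|p"
}

# The identity the API server authenticates: system:serviceaccount:<ns>:<name>.
sa_subject() {
    token_claim "${1:-$SA_DIR}" sub
}

# Consistency check: the namespace file and the token's namespace claim come
# from the same Secret and must agree.
sa_namespace_matches() {
    dir=${1:-$SA_DIR}
    [ "$(cat "$dir/namespace")" = "$(token_claim "$dir" kubernetes.io/serviceaccount/namespace)" ]
}

# The HTTPS request the note refers to: server verified against ca.crt,
# token presented as a bearer token. Defaults to listing pods in our namespace.
sa_api_get() {
    dir=${1:-$SA_DIR}
    path=${2:-/api/v1/namespaces/$(cat "$dir/namespace")/pods}
    curl -sS --cacert "$dir/ca.crt" \
        -H "Authorization: Bearer $(cat "$dir/token")" \
        "https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}${path}"
}

# Constructed sample mount (unsigned token, placeholder CA) for offline use.
make_sample_sa_dir() {
    dir=$1
    mkdir -p "$dir"
    printf 'test' > "$dir/namespace"
    printf 'constructed placeholder, not a real CA certificate\n' > "$dir/ca.crt"
    hdr=$(printf '{"alg":"RS256","typ":"JWT"}' | base64 | tr -d '=\n' | tr '/+' '_-')
    pl=$(printf '{"iss":"kubernetes/serviceaccount","kubernetes.io/serviceaccount/namespace":"test","kubernetes.io/serviceaccount/secret.name":"default-token-ccf9m","kubernetes.io/serviceaccount/service-account.name":"default","sub":"system:serviceaccount:test:default"}' \
        | base64 | tr -d '=\n' | tr '/+' '_-')
    printf '%s.%s.%s' "$hdr" "$pl" "c2lnbmF0dXJlLXBsYWNlaG9sZGVy" > "$dir/token"
}
```

Inside a real pod, `sa_subject` with no argument prints the identity for the mounted token and `sa_api_get` lists the pods of the current namespace; whether that request is authorized is a separate question, decided by RBAC as described in section 6. The decoding here only reads the claims, it does not verify the signature, which is the API server's job.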
5. Creating a Service Account manually
# Write the heapster_test.yaml file
cat >> heapster_test.yaml << EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: heapster
  namespace: test
EOF
# Create Service Account "heapster"
kubectl create -f heapster_test.yaml
serviceaccount "heapster" created
# Inspect Service Account "heapster"
kubectl get sa -o yaml -n test
## The relevant part of the output (the heapster entry):
secrets:
- name: heapster-token-7xrlg
6. Authorizing a Service Account
A Service Account gives a workload a convenient authentication mechanism, but it says nothing about authorization. RBAC can be combined with Service Accounts to authorize them:
(1) Configure --authorization-mode=RBAC and --runtime-config=rbac.authorization.k8s.io/v1alpha1
(2) Configure --authorization-rbac-super-user=admin
(3) Define a Role, ClusterRole, RoleBinding or ClusterRoleBinding
# In practice
When deploying Kubernetes Dashboard 1.8.3 we hit an access-denied error on first login; the cause was how the ServiceAccount had been created.
cat >> kube-dashboard-access.yaml << EOF
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: kubernetes-dashboard
  labels:
    k8s-app: kubernetes-dashboard
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: kubernetes-dashboard
  namespace: kube-system
EOF
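The ClusterRoleBinding above resolves the login error by binding the dashboard's service account to the built-in cluster-admin ClusterRole, which gives that token full rights over the whole cluster. Step (3) of section 6 also allows the narrower, namespaced form, and the script below is an added example (not from the original article) of it for the "heapster" service account created in section 5: a Role limited to namespace "test", a RoleBinding that names only that service account, and `kubectl auth can-i` checks that confirm from the API server's side what the account can and cannot do. The permission set (read pods) is illustrative, not what a real heapster deployment requires, and `kubectl` is assumed to be configured against the cluster.

```shell
#!/bin/sh
# Added example (not from the original article): least-privilege RBAC for
# the "heapster" service account from section 5 instead of cluster-admin.
# Assumption: the verbs/resources are illustrative, not heapster's real needs.

# Emit a Role and a RoleBinding for service account $2 in namespace $1.
least_privilege_rbac() {
    ns=$1
    sa=$2
    cat << EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ${sa}-reader
  namespace: ${ns}
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ${sa}-reader
  namespace: ${ns}
subjects:
- kind: ServiceAccount
  name: ${sa}
  namespace: ${ns}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ${sa}-reader
EOF
}

# Apply the manifest, then ask the API server what the account may do. The
# impersonated subject uses the same system:serviceaccount:<ns>:<sa> form
# that appears in the token's "sub" claim.
apply_and_check() {
    ns=$1
    sa=$2
    subject="system:serviceaccount:${ns}:${sa}"
    least_privilege_rbac "$ns" "$sa" | kubectl apply -f -
    kubectl auth can-i list pods -n "$ns" --as="$subject"      # expected: yes
    kubectl auth can-i delete pods -n "$ns" --as="$subject"    # expected: no
    kubectl auth can-i list pods -n kube-system --as="$subject" # expected: no
    kubectl auth can-i list nodes --as="$subject"              # expected: no
}
```

Typical use is `apply_and_check test heapster`. The same four `can-i` checks are worth running against the dashboard binding above, where every answer comes back "yes"; that contrast is the practical difference between a ClusterRoleBinding to cluster-admin and a namespaced Role.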
7. References
https://www.ctolib.com/docs/sfile/kubernetes-handbook/architecture/serviceaccount.html
https://blog.csdn.net/u010278923/article/details/72857928