ServiceAccount
A service account exists so that processes inside a Pod can conveniently call the Kubernetes API or other external services. It differs from a user account:
    A user account is for people; a service account is for the processes in a Pod that call the Kubernetes API.
    A user account spans namespaces; a service account is confined to the namespace it lives in.
    Every namespace automatically gets a default service account.
    The token controller watches for service account creation and creates a secret for each one.
    With the ServiceAccount admission controller enabled:
      Every Pod, when created, has spec.serviceAccountName set to default (unless another ServiceAccount is specified).
      The service account a Pod references is verified to exist; otherwise the Pod is rejected.
      If the Pod does not specify ImagePullSecrets, the service account's ImagePullSecrets are added to the Pod.
      Every container, once started, has the service account's token and ca.crt mounted at /var/run/secrets/kubernetes.io/serviceaccount/.
$ kubectl exec nginx-3137573019-md1u2 ls /var/run/secrets/kubernetes.io/serviceaccount
ca.crt
namespace
token

Note: you can use https://jwt.io/ to inspect the token's details (such as PAYLOAD and SIGNATURE).

Creating a Service Account

$ kubectl create serviceaccount jenkins
serviceaccount "jenkins" created
$ kubectl get serviceaccounts jenkins -o yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  creationTimestamp: 2017-05-27T14:32:25Z
  name: jenkins
  namespace: default
  resourceVersion: "45559"
  selfLink: /api/v1/namespaces/default/serviceaccounts/jenkins
  uid: 4d66eb4c-42e9-11e7-9860-ee7d8982865f
secrets:
- name: jenkins-token-l9v7v
The automatically created secret:

$ kubectl get secret jenkins-token-l9v7v -o yaml
apiVersion: v1
data:
  ca.crt: (APISERVER CA BASE64 ENCODED)
  namespace: ZGVmYXVsdA==
  token: (BEARER TOKEN BASE64 ENCODED)
kind: Secret
metadata:
  annotations:
    kubernetes.io/service-account.name: jenkins
    kubernetes.io/service-account.uid: 4d66eb4c-42e9-11e7-9860-ee7d8982865f
  creationTimestamp: 2017-05-27T14:32:25Z
  name: jenkins-token-l9v7v
  namespace: default
  resourceVersion: "45558"
  selfLink: /api/v1/namespaces/default/secrets/jenkins-token-l9v7v
  uid: 4d697992-42e9-11e7-9860-ee7d8982865f
type: kubernetes.io/service-account-token
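The note above points at jwt.io for reading a token, and the Secret above stores `ca.crt`, `namespace` and `token` base64-encoded. The following Python is an added example (not from the handbook) that does the same inspection locally, so a live bearer token never has to be pasted into a third-party web page: it base64-decodes the Secret's `data` fields, then splits the token as a compact JWS and decodes its payload without verifying the signature. The Secret data and the token are constructed here from the values shown on this page; the signature is a placeholder, so the sample token authenticates nowhere.

```python
import base64
import json


def b64url_encode(raw: bytes) -> str:
    """JWT segments use the URL-safe alphabet with '=' padding stripped."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Restore the stripped padding before decoding a JWT segment."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_sample_token(claims: dict) -> str:
    """Build a JWT-shaped string for inspection only. A real token carries a
    signature made with the API server's service-account key; this one has a
    constructed placeholder in its place."""
    header = {"alg": "RS256", "typ": "JWT"}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    return ".".join([
        b64url_encode(compact(header)),
        b64url_encode(compact(claims)),
        b64url_encode(b"placeholder-signature"),
    ])


# Constructed claims mirroring what a legacy secret-based token for the
# "jenkins" service account above carries. Values are taken from this page.
SAMPLE_CLAIMS = {
    "iss": "kubernetes/serviceaccount",
    "kubernetes.io/serviceaccount/namespace": "default",
    "kubernetes.io/serviceaccount/secret.name": "jenkins-token-l9v7v",
    "kubernetes.io/serviceaccount/service-account.name": "jenkins",
    "kubernetes.io/serviceaccount/service-account.uid": "4d66eb4c-42e9-11e7-9860-ee7d8982865f",
    "sub": "system:serviceaccount:default:jenkins",
}

# Constructed stand-in for the Secret's .data block shown above.
SAMPLE_SECRET_DATA = {
    "ca.crt": base64.b64encode(
        b"-----BEGIN CERTIFICATE-----\n(constructed placeholder)\n-----END CERTIFICATE-----\n"
    ).decode("ascii"),
    "namespace": "ZGVmYXVsdA==",
    "token": base64.b64encode(make_unsigned_sample_token(SAMPLE_CLAIMS).encode()).decode("ascii"),
}


def decode_secret_data(data: dict) -> dict:
    """Secret .data values are standard base64 (padded); decode each to text."""
    return {key: base64.b64decode(value).decode("utf-8") for key, value in data.items()}


def jwt_payload(token: str) -> dict:
    """Return the payload claims WITHOUT checking the signature: this is for
    reading a token you already hold, the same thing jwt.io does."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))


def service_account_identity(token: str) -> dict:
    """Pull out the claims that identify the token: which service account,
    which namespace, which Secret it came from, and whether it ever expires."""
    claims = jwt_payload(token)
    prefix = "kubernetes.io/serviceaccount/"
    return {
        "subject": claims.get("sub"),
        "namespace": claims.get(prefix + "namespace"),
        "service_account": claims.get(prefix + "service-account.name"),
        "secret": claims.get(prefix + "secret.name"),
        # Legacy secret-based tokens carry no "exp" claim, so this stays None:
        # such a token remains valid until the Secret itself is deleted.
        "expires": claims.get("exp"),
    }


if __name__ == "__main__":
    decoded = decode_secret_data(SAMPLE_SECRET_DATA)
    print("namespace:", decoded["namespace"])
    print(json.dumps(service_account_identity(decoded["token"]), indent=2))
```

The `expires` field is the one to look at when reviewing a mounted token: a legacy token with no `exp` claim is valid for as long as its Secret exists, which is why leaked copies of it matter more than short-lived credentials.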

Adding ImagePullSecrets

With the ServiceAccount admission controller enabled, the imagePullSecrets listed on a service account are added to every Pod that uses it and does not specify its own (see above):

apiVersion: v1
kind: ServiceAccount
metadata:
  creationTimestamp: 2015-08-07T22:02:39Z
  name: default
  namespace: default
  selfLink: /api/v1/namespaces/default/serviceaccounts/default
  uid: 052fb0f4-3d50-11e5-b066-42010af0d7b6
secrets:
- name: default-token-uudge
imagePullSecrets:
- name: myregistrykey

Authorization

A service account gives a workload a convenient authentication mechanism, but it says nothing about authorization. Combine it with RBAC to authorize what a service account may do:
    configure --authorization-mode=RBAC and --runtime-config=rbac.authorization.k8s.io/v1alpha1
    configure --authorization-rbac-super-user=admin
    define Role, ClusterRole, RoleBinding or ClusterRoleBinding objects
For example:
# This role allows to read pods in the namespace "default"
kind: Role
apiVersion: rbac.authorization.k8s.io/v1alpha1
metadata:
  namespace: default
  name: pod-reader
rules:
- apiGroups: [""] # The API group "" indicates the core API Group.
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
  nonResourceURLs: []
---
# This role binding allows "default" to read pods in the namespace "default"
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1alpha1
metadata:
  name: read-pods
  namespace: default
subjects:
- kind: ServiceAccount # May be "User", "Group" or "ServiceAccount"
  name: default
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
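To make the effect of the Role and RoleBinding above concrete, here is an added Python example (not from the handbook) that mirrors the two objects as plain dictionaries and evaluates requests against them the way RBAC reasons: deny by default, allow only when a binding in the request's namespace names the subject and the referenced Role has a rule matching apiGroup, resource and verb. The `Request` type, the dict layout and the `is_allowed` function are this example's own simplified model, not the API server's authorizer; the ServiceAccount subject carries an explicit `namespace`, which the `rbac.authorization.k8s.io/v1` API requires for that subject kind.

```python
from dataclasses import dataclass

# Plain-dict mirror of the Role above (constructed for this example).
POD_READER_ROLE = {
    "kind": "Role",
    "metadata": {"namespace": "default", "name": "pod-reader"},
    "rules": [
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "watch", "list"]},
    ],
}

# Plain-dict mirror of the RoleBinding above. A ServiceAccount subject is
# identified by namespace + name; the authenticated user string it maps to is
# "system:serviceaccount:<namespace>:<name>".
READ_PODS_BINDING = {
    "kind": "RoleBinding",
    "metadata": {"namespace": "default", "name": "read-pods"},
    "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "default"}],
    "roleRef": {"kind": "Role", "name": "pod-reader", "apiGroup": "rbac.authorization.k8s.io"},
}


@dataclass(frozen=True)
class Request:
    """One authorization question, as the API server would frame it."""
    user: str        # e.g. "system:serviceaccount:default:default"
    verb: str        # get / list / watch / create / delete / ...
    api_group: str   # "" is the core API group
    resource: str    # pods, secrets, ...
    namespace: str   # namespace the request targets


def subject_matches(subject: dict, user: str) -> bool:
    """Does this binding subject denote the authenticated user?"""
    if subject["kind"] == "ServiceAccount":
        return user == f"system:serviceaccount:{subject['namespace']}:{subject['name']}"
    if subject["kind"] == "User":
        return user == subject["name"]
    # Group subjects need the user's group list, which this model does not carry.
    return False


def rule_matches(rule: dict, req: Request) -> bool:
    """A rule matches when apiGroup, resource and verb are all listed (or '*')."""
    def listed(values, wanted):
        return "*" in values or wanted in values
    return (listed(rule.get("apiGroups", []), req.api_group)
            and listed(rule.get("resources", []), req.resource)
            and listed(rule.get("verbs", []), req.verb))


def is_allowed(req: Request, roles: list, bindings: list) -> bool:
    """Deny by default. Allow only if a RoleBinding in the request's namespace
    names the user and references a Role in that same namespace whose rules
    match. A Role therefore never grants anything outside its own namespace."""
    roles_in_ns = {
        r["metadata"]["name"]: r
        for r in roles
        if r["metadata"]["namespace"] == req.namespace
    }
    for binding in bindings:
        if binding["metadata"]["namespace"] != req.namespace:
            continue
        if not any(subject_matches(s, req.user) for s in binding["subjects"]):
            continue
        ref = binding["roleRef"]
        role = roles_in_ns.get(ref["name"]) if ref["kind"] == "Role" else None
        if role and any(rule_matches(rule, req) for rule in role["rules"]):
            return True
    return False


if __name__ == "__main__":
    sa = "system:serviceaccount:default:default"
    for verb, resource, ns in [("get", "pods", "default"), ("delete", "pods", "default"),
                               ("get", "secrets", "default"), ("get", "pods", "kube-system")]:
        ok = is_allowed(Request(sa, verb, "", resource, ns), [POD_READER_ROLE], [READ_PODS_BINDING])
        print(f"{verb} {resource} in {ns}: {'allowed' if ok else 'denied'}")
```

Running the checks shows what the binding actually hands to the `default` service account: read access to pods in `default` and nothing else, not even deleting those same pods, reading secrets, or reading pods in another namespace.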