[kubernetes] Kubernetes Service Accounts (ServiceAccount)

ServiceAccount

When you create a Pod without specifying a service account, the Pod is assigned the default service account of its namespace.

For example, run kubectl get pods/podname -o yaml and you will see that the spec.serviceAccountName field has already been set automatically.

Viewing service accounts

```console
$ kubectl get serviceAccounts
NAME      SECRETS   AGE
default   1         86m
```

Creating a service account

```console
$ kubectl create -f - <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: build-robot
# automountServiceAccountToken: false  # top-level field, available from 1.6: do not auto-mount this account's token; note that the Pod SPEC setting takes highest precedence
EOF

$ kubectl get serviceAccounts
NAME          SECRETS   AGE
build-robot   1         2m54s
default       1         89m

$ kubectl get serviceaccounts/build-robot -o yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  creationTimestamp: "2022-02-08T20:02:59Z"
  name: build-robot
  namespace: default
  resourceVersion: "4790"
  uid: f7b3e50f-1010-4e5c-91ff-5bd608347aa7
secrets:
- name: build-robot-token-c2q67
```

Deleting the account

```console
$ kubectl delete serviceaccount/build-robot
```

ServiceAccount+ClusterRole+ClusterRoleBinding

ServiceAccount.yaml

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: xc
  namespace: hello

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: xc-role
  # "namespace" is ignored here, because ClusterRoles are not namespaced
rules:
- apiGroups: [""]
  resources: ["nodes", "nodes/metrics", "services", "endpoints", "pods"]
  verbs: ["get", "list", "watch"]
- apiGroups: [""]
  resources: ["configmaps"]
  verbs: ["get"]

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: xc-role-role-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: xc-role
subjects:
- kind: ServiceAccount
  name: xc
  namespace: hello
```

app-nginx.yaml

```yaml
apiVersion: v1
kind: Service
metadata:
  name: nginx-svc
  namespace: hello
  labels:
    app: nginx
spec:
  type: LoadBalancer
  ports:
  - port: 80
  selector:
    app: nginx
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-dc
  namespace: hello
  labels:
    app: nginx
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      serviceAccountName: xc  # the ServiceAccount the deployed Pods run as
      containers:
      - name: nginx
        image: nginx:1.21.6-alpine
        ports:
        - containerPort: 80
```
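To show what the binding above actually grants the nginx Pods running as xc, here is an added example (not part of the original post, and not Kubernetes' own authorizer): a minimal Python re-implementation of RBAC rule matching. The xc-role rules are embedded as a constructed literal mirroring ServiceAccount.yaml so the script runs offline, and unexpected_grants is a hypothetical review helper that flags sensitive verbs the rules would allow.

```python
# Added example: minimal model of how the Kubernetes RBAC authorizer matches a
# request against ClusterRole rules. Not Kubernetes code; the rule list below is
# constructed to mirror the xc-role ClusterRole from ServiceAccount.yaml above.

XC_ROLE_RULES = [
    {"apiGroups": [""],  # "" is the core API group (pods, nodes, configmaps, ...)
     "resources": ["nodes", "nodes/metrics", "services", "endpoints", "pods"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get"]},
]


def _matches(allowed, wanted):
    # RBAC lists are allow-lists; "*" is a wildcard. A subresource such as
    # "nodes/metrics" must be listed explicitly: "nodes" alone does not cover it.
    return "*" in allowed or wanted in allowed


def can_i(rules, verb, resource, api_group=""):
    """True if any rule grants `verb` on `resource` in `api_group`.

    Rules are purely additive: RBAC has no deny rule, so the first match wins
    and anything no rule mentions is denied.
    """
    for rule in rules:
        if (_matches(rule["apiGroups"], api_group)
                and _matches(rule["resources"], resource)
                and _matches(rule["verbs"], verb)):
            return True
    return False


# Hypothetical review list: (verb, resource) pairs a read-only role should not grant.
SENSITIVE = [("delete", "pods"), ("create", "pods"), ("get", "secrets"),
             ("list", "secrets"), ("update", "configmaps")]


def unexpected_grants(rules, sensitive=SENSITIVE):
    """Return the sensitive (verb, resource) pairs that `rules` would allow."""
    return [(v, r) for v, r in sensitive if can_i(rules, v, r)]


if __name__ == "__main__":
    for verb, res in [("get", "pods"), ("delete", "pods"),
                      ("get", "configmaps"), ("list", "configmaps")]:
        print(f"can xc {verb} {res}? {can_i(XC_ROLE_RULES, verb, res)}")
    print("sensitive grants:", unexpected_grants(XC_ROLE_RULES))
```

Against a live cluster the equivalent check is kubectl auth can-i <verb> <resource> --as=system:serviceaccount:hello:xc, which asks the real authorizer instead of this model.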

References

Configure Service Accounts for Pods

Authorization Overview