kubernetes Service Accounts for Pods-蒲公英云

kubernetes Service Accounts for Pods

向右看齐 2022-05-26 01:25 270阅读 0赞

service account 顾名思义就是服务账号
kubectl的user accounts 一般情况下是 admin，除非k8s管理员已修改否则，默认就是admin,service account默认是default

使用default服务帐户访问API服务器
如果你创建pod未指定service account时，自动默认service account就是default
通过kubectl get pod podName -n namespace可以查看spec.serviceAccountName的值

在版本1.6+中，您可以通过在服务帐户上设置automountServiceAccountToken：false来退出服务帐户的自动挂载API凭证：

apiVersion: v1
kind: ServiceAccount
metadata:
  name: build-robot
automountServiceAccountToken: false//设置false
...

在版本1.6+中，您还可以选择禁用某个自动安装API凭据：

apiVersion: v1
kind: Pod
metadata:
  name: my-pod
spec:
  serviceAccountName: build-robot
  automountServiceAccountToken: false
  ...

使用多个服务帐户
k8s默认创建serviceAccounts为default

[root@master-02 ~]# kubectl get serviceAccounts
NAME      SECRETS   AGE
default   1         1d

创建自己的service account:

$ cat > /tmp/serviceaccount.yaml <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: build-robot
EOF
$ kubectl create -f /tmp/serviceaccount.yaml
serviceaccount "build-robot" created
[root@master-02 ~]# kubectl get serviceAccounts
NAME          SECRETS   AGE
build-robot   1         5s
default       1         1d
[root@master-02 ~]# kubectl get serviceAccounts build-robot -oyaml
apiVersion: v1
kind: ServiceAccount
metadata:
  creationTimestamp: 2018-04-22T11:05:46Z
  name: build-robot
  namespace: default
  resourceVersion: "108742"
  selfLink: /api/v1/namespaces/default/serviceaccounts/build-robot
  uid: 1b7049cd-461d-11e8-917b-080027587c6b
secrets:
- name: build-robot-token-ktqfb

删除service account

[root@master-02 ~]# kubectl delete serviceaccount/build-robot
serviceaccount "build-robot" deleted

手动创建service account API令牌

$ kubectl create -f /tmp/serviceaccount.yaml
cat > /tmp/build-robot-secret.yaml <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: build-robot-secret
  annotations:
    kubernetes.io/service-account.name: build-robot
type: kubernetes.io/service-account-token
EOF
[root@master-02 ~]# kubectl create -f /tmp/build-robot-secret.yaml
secret "build-robot-secret" created
[root@master-02 ~]# kubectl get secret
NAME                      TYPE                                  DATA      AGE
build-robot-secret        kubernetes.io/service-account-token   3         36s
build-robot-token-h257n   kubernetes.io/service-account-token   3         6m
default-token-9dbnz       kubernetes.io/service-account-token   3         1d
[root@master-02 ~]# kubectl describe secrets/build-robot-secret
Name:         build-robot-secret
Namespace:    default
Labels:       <none>
Annotations:  kubernetes.io/service-account.name=build-robot
              kubernetes.io/service-account.uid=89ff446a-461e-11e8-917b-080027587c6b
Type:  kubernetes.io/service-account-token
Data
====
ca.crt:     1363 bytes
namespace:  7 bytes
token:      eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImJ1aWxkLXJvYm90LXNlY3JldCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJidWlsZC1yb2JvdCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6Ijg5ZmY0NDZhLTQ2MWUtMTFlOC05MTdiLTA4MDAyNzU4N2M2YiIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpkZWZhdWx0OmJ1aWxkLXJvYm90In0.pbGFgMQSUoJkaLza08vk3RzKPD6cC2rSFPTbikiw-CCHF96_nHfUHmQRaLv217TRw_uZQWcX5J8wpK3ckTYZYAeF2ePUBv2XR21B9BNXCzF-hTRz6_Rayok3LqMoHeuuQ7v6j_DjbDXfJqo29D6ry5HgA5rVJldCJQ9VreGpHIYwrVcVbqep_xfVvJtqjJAh93tPNImU3vhTSLFMyuhuNIz8xlFrO5LnondmcLWus3FFoVCot5WkzG7qAIBB8zStTNkSfVclQW1z8Opu9tkji0XIz7C4BKgbd90boNsjbbCXDxGvcHWeNkQ1dP1BY7Ah_55iKxTpuIpfKhyV0pZt4w