64 lines
2.2 KiB
Markdown
64 lines
2.2 KiB
Markdown
|
# Service Account
|
|||
|
|
|||
|
Service account是为了方便Pod里面的进程调用Kubernetes API或其他外部服务,它不同于User account:
|
|||
|
|
|||
|
- User account是为人设计的,而service account则是为了Pod中的进程;
|
|||
|
- User account是跨namespace的,而service account则是仅局限它所在的namespace;
|
|||
|
- 开启ServiceAccount(默认开启)后,每个namespace都会自动创建一个Service account,并会相应的secret挂载到每一个Pod中
|
|||
|
- 默认ServiceAccount为default,自动关联一个访问kubernetes API的[Secret](Secret.md)
|
|||
|
- 每个Pod在创建后都会自动设置`spec.serviceAccount`为default(除非指定了其他ServiceAccout)
|
|||
|
- 每个container启动后都会挂载对应的token和`ca.crt`到`/var/run/secrets/kubernetes.io/serviceaccount/`
|
|||
|
|
|||
|
当然了,也可以创建更多的Service Account:
|
|||
|
|
|||
|
```
|
|||
|
$ cat > /tmp/serviceaccount.yaml <<EOF
|
|||
|
apiVersion: v1
|
|||
|
kind: ServiceAccount
|
|||
|
metadata:
|
|||
|
name: build-robot
|
|||
|
namespace: default
|
|||
|
EOF
|
|||
|
$ kubectl create -f /tmp/serviceaccount.yaml
|
|||
|
serviceaccounts/build-robot
|
|||
|
```
|
|||
|
|
|||
|
Service Account为服务提供了一种方便的认知机制,但它不关心授权的问题。可以配合[RBAC](https://kubernetes.io/docs/admin/authorization/#a-quick-note-on-service-accounts)来为Service Account鉴权:
|
|||
|
- 配置`--authorization-mode=RBAC`和`--runtime-config=rbac.authorization.k8s.io/v1alpha1`
|
|||
|
- 配置`--authorization-rbac-super-user=admin`
|
|||
|
- 定义Role、ClusterRole、RoleBinding或ClusterRoleBinding
|
|||
|
|
|||
|
比如
|
|||
|
|
|||
|
```yaml
|
|||
|
# This role allows to read pods in the namespace "default"
|
|||
|
kind: Role
|
|||
|
apiVersion: rbac.authorization.k8s.io/v1alpha1
|
|||
|
metadata:
|
|||
|
namespace: default
|
|||
|
name: pod-reader
|
|||
|
rules:
|
|||
|
- apiGroups: [""] # The API group "" indicates the core API Group.
|
|||
|
resources: ["pods"]
|
|||
|
verbs: ["get", "watch", "list"]
|
|||
|
nonResourceURLs: []
|
|||
|
---
|
|||
|
# This role binding allows "default" to read pods in the namespace "default"
|
|||
|
kind: RoleBinding
|
|||
|
apiVersion: rbac.authorization.k8s.io/v1alpha1
|
|||
|
metadata:
|
|||
|
name: read-pods
|
|||
|
namespace: default
|
|||
|
subjects:
|
|||
|
- kind: ServiceAccount # May be "User", "Group" or "ServiceAccount"
|
|||
|
name: default
|
|||
|
roleRef:
|
|||
|
kind: Role
|
|||
|
name: pod-reader
|
|||
|
apiGroup: rbac.authorization.k8s.io
|
|||
|
```
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|