kubernetes-handbook/concepts/serviceaccount.md

64 lines
2.2 KiB
Markdown
Raw Normal View History

2017-05-14 19:39:33 +08:00
# Service Account
2017-05-14 19:08:56 +08:00
Service account是为了方便Pod里面的进程调用Kubernetes API或其他外部服务它不同于User account
- User account是为人设计的而service account则是为了Pod中的进程
- User account是跨namespace的而service account则是仅局限它所在的namespace
- 开启ServiceAccount默认开启每个namespace都会自动创建一个Service account并会相应的secret挂载到每一个Pod中
- 默认ServiceAccount为default自动关联一个访问kubernetes API的[Secret](Secret.md)
- 每个Pod在创建后都会自动设置`spec.serviceAccount`为default除非指定了其他ServiceAccout
- 每个container启动后都会挂载对应的token和`ca.crt`到`/var/run/secrets/kubernetes.io/serviceaccount/`
当然了也可以创建更多的Service Account
```
$ cat > /tmp/serviceaccount.yaml <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
name: build-robot
namespace: default
EOF
$ kubectl create -f /tmp/serviceaccount.yaml
serviceaccounts/build-robot
```
Service Account为服务提供了一种方便的认知机制但它不关心授权的问题。可以配合[RBAC](https://kubernetes.io/docs/admin/authorization/#a-quick-note-on-service-accounts)来为Service Account鉴权
- 配置`--authorization-mode=RBAC`和`--runtime-config=rbac.authorization.k8s.io/v1alpha1`
- 配置`--authorization-rbac-super-user=admin`
- 定义Role、ClusterRole、RoleBinding或ClusterRoleBinding
比如
```yaml
# This role allows to read pods in the namespace "default"
kind: Role
apiVersion: rbac.authorization.k8s.io/v1alpha1
metadata:
namespace: default
name: pod-reader
rules:
- apiGroups: [""] # The API group "" indicates the core API Group.
resources: ["pods"]
verbs: ["get", "watch", "list"]
nonResourceURLs: []
---
# This role binding allows "default" to read pods in the namespace "default"
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1alpha1
metadata:
name: read-pods
namespace: default
subjects:
- kind: ServiceAccount # May be "User", "Group" or "ServiceAccount"
name: default
roleRef:
kind: Role
name: pod-reader
apiGroup: rbac.authorization.k8s.io
```