kubernetes Service Accounts for Pods
service account 顾名思义就是服务账号kubectl的user accounts 一般情况下是 admin,除非k8s管理员已修改否则,默认就是admin,service account默认是default使用default服务帐户访问API服务器如果你创建pod未指定service account时,自动默认service account就是default通过ku...
·
service account 顾名思义就是服务账号
kubectl的user accounts 一般情况下是 admin,除非k8s管理员已修改否则,默认就是admin,service account默认是default
使用default服务帐户访问API服务器
如果你创建pod未指定service account时,自动默认service account就是default
通过kubectl get pod podName -n namespace可以查看spec.serviceAccountName的值
在版本1.6+中,您可以通过在服务帐户上设置automountServiceAccountToken:false来退出服务帐户的自动挂载API凭证:
apiVersion: v1
kind: ServiceAccount
metadata:
name: build-robot
automountServiceAccountToken: false//设置false
...在版本1.6+中,您还可以选择禁用某个自动安装API凭据:
apiVersion: v1
kind: Pod
metadata:
name: my-pod
spec:
serviceAccountName: build-robot
automountServiceAccountToken: false
...使用多个服务帐户
k8s默认创建serviceAccounts为default
[root@master-02 ~]# kubectl get serviceAccounts
NAME SECRETS AGE
default 1 1d创建自己的service account:
$ cat > /tmp/serviceaccount.yaml <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
name: build-robot
EOF
$ kubectl create -f /tmp/serviceaccount.yaml
serviceaccount "build-robot" created[root@master-02 ~]# kubectl get serviceAccounts
NAME SECRETS AGE
build-robot 1 5s
default 1 1d
[root@master-02 ~]# kubectl get serviceAccounts build-robot -oyaml
apiVersion: v1
kind: ServiceAccount
metadata:
creationTimestamp: 2018-04-22T11:05:46Z
name: build-robot
namespace: default
resourceVersion: "108742"
selfLink: /api/v1/namespaces/default/serviceaccounts/build-robot
uid: 1b7049cd-461d-11e8-917b-080027587c6b
secrets:
- name: build-robot-token-ktqfb删除service account
[root@master-02 ~]# kubectl delete serviceaccount/build-robot
serviceaccount "build-robot" deleted手动创建service account API令牌
$ kubectl create -f /tmp/serviceaccount.yaml
cat > /tmp/build-robot-secret.yaml <<EOF
apiVersion: v1
kind: Secret
metadata:
name: build-robot-secret
annotations:
kubernetes.io/service-account.name: build-robot
type: kubernetes.io/service-account-token
EOF
[root@master-02 ~]# kubectl create -f /tmp/build-robot-secret.yaml
secret "build-robot-secret" created[root@master-02 ~]# kubectl get secret
NAME TYPE DATA AGE
build-robot-secret kubernetes.io/service-account-token 3 36s
build-robot-token-h257n kubernetes.io/service-account-token 3 6m
default-token-9dbnz kubernetes.io/service-account-token 3 1d[root@master-02 ~]# kubectl describe secrets/build-robot-secret
Name: build-robot-secret
Namespace: default
Labels: <none>
Annotations: kubernetes.io/service-account.name=build-robot
kubernetes.io/service-account.uid=89ff446a-461e-11e8-917b-080027587c6b
Type: kubernetes.io/service-account-token
Data
====
ca.crt: 1363 bytes
namespace: 7 bytes
token: eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImJ1aWxkLXJvYm90LXNlY3JldCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJidWlsZC1yb2JvdCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6Ijg5ZmY0NDZhLTQ2MWUtMTFlOC05MTdiLTA4MDAyNzU4N2M2YiIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpkZWZhdWx0OmJ1aWxkLXJvYm90In0.pbGFgMQSUoJkaLza08vk3RzKPD6cC2rSFPTbikiw-CCHF96_nHfUHmQRaLv217TRw_uZQWcX5J8wpK3ckTYZYAeF2ePUBv2XR21B9BNXCzF-hTRz6_Rayok3LqMoHeuuQ7v6j_DjbDXfJqo29D6ry5HgA5rVJldCJQ9VreGpHIYwrVcVbqep_xfVvJtqjJAh93tPNImU3vhTSLFMyuhuNIz8xlFrO5LnondmcLWus3FFoVCot5WkzG7qAIBB8zStTNkSfVclQW1z8Opu9tkji0XIz7C4BKgbd90boNsjbbCXDxGvcHWeNkQ1dP1BY7Ah_55iKxTpuIpfKhyV0pZt4wend 更多信息请参考configure-service-account
K8S/Kubernetes社区为您提供最前沿的新闻资讯和知识内容
更多推荐
0
0- 0
已为社区贡献9条内容
所有评论(0)