Service Account

  • ServiceAccount 为 Pod 中的进程提供身份信息,用于pod 访问api server。
  • 自动挂载到容器的 /var/run/secrets/kubernetes.io/serviceaccount 目录中。
  • 在认证时,ServiceAccount 的用户名格式为 system:serviceaccount:(NAMESPACE):(SERVICEACCOUNT),并从属于两个 group:system:serviceaccountssystem:serviceaccounts:(NAMESPACE)

开启sa

  • apiserver 启动参数 --admission-control 加上 ServiceAccount
 /hyperkube apiserver 
 --advertise-address=192.168.137.101 --etcd-servers=https://192.168.137.101:2379,https://192.168.137.102:2379,https://192.168.137.103:2379
 --etcd-quorum-read=true
 --etcd-cafile=/etc/ssl/etcd/ssl/ca.pem
 --etcd-certfile=/etc/ssl/etcd/ssl/node-node1.pem
 --etcd-keyfile=/etc/ssl/etcd/ssl/node-node1-key.pem 
 --insecure-bind-address=127.0.0.1 
 --apiserver-count=2 
 --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota 
 --service-cluster-ip-range=10.233.0.0/18 
 --service-node-port-range=30000-32767 
 --client-ca-file=/etc/kubernetes/ssl/ca.pem
 --basic-auth-file=/etc/kubernetes/users/known_users.csv --tls-cert-file=/etc/kubernetes/ssl/apiserver.pem --tls-private-key-file=/etc/kubernetes/ssl/apiserver-key.pem --token-auth-file=/etc/kubernetes/tokens/known_tokens.csv
 --service-account-key-file=/etc/kubernetes/ssl/apiserver-key.pem 
 --secure-port=6443 
 --insecure-port=8080 
 --storage-backend=etcd3 
 --v=2 
 --allow-privileged=true 
 --anonymous-auth=False

查看sa

  • 系统默认给每个 namespace 下面都会创建一个默认的default的sa。
  • 每个sa拥有一个加密的 token,在 secrets 里。
[root@node1 ~]# kubectl get sa --all-namespaces 
NAMESPACE     NAME      SECRETS   AGE
default       default   1         8d
kube-public   default   1         8d
kube-system   coredns   1         23h
kube-system   default   1         8d

[root@node1 ~]# kubectl get sa default -n kube-system -o yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  creationTimestamp: 2018-06-06T15:11:35Z
  name: default
  namespace: kube-system
  resourceVersion: "277"
  selfLink: /api/v1/namespaces/kube-system/serviceaccounts/default
  uid: e77b00db-699b-11e8-aac2-080027d04b6c
secrets:
- name: default-token-17rhr

secret 的类型为 kubernetes.io/service-account-token

[root@node1 ~]# kubectl get secret default-token-17rhr -n kube-system -o yaml
apiVersion: v1
data:
  ca.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUM5ekNDQWQrZ0F3SUJBZ0lKQVArdldaWFZMQ0JxTUEwR0NTcUdTSWIzRFFFQkN3VUFNQkl4RURBT0JnTlYKQkFNTUIydDFZbVV0WTJFd0hoY05NVGd3TmpBMk1UUTBOVFEwV2hjTk5EVXhNREl5TVRRME5UUTBXakFTTVJBdwpEZ1lEVlFRRERBZHJkV0psTFdOaE1JSUJJakFOQmdrcWhraUc5dzBCQVFFRkFBT0NBUThBTUlJQkNnS0NBUUVBCnNFMjBnbkJlQjNuVTF1WTJmR1FKUk96UVlpbXJvN0hFbUlYQVFVaVFiR2VacE5HMWc1MHYyU0RYdlFzS0dMUXIKakJRNVVMd2U2SHhXbEo3NGszQVVpMURLcVBTcEorc3R3TlpIY2xGRWtDbjA3alNPTGxrZjZLUlVkcTlNMHZFTgpreEprRHYrVkxON2dnNzhISVZRMGxkUkh5TWxVcEpTbG9kbkQ5YzVuSG9QWTFKeHo4OE42QWhuTng2RnlnRVVaCkN6QzZXZ202MktPckE1YmNRdGw2eURQbnRTYVV6S3Z6VE94S0tLYXp5cm52cWlDVmdjQzFRRFFKUFRCZFdnNUYKREV0Ukp6RlFtcDJHL3NEcENLOVRqVGZWc0h0R3NyVitUY1VGWWVWM2Eyam9FNC9vSEJINVdoSjRCcC95YUxtNwpuSlpJVmpPNEVmUEtjekhxZmZ6QWt3SURBUUFCbzFBd1RqQWRCZ05WSFE0RUZnUVVHVDNackF2WEFRcStZL2h4CnZTcitGQ3lpMXNNd0h3WURWUjBqQkJnd0ZvQVVHVDNackF2WEFRcStZL2h4dlNyK0ZDeWkxc013REFZRFZSMFQKQkFVd0F3RUIvekFOQmdrcWhraUc5dzBCQVFzRkFBT0NBUUVBcG9PbExXL0dnZEtIRUsxSkFyQmtOclRjMlNFLwp2NjFZNWdSZndQdkFMbEwwOHQ1d0hlUjRXMC9BQm9PQUdjL0t5M21OMzFWRmF1cTVZVW8rVFZRdnNsTk5ZZG9ICnUzbVg3a1BlYjIxZkh5WHhubU9tLzdkdTVDcFk5OHBLdnVNaWI5U3Via05nSWpCOVhZN3ZQZFVNQ2M5dnZVaUcKUmVYeGZiczl4UE9FVEJjYTl5a0t3VlVndWtnSTQ3MVViSlRBYzdpbkJjeWJTbWlsT0ppODRrRGdhTzJpc0MvSQp3QVpUVWZiQlZJd0s3MkFmTlhYcWszR2ovMWwzRVRTeXd6VGczc3J2emlYS0NUamFZRDZicWRKZ1gwMkdOeWZFCnprZHVWZEQwKzVtaDhCNEhnVENuemRrQUVQTFJZWVpuVUFMd09VTFRBbExmaHJrRDNoTXJlcUN2T0E9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
  namespace: a3ViZS1zeXN0ZW0=
  token: ZXlKaGJHY2lPaUpTVXpJMU5pSXNJblI1Y0NJNklrcFhWQ0o5LmV5SnBjM01pT2lKcmRXSmxjbTVsZEdWekwzTmxjblpwWTJWaFkyTnZkVzUwSWl3aWEzVmlaWEp1WlhSbGN5NXBieTl6WlhKMmFXTmxZV05qYjNWdWRDOXVZVzFsYzNCaFkyVWlPaUpyZFdKbExYTjVjM1JsYlNJc0ltdDFZbVZ5Ym1WMFpYTXVhVzh2YzJWeWRtbGpaV0ZqWTI5MWJuUXZjMlZqY21WMExtNWhiV1VpT2lKa1pXWmhkV3gwTFhSdmEyVnVMVEUzY21oeUlpd2lhM1ZpWlhKdVpYUmxjeTVwYnk5elpYSjJhV05sWVdOamIzVnVkQzl6WlhKMmFXTmxMV0ZqWTI5MWJuUXVibUZ0WlNJNkltUmxabUYxYkhRaUxDSnJkV0psY201bGRHVnpMbWx2TDNObGNuWnBZMlZoWTJOdmRXNTBMM05sY25acFkyVXRZV05qYjNWdWRDNTFhV1FpT2lKbE56ZGlNREJrWWkwMk9UbGlMVEV4WlRndFlXRmpNaTB3T0RBd01qZGtNRFJpTm1NaUxDSnpkV0lpT2lKemVYTjBaVzA2YzJWeWRtbGpaV0ZqWTI5MWJuUTZhM1ZpWlMxemVYTjBaVzA2WkdWbVlYVnNkQ0o5Lm1MeGFXN0lBWTgyYjNndUFOUXktbzNDcDBBOHUtZHA3dm5UUXFSejV3T0FiWHhzbUtmeVREV2M2RHdZektsVFduX0oybk9wdG82SFh4RjhKSE00UDJXa0lLZThYN2RUcExjVjRIV2JkdllXRUZOckNwNTV6VEkxbkxzVlJkOHFOSmZnRlNhVHk4QXgycXlJalEyOC1zTUR6WUJWTHA5eERwNkxaVkpoV1VvWXg5Rm5WQ3VVUVNBMkNFUXJzZ1BpWkJMc1N2cWZuMl84R0EtZHVDR2E2bHkwZ19sb3hLLTlCQVVEanl3ZFRNTUtpdFg3dktiSE5fYmVUTFdCZDYtaWh4RGw5QmtpSTJmcng5cEUtYmVkSGszUEM2ZDAzRWh2U1pPaFcxbVo2RmI0LTZpVWVRdVJYZEY3NmhZWWxqVDZTNGh6Q1QtQ2U3cUpEQ1dEbFJER0lvZw==
kind: Secret
metadata:
  annotations:
    kubernetes.io/service-account.name: default
    kubernetes.io/service-account.uid: e77b00db-699b-11e8-aac2-080027d04b6c
  creationTimestamp: 2018-06-06T15:11:35Z
  name: default-token-17rhr
  namespace: kube-system
  resourceVersion: "275"
  selfLink: /api/v1/namespaces/kube-system/secrets/default-token-17rhr
  uid: e780df51-699b-11e8-aac2-080027d04b6c
type: kubernetes.io/service-account-token

当用户在该 namespace 下创建 pod 时,会默认使用这个 sa ,k8s会默认把 sa 挂载到容器内。

[root@node1 ~]# kubectl get pods busybox1 -n kube-system -o yaml
apiVersion: v1
kind: Pod
metadata:
spec:
  containers:
  serviceAccount: default
  serviceAccountName: default
  terminationGracePeriodSeconds: 30
  volumes:
  - name: default-token-17rhr
    secret:
      defaultMode: 420
      secretName: default-token-17rhr

  ...
  volumes:
  - name: default-token-17rhr
    secret:
      defaultMode: 420
      secretName: default-token-17rhr

pod的容器里面可以查询到token和crt

/ # ls -l /var/run/secrets/kubernetes.io/serviceaccount/
total 0
lrwxrwxrwx    1 root     root            13 Jun 15 08:22 ca.crt -> ..data/ca.crt
lrwxrwxrwx    1 root     root            16 Jun 15 08:22 namespace -> ..data/namespace
lrwxrwxrwx    1 root     root            12 Jun 15 08:22 token -> ..data/token

创建sa

创建一个sa,会自动创建一个secret token,被sa引用。

[root@node1 ~]# cat sa-test.yaml 
apiVersion: v1
kind: ServiceAccount
metadata:
  name: sa-test

[root@node1 ~]# kubectl create -f sa-test.yaml 
serviceaccount "sa-test" created

[root@node1 ~]# kubectl get sa/sa-test -o yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  creationTimestamp: 2018-06-15T09:29:48Z
  name: sa-test
  namespace: default
  resourceVersion: "345447"
  selfLink: /api/v1/namespaces/default/serviceaccounts/sa-test
  uid: a5b2b982-707e-11e8-ac37-0800277b75c4
secrets:
- name: sa-test-token-xqb7q

[root@node1 ~]# kubectl get secrets
NAME                  TYPE                                  DATA      AGE
default-token-xz2pl   kubernetes.io/service-account-token   3         8d
sa-test-token-xqb7q   kubernetes.io/service-account-token   3         43s

[root@node1 ~]# kubectl get secrets/sa-test-token-xqb7q -o yaml
apiVersion: v1
data:
  ca.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUM5ekNDQWQrZ0F3SUJBZ0lKQVArdldaWFZMQ0JxTUEwR0NTcUdTSWIzRFFFQkN3VUFNQkl4RURBT0JnTlYKQkFNTUIydDFZbVV0WTJFd0hoY05NVGd3TmpBMk1UUTBOVFEwV2hjTk5EVXhNREl5TVRRME5UUTBXakFTTVJBdwpEZ1lEVlFRRERBZHJkV0psTFdOaE1JSUJJakFOQmdrcWhraUc5dzBCQVFFRkFBT0NBUThBTUlJQkNnS0NBUUVBCnNFMjBnbkJlQjNuVTF1WTJmR1FKUk96UVlpbXJvN0hFbUlYQVFVaVFiR2VacE5HMWc1MHYyU0RYdlFzS0dMUXIKakJRNVVMd2U2SHhXbEo3NGszQVVpMURLcVBTcEorc3R3TlpIY2xGRWtDbjA3alNPTGxrZjZLUlVkcTlNMHZFTgpreEprRHYrVkxON2dnNzhISVZRMGxkUkh5TWxVcEpTbG9kbkQ5YzVuSG9QWTFKeHo4OE42QWhuTng2RnlnRVVaCkN6QzZXZ202MktPckE1YmNRdGw2eURQbnRTYVV6S3Z6VE94S0tLYXp5cm52cWlDVmdjQzFRRFFKUFRCZFdnNUYKREV0Ukp6RlFtcDJHL3NEcENLOVRqVGZWc0h0R3NyVitUY1VGWWVWM2Eyam9FNC9vSEJINVdoSjRCcC95YUxtNwpuSlpJVmpPNEVmUEtjekhxZmZ6QWt3SURBUUFCbzFBd1RqQWRCZ05WSFE0RUZnUVVHVDNackF2WEFRcStZL2h4CnZTcitGQ3lpMXNNd0h3WURWUjBqQkJnd0ZvQVVHVDNackF2WEFRcStZL2h4dlNyK0ZDeWkxc013REFZRFZSMFQKQkFVd0F3RUIvekFOQmdrcWhraUc5dzBCQVFzRkFBT0NBUUVBcG9PbExXL0dnZEtIRUsxSkFyQmtOclRjMlNFLwp2NjFZNWdSZndQdkFMbEwwOHQ1d0hlUjRXMC9BQm9PQUdjL0t5M21OMzFWRmF1cTVZVW8rVFZRdnNsTk5ZZG9ICnUzbVg3a1BlYjIxZkh5WHhubU9tLzdkdTVDcFk5OHBLdnVNaWI5U3Via05nSWpCOVhZN3ZQZFVNQ2M5dnZVaUcKUmVYeGZiczl4UE9FVEJjYTl5a0t3VlVndWtnSTQ3MVViSlRBYzdpbkJjeWJTbWlsT0ppODRrRGdhTzJpc0MvSQp3QVpUVWZiQlZJd0s3MkFmTlhYcWszR2ovMWwzRVRTeXd6VGczc3J2emlYS0NUamFZRDZicWRKZ1gwMkdOeWZFCnprZHVWZEQwKzVtaDhCNEhnVENuemRrQUVQTFJZWVpuVUFMd09VTFRBbExmaHJrRDNoTXJlcUN2T0E9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
  namespace: ZGVmYXVsdA==
  token: ZXlKaGJHY2lPaUpTVXpJMU5pSXNJblI1Y0NJNklrcFhWQ0o5LmV5SnBjM01pT2lKcmRXSmxjbTVsZEdWekwzTmxjblpwWTJWaFkyTnZkVzUwSWl3aWEzVmlaWEp1WlhSbGN5NXBieTl6WlhKMmFXTmxZV05qYjNWdWRDOXVZVzFsYzNCaFkyVWlPaUprWldaaGRXeDBJaXdpYTNWaVpYSnVaWFJsY3k1cGJ5OXpaWEoyYVdObFlXTmpiM1Z1ZEM5elpXTnlaWFF1Ym1GdFpTSTZJbk5oTFhSbGMzUXRkRzlyWlc0dGVIRmlOM0VpTENKcmRXSmxjbTVsZEdWekxtbHZMM05sY25acFkyVmhZMk52ZFc1MEwzTmxjblpwWTJVdFlXTmpiM1Z1ZEM1dVlXMWxJam9pYzJFdGRHVnpkQ0lzSW10MVltVnlibVYwWlhNdWFXOHZjMlZ5ZG1salpXRmpZMjkxYm5RdmMyVnlkbWxqWlMxaFkyTnZkVzUwTG5WcFpDSTZJbUUxWWpKaU9UZ3lMVGN3TjJVdE1URmxPQzFoWXpNM0xUQTRNREF5TnpkaU56VmpOQ0lzSW5OMVlpSTZJbk41YzNSbGJUcHpaWEoyYVdObFlXTmpiM1Z1ZERwa1pXWmhkV3gwT25OaExYUmxjM1FpZlEucWVmZVZXT2xnTThKYUZ6eG5IaDJQMUMzSXZ0SU9fSGlmRUVBay1vVVZ0cEcxMFJkQWVfemZndmpyWmVCOTVaTlFlREZrZDd2dVpkbXNDY05mMk1mZzhOV0xsZHo3ZDJwUG5PQ0NaUk9xMklxY1R3dzFwc1RFNnhIdWE5RDlEUE9fTzd6Vkx5Y29qV0xDbUN1Zk9qbHpoSGlvR2M3YzhSZE5rRE9zMXhuSEFPY05DcTFkRTFHLTdhVlFCbmxNdG9pTWt3VWJ5SFR3a3dBakpxNHkwbVNXTlg5NllsSWxCVGE2dExJUkNMSTVDRjE4TUYybUV4LURqUGIybkdxMDQ3dHV0aDdqbk9nWW1yaTZWZ3kybWE2Y2tMZWRvOXNzLXJtQm9QbUt1NmJhcjZiSXR0ZkptR2dvUHAtQjQtNVB2N0RqY19FbHdCeHNrQ25GdHVON2oxX0pR
kind: Secret
metadata:
  annotations:
    kubernetes.io/service-account.name: sa-test
    kubernetes.io/service-account.uid: a5b2b982-707e-11e8-ac37-0800277b75c4
  creationTimestamp: 2018-06-15T09:29:48Z
  name: sa-test-token-xqb7q
  namespace: default
  resourceVersion: "345446"
  selfLink: /api/v1/namespaces/default/secrets/sa-test-token-xqb7q
  uid: a5ec7e4a-707e-11e8-9d66-080027d04b6c
type: kubernetes.io/service-account-token

创建sa 的默认 secret token

[root@node1 ~]# cat sa-test-secret.yaml 
apiVersion: v1
kind: Secret
metadata:
  name: sa-test-secret
  annotations: 
    kubernetes.io/service-account.name: sa-test
type: kubernetes.io/service-account-token
  • podservice account 中可以设置 automountServiceAccountToken来取消自动挂载API凭证,如果都设置了,pod设置的优先级更高。
    apiVersion: v1
    kind: ServiceAccount
    metadata:
    name: build-robot
    automountServiceAccountToken: false
    ...
    
apiVersion: v1
kind: Pod
metadata:
  name: my-pod
spec:
  serviceAccountName: build-robot
  automountServiceAccountToken: false
  ...

参考

powered by GitbookUpdated: 2019-01-25 09:24:15

results matching ""

    No results matching ""