- Service account作用
Service account是为了方便Pod里面的进程调用Kubernetes API或其他外部服务。 - Service account使用场景
运行在pod里的进程需要调用Kubernetes API以及非Kubernetes API的其它服务。Service Account它并不是给kubernetes集群的用户使用的,而是给pod里面的进程使用的,它为pod提供必要的身份认证。 - 与User account区别
(1)User account是为人设计的,而service account则是为了Pod中的进程;
(2)User account是跨namespace的,而service account则是仅局限它所在的namespace; - 实战
#定义namespace:testcat >> test.yaml << EOFapiVersion: v1kind: Namespacemetadata: ???name: test ????labels: ????????name: test#创建namespace:testkubectl create -f ./test.yaml ?#查看命名空间test的sakubectl get sa -n testNAME ?????SECRETS ??AGEdefault ??1 ????????3h##说明:(1)如果kubernetes开启了ServiceAccount(–admission_control=…,ServiceAccount,… )那么会在每个namespace下面都会创建一个默认的default的sa。如上命令查看的default !(2)ServiceAccount默认是开启的。#查看命名空间test生成的defaultkubectl get sa default -o yaml -n testapiVersion: v1kind: ServiceAccountmetadata: ???creationTimestamp: 2018-05-31T06:21:10Z ???name: default ???namespace: test ???resourceVersion: "45560" ???selfLink: /api/v1/namespaces/test/serviceaccounts/default ???uid: cf57c735-649a-11e8-adc5-000c290a7d06secrets:- name: default-token-ccf9m##说明:(1)当用户再该namespace下创建pod的时候都会默认使用这个sa;(2)每个Pod在创建后都会自动设置spec.serviceAccount为default(除非指定了其他ServiceAccout);(3)每个container启动后都会挂载对应的token和ca.crt到/var/run/secrets/kubernetes.io/serviceaccount/。#创建deploycat >> nginx_deploy.yaml << EOFapiVersion: extensions/v1beta1kind: Deploymentmetadata: ???name: nginx-test ???namespace: testspec: ???replicas: 2 ???template: ???????metadata: ???????????labels: ???????????????app: nginx ???????spec: ???????????containers: ???????????- name: nginx ???????????????image: nginx:1.7.9 ???????????????ports: ???????????????- containerPort: 80#查看生成的Podskubectl get po -n testNAME ?????????????????????????READY ????STATUS ???RESTARTS ??AGEnginx-test-75675f5897-7l5bc ??1/1 ??????Running ??0 ?????????1hnginx-test-75675f5897-b7pcn ??1/1 ??????Running ??0 ?????????1h#查看其中一个Pod的详细信息,如:nginx-test-75675f5897-7l5bckubectl describe po nginx-test-75675f5897-7l5bc -n test##其中default-token-ccf9m,请留意!Environment: ???<none>Mounts: ?/var/run/secrets/kubernetes.io/serviceaccount from default-token-ccf9m (ro)Conditions:Type ??????????StatusInitialized ???TrueReady ?????????TruePodScheduled ??TrueVolumes:default-token-ccf9m:Type: ???????Secret (a volume populated by a Secret)SecretName: ?default-token-ccf9m##说明:(1)每个Pod在创建后都会自动设置spec.serviceAccount为default(除非指定了其他ServiceAccout);(2)每个container启动后都会挂载对应的token和ca.crt到/var/run/secrets/kubernetes.io/serviceaccount/。#进入其中一个Pod的容器内,如:nginx-test-75675f5897-7l5bckubectl exec -it nginx-test-75675f5897-7l5bc ?/bin/bash --namespace=test##在容器内执行:ls -l ?/var/run/secrets/kubernetes.io/serviceaccount/lrwxrwxrwx 1 root root 13 May 31 08:15 ca.crt -> ..data/ca.crtlrwxrwxrwx 1 root root 16 May 31 08:15 namespace -> ..data/namespacelrwxrwxrwx 1 root root 12 May 31 08:15 token -> ..data/token##说明:可以看到已将ca.crt 、namespace和token放到容器内了,那么这个容器就可以通过https的请求访问apiserver了。 - 手动创建Service Account
#编辑heapster_test.yaml文件cat >> heapster_test.yaml <<EOFapiVersion: v1kind: ServiceAccountmetadata: ???name: heapster ???namespace: test#创建Service Account:heapsterkubectl create -f heapster_test.yamlserviceaccount "heapster" created#查看Service Account:heapsterkubectl get sa -o yaml -n test##主要内容如下: ???secrets: ???- name: heapster-token-7xrlg - Service Account鉴权
Service Account为服务提供了一种方便的认知机制,但它不关心授权的问题。可以配合RBAC来为Service Account鉴权:(1)配置--authorization-mode=RBAC和--runtime-config=rbac.authorization.k8s.io/v1alpha1(2)配置--authorization-rbac-super-user=admin(3)定义Role、ClusterRole、RoleBinding或ClusterRoleBinding#实战
我们在Kubernetes Dashboard1.8.3部署中,碰到首次登入出现访问权限报错的问题,原因就是ServiceAccount的创建问题。cat >> kube-dashboard-access.yaml << EOFapiVersion: rbac.authorization.k8s.io/v1beta1kind: ClusterRoleBindingmetadata: ?????name: kubernetes-dashboard ?????labels: ?????????k8s-app: kubernetes-dashboardroleRef: ?????apiGroup: rbac.authorization.k8s.io ?????kind: ClusterRole ?????name: cluster-adminsubjects: ???- kind: ServiceAccount ?????name: kubernetes-dashboard ?????namespace: kube-system
kubernetes的Service Account
原文地址:http://blog.51cto.com/wutengfei/2122570