Service account for Kubernetes


  1. Service Account Role
    A service account exists so that a process running inside a pod can authenticate when it calls the Kubernetes API or other external services.
  2. Service Account Usage Scenarios
    Processes running in a pod need to call the Kubernetes API and also other, non-Kubernetes services. A service account is not intended for human users of the cluster; it is meant for the processes inside the pod and provides the identity the pod uses to authenticate.
  3. Difference from user account
    (1) A user account is designed for people, while a service account is for the processes in a pod;
    (2) A user account spans namespaces, while a service account is limited to the namespace it resides in.
  4. Hands-on
    # Define namespace: test
    cat >> test.yaml << EOF
    apiVersion: v1
    kind: Namespace
    metadata:
        name: test
        labels:
            name: test
    EOF
    # Create namespace: test
    kubectl create -f ./test.yaml
    # List the service accounts in namespace test
    kubectl get sa -n test
    NAME      SECRETS   AGE
    default   1         3h
    ## Notes:
    ## (1) If the ServiceAccount admission controller is enabled on the apiserver (--admission_control=...,ServiceAccount,...),
    ##     a service account named "default" is created in every namespace; that is the "default" listed above.
    ## (2) The ServiceAccount admission controller is enabled by default.
    # Inspect the "default" service account generated in namespace test
    kubectl get sa default -o yaml -n test
    apiVersion: v1
    kind: ServiceAccount
    metadata:
        creationTimestamp: 2018-05-31T06:21:10Z
        name: default
        namespace: test
        resourceVersion: "45560"
        selfLink: /api/v1/namespaces/test/serviceaccounts/default
        uid: cf57c735-649a-11e8-adc5-000c290a7d06
    secrets:
    - name: default-token-ccf9m
    ## Notes:
    ## (1) Every pod the user creates in this namespace uses this service account unless told otherwise;
    ## (2) After creation, each pod has spec.serviceAccount set to "default" automatically (unless another ServiceAccount was specified);
    ## (3) When each container starts, the matching token and ca.crt are mounted at /var/run/secrets/kubernetes.io/serviceaccount/.
    # Create the deployment
    cat >> nginx_deploy.yaml << EOF
    apiVersion: extensions/v1beta1
    kind: Deployment
    metadata:
        name: nginx-test
        namespace: test
    spec:
        replicas: 2
        template:
            metadata:
                labels:
                    app: nginx
            spec:
                containers:
                - name: nginx
                  image: nginx:1.7.9
                  ports:
                  - containerPort: 80
    EOF
    # List the generated Pods
    kubectl get po -n test
    NAME                          READY     STATUS    RESTARTS   AGE
    nginx-test-75675f5897-7l5bc   1/1       Running   0          1h
    nginx-test-75675f5897-b7pcn   1/1       Running   0          1h
    # Describe one of the Pods, e.g. nginx-test-75675f5897-7l5bc
    kubectl describe po nginx-test-75675f5897-7l5bc -n test
    ## Note the default-token-ccf9m volume in the output:
        Environment:    <none>
        Mounts:
          /var/run/secrets/kubernetes.io/serviceaccount from default-token-ccf9m (ro)
    Conditions:
      Type           Status
      Initialized    True
      Ready          True
      PodScheduled   True
    Volumes:
      default-token-ccf9m:
        Type:        Secret (a volume populated by a Secret)
        SecretName:  default-token-ccf9m
    ## Notes:
    ## (1) Each pod has spec.serviceAccount set to "default" automatically after creation (unless another ServiceAccount was specified);
    ## (2) each container mounts the matching token and ca.crt at /var/run/secrets/kubernetes.io/serviceaccount/.
    # Open a shell in one of the Pods, e.g. nginx-test-75675f5897-7l5bc
    kubectl exec -it nginx-test-75675f5897-7l5bc /bin/bash --namespace=test
    ## Run inside the container:
    ls -l /var/run/secrets/kubernetes.io/serviceaccount/
    lrwxrwxrwx 1 root root 13 May 31 08:15 ca.crt -> ..data/ca.crt
    lrwxrwxrwx 1 root root 16 May 31 08:15 namespace -> ..data/namespace
    lrwxrwxrwx 1 root root 12 May 31 08:15 token -> ..data/token
    ## Note: ca.crt, namespace and token have been placed in the container, so the container can now talk to the apiserver over HTTPS.
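    The post stops at listing the mounted files; the following is an added example (not from the original post) showing how a process in the container actually uses them: the token goes into a bearer header, ca.crt is used to verify the apiserver's certificate, and the namespace file scopes the request. The KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT variables are the ones kubelet injects into every container; the function names and the SA_DIR override are assumptions made for the example.

```shell
# Added example, not part of the original post. Run from inside a pod
# (e.g. after the kubectl exec above); SA_DIR can be overridden for testing.
SA_DIR="${SA_DIR:-/var/run/secrets/kubernetes.io/serviceaccount}"

# Build the bearer header from the mounted token file.
sa_auth_header() {
    dir="${1:-$SA_DIR}"
    printf 'Authorization: Bearer %s\n' "$(cat "$dir/token")"
}

# Read the namespace the pod runs in from the mounted "namespace" file.
sa_namespace() {
    dir="${1:-$SA_DIR}"
    cat "$dir/namespace"
}

# URL of a namespaced core-API resource, e.g. "pods" -> .../namespaces/<ns>/pods
sa_url() {
    resource="$1"
    dir="${2:-$SA_DIR}"
    host="${KUBERNETES_SERVICE_HOST:-kubernetes.default.svc}"
    port="${KUBERNETES_SERVICE_PORT:-443}"
    printf 'https://%s:%s/api/v1/namespaces/%s/%s\n' \
        "$host" "$port" "$(sa_namespace "$dir")" "$resource"
}

# GET a resource list. The apiserver certificate is checked against the mounted
# ca.crt; disabling verification (-k) would let any endpoint posing as the
# apiserver collect the token, so the mounted CA is always used here.
sa_api_get() {
    resource="$1"
    curl -sS --cacert "$SA_DIR/ca.crt" \
        -H "$(sa_auth_header "$SA_DIR")" \
        "$(sa_url "$resource" "$SA_DIR")"
}

# Usage inside the container:
#   sa_api_get pods
# With RBAC enabled (section 6) the "default" service account has no Role that
# allows "list pods", so the apiserver answers with a 403 Forbidden Status object:
# authentication succeeded (the token was accepted), authorization did not.
```

    The 403 case is the one to expect on a correctly configured cluster: the mounted token identifies the pod as system:serviceaccount:test:default, and only a Role or ClusterRole bound to that subject turns the identity into permissions.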
  5. Create service account manually
    # Write the heapster_test.yaml file
    cat >> heapster_test.yaml << EOF
    apiVersion: v1
    kind: ServiceAccount
    metadata:
        name: heapster
        namespace: test
    EOF

    # Create the service account "heapster"
    kubectl create -f heapster_test.yaml
    serviceaccount "heapster" created

    # Inspect the service account "heapster"
    kubectl get sa -o yaml -n test
    ## The relevant part of the output:
        secrets:
        - name: heapster-token-7xrlg
  6. Service Account Authentication
    A service account gives a service a convenient way to authenticate, but by itself it says nothing about authorization. Authorization for a service account is handled with RBAC:
    (1) Configure --authorization-mode=RBAC and --runtime-config=rbac.authorization.k8s.io/v1alpha1
    (2) Configure --authorization-rbac-super-user=admin
    (3) Define a Role, ClusterRole, RoleBinding or ClusterRoleBinding

    # Hands-on
    When deploying Kubernetes Dashboard 1.8.3 we hit an access-rights error on first login, caused by the way the dashboard's service account had been created. The fix used was to bind that service account to the cluster-admin ClusterRole:

    cat >> kube-dashboard-access.yaml << EOF
    apiVersion: rbac.authorization.k8s.io/v1beta1
    kind: ClusterRoleBinding
    metadata:
        name: kubernetes-dashboard
        labels:
            k8s-app: kubernetes-dashboard
    roleRef:
        apiGroup: rbac.authorization.k8s.io
        kind: ClusterRole
        name: cluster-admin
    subjects:
    - kind: ServiceAccount
      name: kubernetes-dashboard
      namespace: kube-system
    EOF
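    Binding cluster-admin resolves the login error but hands the dashboard's service account, and anything that obtains its mounted token, full control of the cluster. As an added example (not from the original post), the script below shows the namespaced alternative the post's step (3) allows: a Role plus RoleBinding for the "heapster" service account created in section 5, followed by kubectl auth can-i checks that impersonate the service account's RBAC subject name. The verbs and resources in the Role, the role name and the function names are assumptions chosen for illustration; grant only what the process actually calls.

```shell
# Added example, not part of the original post.
# Write a Role + RoleBinding manifest that grants read-only access to pods and
# services in one namespace to one ServiceAccount (assumed rules, for illustration).
# Usage: write_sa_rbac <outfile> <namespace> <serviceaccount> [role-name]
write_sa_rbac() {
    out="$1"; ns="$2"; sa="$3"; role="${4:-$3-reader}"
    cat > "$out" << EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
    name: $role
    namespace: $ns
rules:
- apiGroups: [""]
  resources: ["pods", "services"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
    name: $role-binding
    namespace: $ns
roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: Role
    name: $role
subjects:
- kind: ServiceAccount
  name: $sa
  namespace: $ns
EOF
}

# The username RBAC sees when a ServiceAccount token is presented.
sa_subject() {
    printf 'system:serviceaccount:%s:%s\n' "$1" "$2"
}

# Check the effective permissions by impersonating the subject; this needs kubectl
# and a cluster but not the service account's token. "no" answers make
# kubectl exit non-zero, so each call is guarded with "|| true".
check_sa_access() {
    ns="$1"; sa="$2"; subj="$(sa_subject "$ns" "$sa")"
    for verb in list delete; do
        printf '%s pods in %s: ' "$verb" "$ns"
        kubectl auth can-i "$verb" pods -n "$ns" --as "$subj" || true   # expect: list yes, delete no
    done
    printf 'list pods in kube-system: '
    kubectl auth can-i list pods -n kube-system --as "$subj" || true    # expect: no (Role is namespaced)
}

# Usage against the cluster from the post:
#   write_sa_rbac heapster_rbac.yaml test heapster
#   kubectl create -f heapster_rbac.yaml
#   check_sa_access test heapster
```

    The same can-i checks are useful after applying the dashboard binding above: impersonating system:serviceaccount:kube-system:kubernetes-dashboard will answer "yes" to everything, which is what cluster-admin means.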
