Hands-on walkthrough

```shell
# Define namespace: test
cat > test.yaml << EOF
apiVersion: v1
kind: Namespace
metadata:
  name: test
  labels:
    name: test
EOF

# Create namespace: test
kubectl create -f ./test.yaml
```
```
# List the ServiceAccounts in namespace test
kubectl get sa -n test
NAME      SECRETS   AGE
default   1         3h
```

Notes: (1) If the ServiceAccount admission controller is enabled on the API server (`--admission-control=...,ServiceAccount,...`; on newer releases the flag is `--enable-admission-plugins`), a ServiceAccount named `default` is created in every namespace. That is the `default` listed above. (2) The ServiceAccount admission controller is enabled by default.
```
# Inspect the default ServiceAccount generated in namespace test
kubectl get sa default -o yaml -n test
apiVersion: v1
kind: ServiceAccount
metadata:
  creationTimestamp: 2018-05-31T06:21:10Z
  name: default
  namespace: test
  resourceVersion: "45560"
  selfLink: /api/v1/namespaces/test/serviceaccounts/default
  uid: cf57c735-649a-11e8-adc5-000c290a7d06
secrets:
- name: default-token-ccf9m
```

Notes: (1) Pods created in this namespace use this ServiceAccount unless told otherwise. (2) After creation every Pod has `spec.serviceAccountName` set to `default` (older output also shows the deprecated alias `spec.serviceAccount`) unless another ServiceAccount was specified. (3) Every container gets the ServiceAccount's `token` and `ca.crt` mounted at `/var/run/secrets/kubernetes.io/serviceaccount/`. On the cluster shown here the token is a long-lived Secret (`default-token-ccf9m`) with no expiry; since Kubernetes 1.24 a short-lived projected token is mounted at the same path instead and that Secret is no longer created automatically.
```shell
# Create a Deployment
cat > nginx_deploy.yaml << EOF
apiVersion: extensions/v1beta1   # removed in 1.16; on current clusters use apps/v1, which also requires spec.selector
kind: Deployment
metadata:
  name: nginx-test
  namespace: test
spec:
  replicas: 2
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:1.7.9
        ports:
        - containerPort: 80
EOF
kubectl create -f ./nginx_deploy.yaml
```

```
# Check the generated Pods
kubectl get po -n test
NAME                          READY   STATUS    RESTARTS   AGE
nginx-test-75675f5897-7l5bc   1/1     Running   0          1h
nginx-test-75675f5897-b7pcn   1/1     Running   0          1h
```
```
# Inspect one of the Pods in detail, e.g. nginx-test-75675f5897-7l5bc
kubectl describe po nginx-test-75675f5897-7l5bc -n test
## Note the default-token-ccf9m volume in the output:
    Environment:  <none>
    Mounts:
      /var/run/secrets/kubernetes.io/serviceaccount from default-token-ccf9m (ro)
Conditions:
  Type           Status
  Initialized    True
  Ready          True
  PodScheduled   True
Volumes:
  default-token-ccf9m:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  default-token-ccf9m
```

Notes: (1) the Pod's `spec.serviceAccountName` was set to `default` automatically, because the Deployment did not specify a ServiceAccount; (2) the container mounts that ServiceAccount's `token` and `ca.crt` read-only at `/var/run/secrets/kubernetes.io/serviceaccount/`.
```
# Enter the container of one of the Pods, e.g. nginx-test-75675f5897-7l5bc
kubectl exec -it nginx-test-75675f5897-7l5bc --namespace=test -- /bin/bash
## Inside the container:
ls -l /var/run/secrets/kubernetes.io/serviceaccount/
lrwxrwxrwx 1 root root 13 May 31 08:15 ca.crt -> ..data/ca.crt
lrwxrwxrwx 1 root root 16 May 31 08:15 namespace -> ..data/namespace
lrwxrwxrwx 1 root root 12 May 31 08:15 token -> ..data/token
```

Note: `ca.crt`, `namespace` and `token` are now inside the container, so any process in it can talk to the API server over HTTPS, authenticating as `system:serviceaccount:test:default`. The token only establishes identity; what that identity is allowed to do is decided by the authorizer, which is the subject of the next section. Keep in mind that anyone who can read this container's filesystem (code execution in nginx, a `kubectl exec`, a copy of the node's disk) holds the same credential.
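Added example (not from the original post): a small shell script to run inside the container, showing what the three mounted files are actually used for. It decodes the `sub` claim of the mounted token, which is a JWT signed by the API server's service-account key, so the payload is readable without the key, and it builds and issues an authenticated, CA-verified request to the API server. `SA_DIR`, `KUBERNETES_SERVICE_HOST` and `KUBERNETES_SERVICE_PORT` are the standard mount path and the env vars kubelet injects into every container; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original post. Run inside a Pod's container.
SA_DIR="${SA_DIR:-/var/run/secrets/kubernetes.io/serviceaccount}"

# Decode segment $2 (1 = header, 2 = payload) of the JWT in $1.
# JWT segments are base64url without padding, so undo the URL alphabet and
# re-add "=" before handing the data to base64 -d.
jwt_segment() {
  printf '%s' "$1" | cut -d. -f"$2" | tr '_-' '/+' \
    | awk '{ while (length($0) % 4) $0 = $0 "="; print }' | base64 -d
}

# The "sub" claim of the mounted token: the username the API server will see,
# e.g. system:serviceaccount:test:default.
sa_token_subject() {
  jwt_segment "$(cat "$SA_DIR/token")" 2 \
    | sed -n 's/.*"sub" *: *"\([^"]*\)".*/\1/p'
}

# URL of a namespace-scoped core resource in the Pod's own namespace, using the
# in-cluster service address. Argument: resource name, e.g. "pods".
sa_api_url() {
  printf 'https://%s:%s/api/v1/namespaces/%s/%s' \
    "${KUBERNETES_SERVICE_HOST:-kubernetes.default.svc}" \
    "${KUBERNETES_SERVICE_PORT:-443}" \
    "$(cat "$SA_DIR/namespace")" "$1"
}

# GET a resource as the Pod's ServiceAccount. --cacert pins the cluster CA from
# the mount, so the token is never sent to an unverified server. With RBAC on
# and no binding for the default SA this returns a 403 Status object; with a
# permissive authorizer it returns the pod list.
sa_api_get() {
  curl -sS --cacert "$SA_DIR/ca.crt" \
    -H "Authorization: Bearer $(cat "$SA_DIR/token")" \
    "$(sa_api_url "$1")"
}

# Stand-alone run: only do something if the mount is actually present.
if [ -r "$SA_DIR/token" ]; then
  echo "token subject: $(sa_token_subject)"
  sa_api_get pods
fi
```

`sa_api_get pods` is the quickest way to find out whether the authorizer actually restricts this token: a `403` with `reason: Forbidden` means RBAC is doing its job, a full pod list means every process in the Pod can already read the namespace.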
ServiceAccount Authorization
A ServiceAccount gives a service a convenient identity for authentication, but it says nothing about authorization. What a ServiceAccount is allowed to do is decided by RBAC:

(1) Start the API server with `--authorization-mode=RBAC` and `--runtime-config=rbac.authorization.k8s.io/v1alpha1` (the runtime-config entry is only needed on old releases where the RBAC API was still alpha; since it became stable it is served as `rbac.authorization.k8s.io/v1` without any flag).
(2) Configure `--authorization-rbac-super-user=admin` (an old flag for bootstrapping a superuser; it was deprecated and later removed, current releases grant bootstrap rights through the `system:masters` group instead).
(3) Define a Role or ClusterRole and attach it to the ServiceAccount with a RoleBinding or ClusterRoleBinding.
Hands-on
When deploying Kubernetes Dashboard 1.8.3 we ran into an access-denied error at first login, because the ServiceAccount the dashboard runs as had not been granted any permissions.
```shell
cat > kube-dashboard-access.yaml << EOF
apiVersion: rbac.authorization.k8s.io/v1beta1   # v1beta1 was removed in 1.22; use rbac.authorization.k8s.io/v1 there
kind: ClusterRoleBinding
metadata:
  name: kubernetes-dashboard
  labels:
    k8s-app: kubernetes-dashboard
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: kubernetes-dashboard
  namespace: kube-system
EOF
kubectl create -f ./kube-dashboard-access.yaml
```

This makes the login error go away, but be clear about what it grants: the `kubernetes-dashboard` ServiceAccount, and therefore everything the dashboard does on behalf of whoever opens it, now runs as `cluster-admin`. If the dashboard is reachable without authentication or its login can be skipped, anyone who can open the UI gets full control of the cluster. Prefer logging in with the token of a ServiceAccount bound to a narrower role, or at least bind the dashboard only to the namespaces it needs.
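Added example (not from the original post) for the three RBAC steps above and as the least-privilege counterpart to the `cluster-admin` binding: a script that generates a namespaced Role plus RoleBinding for a ServiceAccount and then checks the result with `kubectl auth can-i --as=...`, which evaluates each request exactly as the API server would for that ServiceAccount. The function names, the `pod-reader` role name and the verb/resource lists are placeholders chosen for this example; `test`/`default` are the namespace and ServiceAccount from the walkthrough.

```shell
#!/bin/sh
# Added example, not code from the original post.

# Emit a Role allowing only the given verbs on the given core resources in the
# namespace, plus a RoleBinding attaching it to the ServiceAccount.
#   rbac_manifest <namespace> <serviceaccount> <role> <verbs> <resources>
# verbs and resources are comma-separated, e.g. "get,list,watch" "pods,pods/log".
rbac_manifest() {
  ns=$1; sa=$2; role=$3
  verb_list=$(printf '"%s"' "$4" | sed 's/,/", "/g')
  res_list=$(printf '"%s"' "$5" | sed 's/,/", "/g')
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: $role
  namespace: $ns
rules:
- apiGroups: [""]
  resources: [$res_list]
  verbs: [$verb_list]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: $role
  namespace: $ns
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: $role
subjects:
- kind: ServiceAccount
  name: $sa
  namespace: $ns
EOF
}

# The username the API server derives from a ServiceAccount token; this is
# what --as must be given so that can-i is evaluated as the SA, not as you.
sa_username() {
  printf 'system:serviceaccount:%s:%s' "$1" "$2"
}

# kubectl auth can-i prints yes/no and exits 1 on "no"; keep going under set -e.
can_i() { kubectl auth can-i "$@" || true; }

# Apply the manifest and verify it from the SA's point of view. Expected
# answers are in the comments: the Role grants read access to pods in its own
# namespace and nothing else.
rbac_apply_and_check() {
  ns=$1; sa=$2; role=$3
  rbac_manifest "$ns" "$sa" "$role" "get,list,watch" "pods,pods/log" \
    | kubectl apply -f -
  user=$(sa_username "$ns" "$sa")
  can_i get pods    -n "$ns"       --as="$user"   # yes
  can_i get pods    -n kube-system --as="$user"   # no: Role is namespaced
  can_i delete pods -n "$ns"       --as="$user"   # no: verb not granted
  can_i create pods -n "$ns"       --as="$user"   # no
  can_i '*' '*'                    --as="$user"   # no: this is what cluster-admin would say yes to
  # Full list of what the SA may do, for review before shipping the binding:
  can_i --list -n "$ns" --as="$user"
}

# Usage against a live cluster (needs kubectl and cluster-admin on your side):
#   rbac_apply_and_check test default pod-reader
```

The `can_i '*' '*'` line is the one to keep in any pre-deployment check: it answers `yes` only for subjects bound to `cluster-admin` or an equivalent wildcard rule, which is exactly the state the dashboard binding above creates.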