
A First Look at Kubernetes Service Accounts in TKE

Original article. Author: 马凌鑫. Last modified 2018-08-15 16:53:39. Published in the column 云知识学习.

A service account exists so that processes inside a Pod can authenticate to the Kubernetes API (or to other services) with an identity of their own. It differs from a user account:

  • A user account is for humans; a service account is for processes running in Pods that call the Kubernetes API.
  • A user account is cluster-wide and not tied to a namespace; a service account lives in, and is scoped to, a single namespace.
  • Every namespace automatically gets a service account named default.
  • The token controller watches for service account creation and creates a secret holding a signed token for each one.

With the ServiceAccount admission controller enabled:

  • Every Pod gets spec.serviceAccountName set to default at creation unless it names another service account (spec.serviceAccount is the deprecated spelling of the same field).
  • The service account the Pod references must already exist; otherwise the Pod is rejected.
  • If the Pod sets no imagePullSecrets, the service account's imagePullSecrets are copied into the Pod.
  • A volume carrying the service account's token, ca.crt and namespace is added to the Pod and mounted into each container at /var/run/secrets/kubernetes.io/serviceaccount/, unless automountServiceAccountToken is set to false on the Pod or on the service account.

The points above are taken from https://www.kubernetes.org.cn/service-account and describe the cluster version used here (2018). One caveat for readers on newer clusters: since Kubernetes 1.24 the token controller no longer creates a long-lived secret for every service account; Pods receive short-lived, audience-bound tokens through a projected volume and the TokenRequest API, so the secret-based token examined below is the legacy form.

First, let's see which service accounts (sa) exist by default. Apart from the bottom two, which I created during this experiment, all of them were created automatically.

[root@VM_0_4_centos ~]# kubectl get sa --all-namespaces
NAMESPACE     NAME                                 SECRETS   AGE
default       default                              1         15d
kube-public   default                              1         15d
kube-system   attachdetach-controller              1         15d
kube-system   ccs-log-collector                    1         12d
kube-system   certificate-controller               1         15d
kube-system   clusterrole-aggregation-controller   1         15d
kube-system   cronjob-controller                   1         15d
kube-system   daemon-set-controller                1         15d
kube-system   default                              1         15d
kube-system   deployment-controller                1         15d
kube-system   disruption-controller                1         15d
kube-system   endpoint-controller                  1         15d
kube-system   generic-garbage-collector            1         15d
kube-system   horizontal-pod-autoscaler            1         15d
kube-system   job-controller                       1         15d
kube-system   kube-dns                             1         15d
kube-system   lb-ingress                           1         15d
kube-system   namespace-controller                 1         15d
kube-system   node-controller                      1         15d
kube-system   persistent-volume-binder             1         15d
kube-system   pod-garbage-collector                1         15d
kube-system   pv-protection-controller             1         15d
kube-system   pvc-protection-controller            1         15d
kube-system   replicaset-controller                1         15d
kube-system   replication-controller               1         15d
kube-system   resourcequota-controller             1         15d
kube-system   route-controller                     1         15d
kube-system   service-account-controller           1         15d
kube-system   service-controller                   1         15d
kube-system   statefulset-controller               1         15d
kube-system   ttl-controller                       1         15d
malingxin     default                              1         4h
malingxin     malingxin-serviceaccount             1         4h7d

If the ServiceAccount admission plugin is enabled on the API server (--admission-control=...,ServiceAccount,... on the version used here; --enable-admission-plugins on Kubernetes 1.10 and later), a sa named default exists in every namespace.

Here is the default sa. The most important field is secrets: every sa owns a secret that holds its token. That token is a signed JWT, not an encrypted blob, and the secret stores it base64-encoded; the secret itself is examined in detail below.

[root@VM_0_4_centos kubernetes]# kubectl get sa  default  -o yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  creationTimestamp: 2018-07-30T07:02:59Z
  name: default
  namespace: default
  resourceVersion: "32098076583"
  selfLink: /api/v1/namespaces/default/serviceaccounts/default
  uid: 97937601-93c6-11e8-984e-52540008e6f8
secrets:
- name: default-token-z6bqj

Now let's look at the secret's format. It holds three items: the token, the cluster CA certificate (ca.crt) and the namespace.

[root@VM_0_4_centos kubernetes]# kubectl get secrets default-token-z6bqj
NAME                  TYPE                                  DATA      AGE
default-token-z6bqj   kubernetes.io/service-account-token   3         15d
[root@VM_0_4_centos kubernetes]# kubectl get secrets default-token-z6bqj -o yaml
apiVersion: v1
data:
  ca.crt: <base64-encoded cluster CA certificate, truncated>
  namespace: ZGVmYXVsdA==
  token: ZXlKaGJHY2lPaUpTVXpJMU5pSXNJbXRwWkNJNklpSjkuZXlKcGMzTWlPaUpyZFdKbGNtNWxkR1Z6TDNObGNuWnBZMlZoWTJOdmRXNTBJaXdpYTNWaVpYSnVaWFJsY3k1cGJ5OXpaWEoyYVdObFlXTmpiM1Z1ZEM5dVlXMWxjM0JoWTJVaU9pSmtaV1poZFd4MElpd2lhM1ZpWlhKdVpYUmxjeTVwYnk5elpYSjJhV05sWVdOamIzVnVkQzl6WldOeVpYUXVibUZ0WlNJNkltUmxabUYxYkhRdGRHOXJaVzR0ZWpaaWNXb2lMQ0pyZFdKbGNtNWxkR1Z6TG1sdkwzTmxjblpwWTJWaFkyTnZkVzUwTDNObGNuWnBZMlV0WVdOamIzVnVkQzV1WVcxbElqb2laR1ZtWVhWc2RDSXNJbXQxWW1WeWJtVjBaWE11YVc4dmMyVnlkbWxqWldGalkyOTFiblF2YzJWeWRtbGpaUzFoWTJOdmRXNTBMblZwWkNJNklqa3pOT1RNM05qQXhMVGt6WXpZdE1URmxPQzA1T0RSbExUVXlOVFF3TURBNFpUWm1PQ0lzSW5OMVlpSTZJbk41YzNSbGJUcHpaWEoyYVdObFlXTmpiM1Z1ZERwa1pXWmhkV3gwT21SbFptRjFiSFFpZlEuRkldEtQ2pLRTVteEQ5YXdFbGgybmtkWHBlTEdWSVdxZUtHQnh0X3p2M3FlYmxGRE1YNDdta25UQkFTSDZKakRGbjBkMU1QaEZsS3VGMlUtazNSWkRWNDByVzVPLTZoaFJnOGUzcjlLQUFmUlJjN2R6UXhfc2J1cnNuOU04NTFHY2hDNGpMZFo1dVdIX0ltZ2lMOUNGdHAzUkYydXd1c18tUUdYZzByZm9kXzY0UWV3a2RXa3hGWno0MnlyWkswSmMyTm1falBkNGVJLU9VNzAyc19wc0VTZFpINTlkcjNKdjduckdYeU9iLWhUZTQ4a0dLNHBGZy1HQTdlZW4yM2Y2Mkd4dGV2Vm9wN0dLVjA0RkZHYnJBMEZIRHh6d01VeW51N2dSaU9TeVQyWGxYS09OUk9PQ2MxMWhUM3NodWF0OGhpWDJ5bU9jNUE3N3B0aXRyQW9vZVE=
kind: Secret
metadata:
  annotations:
    kubernetes.io/service-account.name: default
    kubernetes.io/service-account.uid: 97937601-93c6-11e8-984e-52540008e6f8
  creationTimestamp: 2018-07-30T07:02:59Z
  name: default-token-z6bqj
  namespace: default
  resourceVersion: "32098076576"
  selfLink: /api/v1/namespaces/default/secrets/default-token-z6bqj
  uid: 9796744c-93c6-11e8-984e-52540008e6f8
type: kubernetes.io/service-account-token

The values under data are base64-encoded, not encrypted: anyone who can read this Secret can decode them and use the token as-is. The token is a JWT signed with the controller manager's service account key; ca.crt is the CA that verifies the API server's TLS certificate, not the key that signs the token, so possession of the Secret lets you read the token's claims but not forge new ones.
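The decoding step described above, as an added example that is not code from the original article: it rebuilds a Secret of type kubernetes.io/service-account-token with the same claim layout as the legacy token shown on this page (the claim names are the real ones; the secret name, uid and CA text are constructed stand-ins), then decodes it the way an operator, or anyone who has read the Secret, would. No signature is verified, because the signing key is not in the Secret.

```python
import base64
import json

# Added example, not from the original article. All values are constructed.


def b64url_encode(raw: bytes) -> str:
    """JWT segments use unpadded base64url, unlike the Secret's data fields."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(segment: str) -> bytes:
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def make_legacy_token(namespace: str, sa_name: str, secret_name: str, uid: str) -> str:
    """Build a token carrying the claims of a pre-1.24 service account token.
    The signature is a placeholder; real tokens are RS256-signed with the
    controller manager's --service-account-private-key-file key."""
    header = {"alg": "RS256", "kid": ""}
    claims = {
        "iss": "kubernetes/serviceaccount",
        "kubernetes.io/serviceaccount/namespace": namespace,
        "kubernetes.io/serviceaccount/secret.name": secret_name,
        "kubernetes.io/serviceaccount/service-account.name": sa_name,
        "kubernetes.io/serviceaccount/service-account.uid": uid,
        "sub": f"system:serviceaccount:{namespace}:{sa_name}",
    }

    def seg(obj) -> str:
        return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())

    return f"{seg(header)}.{seg(claims)}.{b64url_encode(b'placeholder-signature')}"


# Constructed stand-in for the `data:` section of `kubectl get secret -o yaml`.
# Kubernetes stores each value as standard base64: encoding, not encryption.
SECRET_DATA = {
    "ca.crt": base64.b64encode(
        b"-----BEGIN CERTIFICATE-----\n(cluster CA, omitted)\n-----END CERTIFICATE-----\n"
    ).decode(),
    "namespace": base64.b64encode(b"default").decode(),
    "token": base64.b64encode(
        make_legacy_token(
            "default", "default", "default-token-z6bqj",
            "97937601-93c6-11e8-984e-52540008e6f8",
        ).encode()
    ).decode(),
}


def inspect_token_secret(data: dict) -> dict:
    """Decode the Secret's fields and summarise what the token asserts.
    This is exactly what anyone holding the Secret can learn from it."""
    namespace = base64.b64decode(data["namespace"]).decode()
    token = base64.b64decode(data["token"]).decode()
    header_b64, claims_b64, _signature = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    claims = json.loads(b64url_decode(claims_b64))
    sa_name = claims["kubernetes.io/serviceaccount/service-account.name"]
    return {
        "alg": header["alg"],
        "namespace": namespace,
        "service_account": sa_name,
        "secret_name": claims["kubernetes.io/serviceaccount/secret.name"],
        "subject": claims["sub"],
        # the Secret's namespace field and the token's own claims must agree
        "consistent": (
            claims["sub"] == f"system:serviceaccount:{namespace}:{sa_name}"
            and claims["kubernetes.io/serviceaccount/namespace"] == namespace
        ),
        # legacy tokens carry no exp claim: they stay valid until the Secret is deleted
        "expires": "exp" in claims,
    }


if __name__ == "__main__":
    print(json.dumps(inspect_token_secret(SECRET_DATA), indent=2))
```

Run against a real Secret, the same function shows the practical consequence of the legacy design: the token never expires, so a leaked copy remains usable until the Secret is deleted and the token controller issues a new one.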

When a user creates a Pod in this namespace, it uses this sa by default. Below is an excerpt from kubectl get pod -o yaml: Kubernetes has added the default sa's token secret to the Pod as a volume and mounts it into the container.

  volumes:
  - name: default-token-z6bqj
    secret:
      defaultMode: 420
      secretName: default-token-z6bqj

Next, enter the container and run ls -l /var/run/secrets/kubernetes.io/serviceaccount/

@nginx-54c86bb7c6-k5cnp:/# ls -l  /var/run/secrets/kubernetes.io/serviceaccou
total 0
lrwxrwxrwx 1 root root 13 Aug 15 03:33 ca.crt -> ..data/ca.crt
lrwxrwxrwx 1 root root 16 Aug 15 03:33 namespace -> ..data/namespace
lrwxrwxrwx 1 root root 12 Aug 15 03:33 token -> ..data/token

ca.crt, namespace and token are now inside the container, so the container can talk to the API server over HTTPS: the token goes in the Authorization header as a bearer credential and ca.crt verifies the server's certificate. What the request may do is then decided by RBAC for the identity system:serviceaccount:<namespace>:<name>; in an RBAC-enabled cluster the default sa has no rights on resources unless someone has bound a Role or ClusterRole to it.
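The in-cluster request described above, as an added example that is not code from the original article: it reads the three mounted files, builds a request with the token as Bearer credential and ca.crt as the pinned trust anchor, and asks the API server what this identity is allowed to do via a SelfSubjectAccessReview instead of guessing. The KUBERNETES_SERVICE_HOST/PORT variables are the ones the kubelet injects; make_fake_sa_dir() writes a constructed stand-in for the mounted directory so that everything except send() runs offline.

```python
import json
import os
import ssl
import tempfile
import urllib.request

# Added example, not from the original article.

SA_DIR = "/var/run/secrets/kubernetes.io/serviceaccount"


def load_identity(sa_dir: str = SA_DIR) -> dict:
    """Read the mounted files. ca.crt is returned as a path because the TLS
    layer wants a file, not its contents."""
    with open(os.path.join(sa_dir, "token")) as f:
        token = f.read().strip()
    with open(os.path.join(sa_dir, "namespace")) as f:
        namespace = f.read().strip()
    return {"token": token, "namespace": namespace, "cafile": os.path.join(sa_dir, "ca.crt")}


def api_base_url(env=os.environ) -> str:
    """In-cluster API server address from the variables every container receives."""
    host = env["KUBERNETES_SERVICE_HOST"]
    port = env.get("KUBERNETES_SERVICE_PORT", "443")
    return f"https://{host}:{port}"


def build_request(base_url: str, path: str, identity: dict, body=None):
    """Attach the service account token as a Bearer credential; POST when a body is given."""
    headers = {"Authorization": f"Bearer {identity['token']}", "Accept": "application/json"}
    data = None
    if body is not None:
        data = json.dumps(body).encode()
        headers["Content-Type"] = "application/json"
    return urllib.request.Request(base_url + path, data=data, headers=headers,
                                  method="POST" if data else "GET")


def self_subject_access_review(namespace: str, verb: str, resource: str) -> dict:
    """The body of authorization.k8s.io/v1 SelfSubjectAccessReview: 'may I <verb> <resource> here?'"""
    return {
        "apiVersion": "authorization.k8s.io/v1",
        "kind": "SelfSubjectAccessReview",
        "spec": {"resourceAttributes": {"namespace": namespace, "verb": verb, "resource": resource}},
    }


def send(req, cafile: str) -> dict:
    """Pin TLS to the cluster CA from the mount; never fall back to an unverified context."""
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.load(resp)


def make_fake_sa_dir() -> str:
    """Constructed stand-in for the mounted directory, for offline demonstration only."""
    d = tempfile.mkdtemp()
    files = {
        "token": "header.payload.signature\n",
        "namespace": "default\n",
        "ca.crt": "-----BEGIN CERTIFICATE-----\n(placeholder)\n-----END CERTIFICATE-----\n",
    }
    for name, content in files.items():
        with open(os.path.join(d, name), "w") as f:
            f.write(content)
    return d


if __name__ == "__main__":
    ident = load_identity()
    review = self_subject_access_review(ident["namespace"], "list", "secrets")
    req = build_request(api_base_url(), "/apis/authorization.k8s.io/v1/selfsubjectaccessreviews",
                        ident, review)
    # status.allowed tells you whether this sa can list secrets in its own namespace
    print(json.dumps(send(req, ident["cafile"])["status"], indent=2))
```

From outside the cluster the same question is answered by kubectl auth can-i --list --as=system:serviceaccount:default:default, which is the quickest way to find out what a leaked token would have been worth.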

Create a simple sa

The namespace must exist before the sa can be created in it. Write the manifest (the namespace is malingxin, matching the listing above) and apply it with kubectl; a Pod then selects it through spec.serviceAccountName.

cat > serviceaccount.yaml <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: malingxin-serviceaccount
  namespace: malingxin
EOF
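Creating a dedicated sa only helps if Pods actually reference it. As an added example that is not code from the original article, and going a step beyond it, the audit below walks a Pod list in the shape kubectl get pods -A -o json produces and flags the two patterns worth fixing: Pods that fall back to the default sa, and Pods that get a token mounted although nothing in them calls the API. The field names are the real Pod and ServiceAccount API fields; the sample Pods and the automount settings of the sample service accounts are constructed.

```python
# Added example, not from the original article. Sample data is constructed.

# Constructed: automountServiceAccountToken as set on each ServiceAccount object,
# keyed by (namespace, name). Kubernetes treats an unset value as true.
SERVICE_ACCOUNT_AUTOMOUNT = {
    ("default", "default"): True,
    ("malingxin", "malingxin-serviceaccount"): False,
}


def token_is_mounted(pod_spec: dict, sa_automount: bool) -> bool:
    """The Pod-level setting wins; otherwise the ServiceAccount's setting applies."""
    if "automountServiceAccountToken" in pod_spec:
        return bool(pod_spec["automountServiceAccountToken"])
    return sa_automount


def audit_pod(pod: dict, sa_automount_by_key: dict) -> list:
    """Return human-readable findings for one Pod object."""
    findings = []
    namespace = pod["metadata"].get("namespace", "default")
    spec = pod["spec"]
    sa_name = spec.get("serviceAccountName") or spec.get("serviceAccount") or "default"
    if "serviceAccount" in spec and "serviceAccountName" not in spec:
        findings.append("uses deprecated spec.serviceAccount; set spec.serviceAccountName")
    if sa_name == "default":
        findings.append(f"runs as the default service account of namespace {namespace}; "
                        "create a dedicated ServiceAccount and reference it")
    sa_automount = sa_automount_by_key.get((namespace, sa_name), True)
    if token_is_mounted(spec, sa_automount):
        findings.append("service account token is mounted into the containers; "
                        "set automountServiceAccountToken: false unless the workload calls the API")
    return findings


def audit_pod_list(pod_list: dict, sa_automount_by_key: dict) -> dict:
    """Map 'namespace/name' to findings for every item of a PodList."""
    report = {}
    for pod in pod_list["items"]:
        key = f"{pod['metadata'].get('namespace', 'default')}/{pod['metadata']['name']}"
        report[key] = audit_pod(pod, sa_automount_by_key)
    return report


# Constructed PodList in the shape of `kubectl get pods -A -o json`.
SAMPLE_POD_LIST = {
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {   # plain nginx as on this page: default sa, token mounted
            "metadata": {"name": "nginx", "namespace": "default"},
            "spec": {"containers": [{"name": "nginx", "image": "nginx"}]},
        },
        {   # the recommended shape: dedicated sa, no token mount
            "metadata": {"name": "worker", "namespace": "malingxin"},
            "spec": {
                "serviceAccountName": "malingxin-serviceaccount",
                "automountServiceAccountToken": False,
                "containers": [{"name": "worker", "image": "busybox"}],
            },
        },
        {   # dedicated sa via the deprecated field; sa itself disables automount
            "metadata": {"name": "legacy", "namespace": "malingxin"},
            "spec": {
                "serviceAccount": "malingxin-serviceaccount",
                "containers": [{"name": "legacy", "image": "busybox"}],
            },
        },
    ],
}


if __name__ == "__main__":
    for pod_key, findings in audit_pod_list(SAMPLE_POD_LIST, SERVICE_ACCOUNT_AUTOMOUNT).items():
        print(pod_key, "->", findings or "ok")
```

Feed it real data by loading the JSON from kubectl get pods -A -o json and kubectl get sa -A -o json; the audit is cheap to run in CI against rendered manifests before they reach the cluster.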

Original statement: this article was published on the Tencent Cloud Developer Community with the author's authorization and may not be reproduced without permission.

For infringement concerns, contact cloudcommunity@tencent.com for removal.
