K8S基本操作-41-K8S Service account
Service Account 介紹
服務帳戶 (Service Account) 是一種由 Kubernetes 管理的帳戶類型,主要用於為 Pod 中執行的程序提供身分。它可以讓 Pod 訪問 Kubernetes API 和其他資源,而無需使用密碼或其他敏感資訊。
以下是服務帳戶的一些常見使用場景
-
讓 Pod 訪問 Kubernetes API: Pod 可以使用服務帳戶訪問 Kubernetes API,以執行諸如創建或刪除 Pod 等操作。
-
讓 Pod 訪問外部服務: Pod 可以使用服務帳戶訪問外部服務,例如雲端儲存或資料庫。
-
在 Pod 之間共享權限: 可以使用服務帳戶在 Pod 之間共享權限,而無需將權限硬編碼在 Pod 中。
Default Service Account
在任何一個 Pod 建立時,如果沒有指定,就會採用 Default Service Account 。
顯示 Service Account
kubectl get serviceaccounts
建立一個 Service Account
我們建立一個稱為app-service-account 的 Service Account:
kubectl create serviceaccount app-service-account
對這個 Service account 建立一個登入用的 Token
kubectl create token app-service-account
此時會產生一組 Token:
eyJhbGciOiJSUzI1NiIsImtpZCI6ImJvLWNGcWhheEY2WGc5Y0wyS2c1MnNvQUduTkNobUpuSkJWQkFNSGlrbXcifQ.eyJhdWQiOlsiaHR0cHM6Ly9rdWJlcm5ldGVzLmRlZmF1bHQuc3ZjLmNsdXN0ZXIubG9jYWwiLCJrM3MiXSwiZXhwIjoxNzA3MjkyNDEwLCJpYXQiOjE3MDcyODg4MTAsImlzcyI6Imh0dHBzOi8va3ViZXJuZXRlcy5kZWZhdWx0LnN2Yy5jbHVzdGVyLmxvY2FsIiwia3ViZXJuZXRlcy5pbyI6eyJuYW1lc3BhY2UiOiJkZWZhdWx0Iiwic2VydmljZWFjY291bnQiOnsibmFtZSI6ImRldiIsInVpZCI6IjIwMzJkZDM0LWZiMjYtNDAxMy04MTQ3LTlkOTk5NzhmM2RjNiJ9fSwibmJmIjoxNzA3Mjg4ODEwLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6ZGVmYXVsdDpkZXYifQ.ToEjwVhF9O2Av_llVwbwP76Boe4hABEu4q4Kj8l6gkUe9K1d8GjBU7ziQp3YHLUPAFImer9KpMH9eKhAdlvfBT6KIb9KyvgS89yg2LbSxbV5Za5ssf-cKusp3ostCTNcLW6hAAY-7PFI4eOzU1N3JWWSvz_RisTkhtxsGPHw87XdWKrHpmWkzG7YFjQf6ldew1PpijqVePZOzEyeAzilEiihN0GNCClAkJUsidDlTHvh4GVXjin-EltcxKCstibtzcCCIxK2guKe90I2SNkSxZqxDlDkZMEP0XdZYBlUrRL6sC2XC2WbPc7oHe698Wurs1YvwU1nXtOCqV4XD6ofcA
預設 Service Account 的 Token mount 位置
以下檔案儲存著 Token。
/var/run/secrets/kubernetes.io/serviceaccount/token
其中還存在著其他兩個檔案
/run/secrets/kubernetes.io/serviceaccount # ls
ca.crt namespace token
-
ca.crt: CA 憑證
-
namespace: 說明 namespace
除了上述位置以外以下位置也有上述三個檔案
/run/secrets/kubernetes.io/serviceaccount/ca.crt
/run/secrets/kubernetes.io/serviceaccount/namespace
/run/secrets/kubernetes.io/serviceaccount/token
讓 Pod 屬於某個 Service Account
在 spec 欄位中加入 serviceAccountName ,然後寫下 Service account name 即可。
apiVersion: v1
kind: Pod
metadata:
name: my-pod
spec:
containers:
- name: my-container
image: busybox
serviceAccountName: my-service-account
將建立時 Service Account 的 ca.crt, token, namespace 優雅的放入 Secret 中
建立一個 Service account
apiVersion: v1
kind: ServiceAccount
metadata:
name: app-service-account
namespace: default
secrets:
- name: app-service-account-secret
建立一個 Secret
apiVersion: v1
kind: Secret
metadata:
name: app-service-account-secret
namespace: default
labels:
kubernetes.io/legacy-token-last-used: 2022-10-24
kubernetes.io/legacy-token-invalid-since: 2030-10-25
annotations:
kubernetes.io/service-account.name: app-service-account
type: kubernetes.io/service-account-token
這時候這個 Secret 內容為這樣:
apiVersion: v1
data:
ca.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJlRENDQVIyZ0F3SUJBZ0lCQURBS0JnZ3Foa2pPUFFRREFqQWpNU0V3SHdZRFZRUUREQmhyTTNNdGMyVnkKZG1WeUxXTmhRREUzTURjeU9EZ3lPRE13SGhjTk1qUXdNakEzTURZME5EUXpXaGNOTXpRd01qQTBNRFkwTkRRegpXakFqTVNFd0h3WURWUVFEREJock0zTXRjMlZ5ZG1WeUxXTmhRREUzTURjeU9EZ3lPRE13V1RBVEJnY3Foa2pPClBRSUJCZ2dxaGtqT1BRTUJCd05DQUFTdXEwVUszbU1WQjNWTGt4bTk4U25lWldBSGZCRHQwVUlEKzFTbG9TeG8KaWR0Rm5xbmFQZUcyek5LTll3dGw5dExkZFVFdDZlVzNETVY3dmJzaG11L2NvMEl3UURBT0JnTlZIUThCQWY4RQpCQU1DQXFRd0R3WURWUjBUQVFIL0JBVXdBd0VCL3pBZEJnTlZIUTRFRmdRVXlOcWdhOUNTekxkcjF5SHJtNnRPCk5MRURsTk13Q2dZSUtvWkl6ajBFQXdJRFNRQXdSZ0loQVAwNzFUUStld0liU0FVdFJzbHpJUWlzK0FydlozeVoKVEZKVS9Jc0lrYS9aQWlFQWlnUmtSMFRRbU1ZV05Eb2dSeksxRWJZdVBwZ1lLUXhBN0ZGR1Nwd1Rydjg9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
namespace: ZGVmYXVsdA==
token: ZXlKaGJHY2lPaUpTVXpJMU5pSXNJbXRwWkNJNkltSnZMV05HY1doaGVFWTJXR2M1WTB3eVMyYzFNbk52UVVkdVRrTm9iVXB1U2tKV1FrRk5TR2xyYlhjaWZRLmV5SnBjM01pT2lKcmRXSmxjbTVsZEdWekwzTmxjblpwWTJWaFkyTnZkVzUwSWl3aWEzVmlaWEp1WlhSbGN5NXBieTl6WlhKMmFXTmxZV05qYjNWdWRDOXVZVzFsYzNCaFkyVWlPaUprWldaaGRXeDBJaXdpYTNWaVpYSnVaWFJsY3k1cGJ5OXpaWEoyYVdObFlXTmpiM1Z1ZEM5elpXTnlaWFF1Ym1GdFpTSTZJbUZ3Y0MxelpYSjJhV05sTFdGalkyOTFiblF0YzJWamNtVjBJaXdpYTNWaVpYSnVaWFJsY3k1cGJ5OXpaWEoyYVdObFlXTmpiM1Z1ZEM5elpYSjJhV05sTFdGalkyOTFiblF1Ym1GdFpTSTZJbUZ3Y0MxelpYSjJhV05sTFdGalkyOTFiblFpTENKcmRXSmxjbTVsZEdWekxtbHZMM05sY25acFkyVmhZMk52ZFc1MEwzTmxjblpwWTJVdFlXTmpiM1Z1ZEM1MWFXUWlPaUkzWlRFNU9HSmtNQzFqWlRjekxUUTNPREV0WVRNeU5TMDJNek0yTXpjeE9UazVOVFlpTENKemRXSWlPaUp6ZVhOMFpXMDZjMlZ5ZG1salpXRmpZMjkxYm5RNlpHVm1ZWFZzZERwaGNIQXRjMlZ5ZG1salpTMWhZMk52ZFc1MEluMC4xbHdiZlFaUmkycUNQQXcwZWxHY3BtYVRtdS1JNEUtbGdKTVNRUVhPZUtOUUxNaWhydW1INVRyMEdpTFJIV0Y5UFRUTnJydjRGMnV0akZJQy1WS3BMYkJjcTUzMDNFa0hSbklpT01WY2lpZUE5QkVRR1lSVTVHc0pwWlFEQTZEZWFYN0RLMWtnb0IxbHJrY3FVa3V2WUNUcTVWWHJGdDhEY093N0FRTWJmaHNSTEd5UUlDczFZbEVteGI0Rmt0QmZuQXc1T3dEX3YwVUI3a09JX0lkUzBDb1oxSHVZNWhDQllQaVJ0QkZCT3YtdXoxcVFhQWp3bHF4bVd2c3lPNlB4OWprRkZJTWRPbzhxUF95bkZKVnM3QkpETXo5QlZqSGZYWUhuZzRDcVNEWnpLUFRHbzZUUzJCNDJkR2hacEdiLWFzWWt2QlN1eEh4bEdVSGpZMnB6RVE=
kind: Secret
metadata:
annotations:
kubectl.kubernetes.io/last-applied-configuration: |
{"apiVersion":"v1","kind":"Secret","metadata":{"annotations":{"kubernetes.io/service-account.name":"app-service-account"},"labels":{"kubernetes.io/legacy-token-invalid-since":"2030-10-25","kubernetes.io/legacy-token-last-used":"2022-10-24"},"name":"app-service-account-secret","namespace":"default"},"type":"kubernetes.io/service-account-token"}
kubernetes.io/service-account.name: app-service-account
kubernetes.io/service-account.uid: 7e198bd0-ce73-4781-a325-633637199956
creationTimestamp: "2024-02-07T07:30:25Z"
labels:
kubernetes.io/legacy-token-invalid-since: "2030-10-25"
kubernetes.io/legacy-token-last-used: "2022-10-24"
name: app-service-account-secret
namespace: default
resourceVersion: "1492"
uid: a4d0a148-f2e7-42d8-95e6-7acb541fb28e
type: kubernetes.io/service-account-token
其中就是 Base64 格式的 ca.crt, token, namespace 了。