ServiceAccount资源清单格式

1
2
3
4
5
6
7
8
9
10
11
12
13
14
apiVersion: v1  # ServiceAccount所属的API群组及版本
kind: ServiceAccount  # 资源类型标识
metadata:
  name <string>  # 资源名称
  namespace <string>  # ServiceAccount是名称空间级别的资源
automountServiceAccountToken <boolean>  # 是否让Pod自动挂载API令牌
secrets <[]Object>   # 以该SA运行的Pod所要使用的Secret对象组成的列表
  apiVersion <string>  # 引用的Secret对象所属的API群组及版本,可省略
  kind <string>  # 引用的资源的类型,这里是指Secret,可省略
  name <string>  # 引用的Secret对象的名称,通常仅给出该字段即可
  namespace <string>  # 引用的Secret对象所属的名称空间
  uid  <string>  # 引用的Secret对象的标识符;
imagePullSecrets <[]Object> # 引用的用于下载Pod中容器镜像的Secret对象列表
  name <string>  # docker-registry类型的Secret资源的名称

ServiceAccount令牌认证

正常情况下k8s所创建的每一个Pod注入一个ServiceAccount令牌

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
root@k8s-master01:~# kubectl describe pod demodb-0
......
Containers:
  demodb-shard:
    Container ID:   docker://b7506f7a44abb86d008c8ddb38ccda4b8a11c25b5e7720877ec1694a9abc0f54
    Image:          ikubernetes/demodb:v0.1
    Image ID:       docker-pullable://ikubernetes/demodb@sha256:78edffb2083001b056f85202ca8049bb1e5ecb47b601725aadb5723a96e21b7b
    Port:           9907/TCP
    Host Port:      0/TCP
    State:          Running
      Started:      Tue, 27 Jul 2021 01:31:48 +0000
    Ready:          True
    Restart Count:  0
    Liveness:       http-get http://:db/status delay=2s timeout=1s period=10s #success=1 #failure=3
    Readiness:      http-get http://:db/status%3Flevel=full delay=15s timeout=1s period=30s #success=1 #failure=3
    Environment:
      DEMODB_DATADIR:  /demodb/data
    Mounts:
      /demodb/data from data (rw)
      /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-zxl6g (ro)  # 此为pod挂载的SA信息
.......

在每个名称空间中,会自动存在(由ServiceAccount准入控制器负责)一个ServiceAccount,将被该空间下的每个Pod共享使用。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
# 查看默认名称空间下的SA
root@k8s-master01:~# kubectl get sa
NAME      SECRETS   AGE
default   1         13d     # 名称为default

root@k8s-master01:~# kubectl describe sa default
Name:                default
Namespace:           default
Labels:              <none>
Annotations:         <none>
Image pull secrets:  <none>
Mountable secrets:   default-token-n6t9r
Tokens:              default-token-n6t9r
Events:              <none>

root@k8s-master01:~# kubectl get sa default -o yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  creationTimestamp: "2021-07-15T06:14:15Z"
  name: default
  namespace: default
  resourceVersion: "410"
  uid: c7ab687e-a63f-45b9-856d-e5038a5c1183
secrets:
- name: default-token-n6t9r

认证令牌保存于该空间下的一个Secret对象中,该对象中共有三个信息:

  • namespace
  • ca.crt
  • token
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
root@k8s-master01:~# kubectl get secrets default-token-n6t9r -o yaml
apiVersion: v1
data:  # ca.crt namespace token信息
  ca.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUM1ekNDQWMrZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwcmRXSmwKY201bGRHVnpNQjRYRFRJeE1EY3hOVEEyTVRNek5Gb1hEVE14TURjeE16QTJNVE16TkZvd0ZURVRNQkVHQTFVRQpBeE1LYTNWaVpYSnVaWFJsY3pDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBTnZjCkc0NytMTUUydkxsNzJXNUpWYSt1S2VLY1htWVNFVjVXSmtCSkl4VjBZK0JkRExtb044WWxSWUdVaDVxTmxRRUQKOFhRSzgzOUNOUUl4ZGRSQWc3c1M4Z2I2SWdabGxCRXNobGRGb0JEcjNDUUlzMWxGMEFsVEFyV2RpK0NUbHdZYwpyYTRTREN6ZHVQUDZhdzFHWVBTNE9zOUtsUEpVZHpPMXRkUjdGNVBHVkY3SWpsWE1EMWc3NW1yL2d6NkgrcTVOCkN0S1UraFJ2WGd5QXN1TDY1TFlROUVEMyt1K0lJSE5xQWR4S1lXRkFmZ2tNT3Bqa0V3Z2xRWUUzenhWREdZR0EKdFI5clg5STNQUHF0UkkwWVdqb2EveGtxY1lhUTNRckhzU3ZBTjU5b2FyV3plS2xuMS8wWVdVeEd0cEZtdy92ZQpRMTYzYkVlc21YaDdSMERhMGhzQ0F3RUFBYU5DTUVBd0RnWURWUjBQQVFIL0JBUURBZ0trTUE4R0ExVWRFd0VCCi93UUZNQU1CQWY4d0hRWURWUjBPQkJZRUZIWmV1cEFHdnZ4c0pkSHl5N3hTVUNoZFNGY1hNQTBHQ1NxR1NJYjMKRFFFQkN3VUFBNElCQVFBTVUySkVrdU1QZ0ltSDlaSzk2OHRsY05HNVRsVFVseFVYRm9Uc1VTSWhyU1pycGhmRApKelBOTE5rcTJxMCtUV3ZTbHZxbzFyM2dLckhNWWZDY1AwTnFIU2VYVWNhaW1WeUhwUm12M3AzODBoTlJONnNyCkJZSmZ4RUE0aWJsWEpvYnNVR0tDcmdZeHk5SFJYbE9ud0QvMHdrTVVBZHFuSG90MlRPbGJZSVU3aUNTNklCajMKaWZLeHlGdkdDTWJ6NFhIY0xjajY4L3AzaC9VRDgxRjNGc2ZqdmV6L1A3Nk42L2hCL090TkhKK3pTWGVmdjJjcQpMUXBxYXA5aW9IUGZTVFpnTm5BUndSWUNaMW9DdmI0WitnbzdkQTROM3M2K3NOTUpYZFFERWkxb1dWeDVKUXgyClgzejNtY1hhZHROTVgwOEN0UHorTlQwZGZGOUNhaDVWMTkzWgotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
  namespace: ZGVmYXVsdA==
  token: ZXlKaGJHY2lPaUpTVXpJMU5pSXNJbXRwWkNJNklqZDRPRTVoTVRWMVZVMHRVRFF6Ums0NVVVd3pOV056VURWc2JUZHBjMnR6TUVaWVJVdHdhMWxmZG1NaWZRLmV5SnBjM01pT2lKcmRXSmxjbTVsZEdWekwzTmxjblpwWTJWaFkyTnZkVzUwSWl3aWEzVmlaWEp1WlhSbGN5NXBieTl6WlhKMmFXTmxZV05qYjNWdWRDOXVZVzFsYzNCaFkyVWlPaUprWldaaGRXeDBJaXdpYTNWaVpYSnVaWFJsY3k1cGJ5OXpaWEoyYVdObFlXTmpiM1Z1ZEM5elpXTnlaWFF1Ym1GdFpTSTZJbVJsWm1GMWJIUXRkRzlyWlc0dGJqWjBPWElpTENKcmRXSmxjbTVsZEdWekxtbHZMM05sY25acFkyVmhZMk52ZFc1MEwzTmxjblpwWTJVdFlXTmpiM1Z1ZEM1dVlXMWxJam9pWkdWbVlYVnNkQ0lzSW10MVltVnlibVYwWlhNdWFXOHZjMlZ5ZG1salpXRmpZMjkxYm5RdmMyVnlkbWxqWlMxaFkyTnZkVzUwTG5WcFpDSTZJbU0zWVdJMk9EZGxMV0UyTTJZdE5EVmlPUzA0TlRaa0xXVTFNRE00WVRWak1URTRNeUlzSW5OMVlpSTZJbk41YzNSbGJUcHpaWEoyYVdObFlXTmpiM1Z1ZERwa1pXWmhkV3gwT21SbFptRjFiSFFpZlEuR2ZiSzlfRmpHU3EwME03c2tTYjdMWTd4bHlZUEFVS0dmZWl4U0Zqc2tFRnJvck95QkdJY3MxQXo2YmtaZm1ta1BocmVoSW5qVlhsQnU3dmprc0J2c0tlOHVsYWFtbTlXSGdSU2g3MjRTTUYyT0ZLUVFpMzJsTWVxd1piRDF1dGRJaHVHX21RSk82cWg2UVFoMzkzQ0FCRFJzWUR2MXZMUzVuSlpxY211YWFCUlVVVFA5VjY0RUwzcEVwUUlYVy1iY2o5RDQyOXBvakFyMDFkQUFNbUVRN3pqWWt6eEZnM0s1empQSGF2cVpmWlI1dlFjdmxER1d0ZWZmVTBRYXZFaGJsYXM3dTJLb2g5aWhORl80YjRBdjlRZ0Y3UUdORTBkNFh6aTZOUE9ROUtkbGpXTm50dVRYYXNUcU9iQmVSaC1TRm9iVGdnVUo0ejRKekVIUl9aM2hR
kind: Secret
metadata:
  annotations:
    kubernetes.io/service-account.name: default
    kubernetes.io/service-account.uid: c7ab687e-a63f-45b9-856d-e5038a5c1183
  creationTimestamp: "2021-07-15T06:14:15Z"
  name: default-token-n6t9r
  namespace: default
  resourceVersion: "409"
  uid: 011e52ae-a4d2-46eb-9b3a-9a25000be0d9
type: kubernetes.io/service-account-token

如果运行pod时没有指定其SA,那么K8S会使用其名称空间下默认的SA。

如果在运行pod时不想使用默认的SA,也可以自己创建SA让pod获得更大的授权,但是在Pod资源清单中使用时,要指明使用的SA账号。

1
2
3
4
5
6
7
8
9
10
k8s-master01:~# kubectl explain pod.spec.serviceAccountName
KIND:     Pod
VERSION:  v1

FIELD:    serviceAccountName <string>

DESCRIPTION:
     ServiceAccountName is the name of the ServiceAccount to use to run this
     pod. More info:
     https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/

创建SA

基于命令创建SA

1.使用命令创建SA

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
# 创建一个dev名称空间
root@k8s-master01:~# kubectl create ns dev
namespace/dev created

# 在dev名称空间下创建一个拥有管理员权限的SA
root@k8s-master01:~# kubectl create sa admin -n dev    # 如果不指定名称空间默认创建在default名称空间下
serviceaccount/admin created

# admin的SA创建完毕
root@k8s-master01:~# kubectl get sa -n dev
NAME      SECRETS   AGE
admin     1         17s
default   1         109s

# SA创建完毕默认会创建出认证信息token
root@k8s-master01:~# kubectl get secrets -n dev
NAME                  TYPE                                  DATA   AGE
admin-token-6lrjw     kubernetes.io/service-account-token   3      2m23s
default-token-j5lt6   kubernetes.io/service-account-token   3      3m55s

基于资源清单创建SA

1.创建SA资源清单

1
2
3
4
5
6
7
8
9
10
11
root@k8s-master01:~/yaml/chapter09# vim sa-demo.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ns-admin
  namespace: default                    # ns如果非default,必须写
automountServiceAccountToken: true      # 可有可无

# 以下两个字段可以不指定,SA会自己创建token,如果要自己指定,则需要另外创建secret-token.
# secrets:
# - name: k8sadmin-secret

2.如果SA的资源清单中指定了Secrets,则需要自己创建Secret-token资源清单,(如果未指定此步骤可以省略)

1
2
3
4
5
6
7
8
9
root@k8s-master01:~/yaml/chapter09# vim secret-token.yaml
apiVersion: v1
kind: Secret
metadata:
  name: k8sadmin-secret
  namespace: default
  annotations:
    kubernetes.io/service-account.name: k8sadmin
type: kubernetes.io/service-account-token

其他事项

在Pod的资源清单中有一项名为imagePullSecrets的选项,用来从私有仓库中获取镜像时做认证时使用,我们可以将其在SA中进行配置,无需在pod上配置,这样的好处是,同一pod在挂载SA时默认会挂载其认证到私有仓库的Secret信息。这样就无需再单独对pod中imagePullSecrets进行管理。