Service Account
Service accounts exist so that processes inside a Pod can call the Kubernetes API or other external services. They differ from user accounts:
  - User accounts are designed for people, while service accounts are designed for processes in a Pod that call the Kubernetes API;
  - User accounts span namespaces, while a service account is confined to the namespace it lives in;
- Every namespace automatically gets a default service account
- The Token controller watches for service account creation and creates a secret for each one
- Once the ServiceAccount Admission Controller is enabled:
  - every Pod has spec.serviceAccount set to default on creation (unless another ServiceAccount is specified)
  - the service account a Pod references is checked to exist, otherwise the Pod is rejected
  - if the Pod specifies no ImagePullSecrets, the service account's ImagePullSecrets are added to the Pod
  - after each container starts, the service account's token and ca.crt are mounted at /var/run/secrets/kubernetes.io/serviceaccount/
```sh
$ kubectl exec nginx-3137573019-md1u2 ls /run/secrets/kubernetes.io/serviceaccount
ca.crt
namespace
token
```
Creating a Service Account
```sh
$ kubectl create serviceaccount jenkins
serviceaccount "jenkins" created
$ kubectl get serviceaccounts jenkins -o yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  creationTimestamp: 2017-05-27T14:32:25Z
  name: jenkins
  namespace: default
  resourceVersion: "45559"
  selfLink: /api/v1/namespaces/default/serviceaccounts/jenkins
  uid: 4d66eb4c-42e9-11e7-9860-ee7d8982865f
secrets:
- name: jenkins-token-l9v7v
```
The automatically created secret:
```sh
$ kubectl get secret jenkins-token-l9v7v -o yaml
apiVersion: v1
data:
  ca.crt: (APISERVER CA BASE64 ENCODED)
  namespace: ZGVmYXVsdA==
  token: (BEARER TOKEN BASE64 ENCODED)
kind: Secret
metadata:
  annotations:
    kubernetes.io/service-account.name: jenkins
    kubernetes.io/service-account.uid: 4d66eb4c-42e9-11e7-9860-ee7d8982865f
  creationTimestamp: 2017-05-27T14:32:25Z
  name: jenkins-token-l9v7v
  namespace: default
  resourceVersion: "45558"
  selfLink: /api/v1/namespaces/default/secrets/jenkins-token-l9v7v
  uid: 4d697992-42e9-11e7-9860-ee7d8982865f
type: kubernetes.io/service-account-token
```
Adding ImagePullSecrets
```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  creationTimestamp: 2015-08-07T22:02:39Z
  name: default
  namespace: default
  selfLink: /api/v1/namespaces/default/serviceaccounts/default
  uid: 052fb0f4-3d50-11e5-b066-42010af0d7b6
secrets:
- name: default-token-uudge
imagePullSecrets:
- name: myregistrykey
```
Authorization
A service account gives a service a convenient authentication mechanism, but it says nothing about authorization. Combine it with RBAC to authorize the service account:
- configure --authorization-mode=RBAC and --runtime-config=rbac.authorization.k8s.io/v1alpha1
- configure --authorization-rbac-super-user=admin
- define a Role, ClusterRole, RoleBinding or ClusterRoleBinding
For example:
```yaml
# This role allows reading pods in the namespace "default"
kind: Role
apiVersion: rbac.authorization.k8s.io/v1alpha1
metadata:
  namespace: default
  name: pod-reader
rules:
- apiGroups: [""] # The API group "" indicates the core API Group.
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
  nonResourceURLs: []
---
# This role binding allows "default" to read pods in the namespace "default"
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1alpha1
metadata:
  name: read-pods
  namespace: default
subjects:
- kind: ServiceAccount # May be "User", "Group" or "ServiceAccount"
  name: default
  namespace: default # required for ServiceAccount subjects in later RBAC API versions
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
```
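As an added example that is not part of the handbook, the following script runs inside a Pod and uses the mounted token, namespace and ca.crt described above to list the pods in its own namespace; with the pod-reader binding in place the call succeeds, and without it the API server answers 403 even though the token authenticated. It assumes the default mount path and the KUBERNETES_SERVICE_HOST/KUBERNETES_SERVICE_PORT variables that kubelet injects into every container; the function names are my own.

```python
import json
import os
import ssl
import urllib.error
import urllib.request

# Mount path populated by the ServiceAccount admission controller (assumed default).
SA_DIR = "/var/run/secrets/kubernetes.io/serviceaccount"


def load_service_account(sa_dir=SA_DIR):
    """Read the mounted token, namespace and the path of the API server CA bundle."""
    with open(os.path.join(sa_dir, "token")) as f:
        token = f.read().strip()
    with open(os.path.join(sa_dir, "namespace")) as f:
        namespace = f.read().strip()
    ca_path = os.path.join(sa_dir, "ca.crt")
    if not os.path.isfile(ca_path):
        raise FileNotFoundError(ca_path)
    return {"token": token, "namespace": namespace, "ca": ca_path}


def pod_list_request(sa, host=None, port=None):
    """Build the URL and bearer-token headers for listing pods in the Pod's own namespace.

    KUBERNETES_SERVICE_HOST/PORT are injected by kubelet; explicit arguments override them.
    """
    host = host or os.environ["KUBERNETES_SERVICE_HOST"]
    port = port or os.environ["KUBERNETES_SERVICE_PORT"]
    url = "https://%s:%s/api/v1/namespaces/%s/pods" % (host, port, sa["namespace"])
    headers = {"Authorization": "Bearer " + sa["token"], "Accept": "application/json"}
    return url, headers


def list_pod_names(sa, host=None, port=None):
    """Call the API server, verifying its certificate against the mounted ca.crt."""
    url, headers = pod_list_request(sa, host, port)
    ctx = ssl.create_default_context(cafile=sa["ca"])
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, context=ctx) as resp:
            body = json.load(resp)
    except urllib.error.HTTPError as e:
        if e.code == 403:  # authenticated, but no Role grants pods/list to this service account
            raise PermissionError("RBAC denies listing pods; bind a Role such as pod-reader") from e
        raise
    return [item["metadata"]["name"] for item in body["items"]]
```

Run it inside a Pod with `list_pod_names(load_service_account())`; the PermissionError branch is the symptom to look for when a workload authenticates but the RoleBinding above is missing.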