1. kubectl create role pods-reader --verb=get,list,watch --resource=pods --dry-run 以试运行方式测试创建角色(只在客户端生成对象,不会真正提交到集群)。kubectl create role pods-reader --verb=get,list,watch --resource=pods --dry-run -o yaml 将试运行结果以 YAML 格式输出。注:较新版本的 kubectl 中不带取值的 --dry-run 已弃用,应写成 --dry-run=client。
[root@master ~]# kubectl create role pods-reader --verb=get,list,watch --resource=pods --dry-run
role.rbac.authorization.k8s.io/pods-reader created (dry run)
[root@master ~]# kubectl create role pods-reader --verb=get,list,watch --resource=pods --dry-run -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
creationTimestamp: null
name: pods-reader
rules:
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- list
- watch
2. kubectl create role pods-reader --verb=get,list,watch --resource=pods --dry-run -o yaml > manifests/role-demo.yaml 将试运行结果输出到文件。vim role-demo.yaml 编辑文件(删除 creationTimestamp: null,并在 metadata 中显式加上 namespace: default)。cat role-demo.yaml 查看文件。
[root@master ~]# kubectl create role pods-reader --verb=get,list,watch --resource=pods --dry-run -o yaml > manifests/role-demo.yaml
[root@master ~]# cd manifests/
[root@master manifests]# vim role-demo.yaml
[root@master manifests]# cat role-demo.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: pods-reader
namespace: default
rules:
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- list
- watch
3.kubectl apply -f role-demo.yaml 声明资源。kubectl get role -o wide获取角色资源信息。kubectl describe role pods-reader获取角色资源详细信息。
[root@master manifests]# kubectl apply -f role-demo.yaml
role.rbac.authorization.k8s.io/pods-reader created
[root@master manifests]# kubectl get role -o wide
NAME AGE
pods-reader 14s
[root@master manifests]# kubectl describe role pods-reader
Name: pods-reader
Labels:
Annotations: kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"rbac.authorization.k8s.io/v1","kind":"Role","metadata":{"annotations":{},"name":"pods-reader","namespace":"default"},"rules":[{"apiGroup...
PolicyRule:
Resources Non-Resource URLs Resource Names Verbs
--------- ----------------- -------------- -----
pods [] [] [get list watch]
4.kubectl create rolebinding student-read-pods --role=pods-reader --user=student创建角色绑定。kubectl create rolebinding student-read-pods --role=pods-reader --user=student --dry-run -o yaml > rolebinding-demo.yaml输出到文件。kubectl describe rolebinding student-read-pods获取角色绑定详细信息。
[root@master manifests]# kubectl create rolebinding student-read-pods --role=pods-reader --user=student
rolebinding.rbac.authorization.k8s.io/student-read-pods created
[root@master manifests]# kubectl create rolebinding student-read-pods --role=pods-reader --user=student --dry-run -o yaml > rolebinding-demo.yaml
[root@master manifests]# kubectl describe rolebinding student-read-pods
Name: student-read-pods
Labels:
Annotations:
Role:
Kind: Role
Name: pods-reader
Subjects:
Kind Name Namespace
---- ---- ---------
User student
5. kubectl config use-context student@kubernetes 切换上下文。kubectl get pods -o wide 获取 Pod 资源信息。kubectl get pods -n kube-system 获取其他名称空间的 Pod 资源信息失败(Role 和 RoleBinding 都是名称空间级别的资源,授权只在它们所在的 default 名称空间内有效)。
[root@master manifests]# kubectl config use-context student@kubernetes
Switched to context "student@kubernetes".
[root@master manifests]# kubectl get pods -o wide
NAME READY STATUS RESTARTS AGE IP NODE
myapp-deploy-67f6f6b4dc-7t9ph 1/1 Running 0 2h 10.244.2.105 node2.example.com
myapp-deploy-67f6f6b4dc-qmznr 1/1 Running 0 2h 10.244.1.17 node1.example.com
myapp-deploy-67f6f6b4dc-sbmhc 1/1 Running 0 2h 10.244.2.104 node2.example.com
pod-sa-demo 1/1 Running 0 2h 10.244.1.18 node1.example.com
[root@master manifests]# kubectl get pods -n kube-system
No resources found.
Error from server (Forbidden): pods is forbidden: User "student" cannot list pods in the namespace "kube-system"
[root@master manifests]# kubectl create clusterrole cluster-reader --verb=get,list,watch --resource=pods -o yaml --dry-run
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
creationTimestamp: null
name: cluster-reader
rules:
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- list
- watch
6. kubectl config use-context kubernetes-admin@kubernetes 切换上下文。kubectl create clusterrole cluster-reader --verb=get,list,watch --resource=pods -o yaml --dry-run 测试创建集群角色(ClusterRole,不属于任何名称空间,因此输出中没有 namespace 字段)。kubectl create clusterrole cluster-reader --verb=get,list,watch --resource=pods -o yaml --dry-run > clusterrole-demo.yaml 输出到文件。
[root@master manifests]# kubectl config use-context kubernetes-admin@kubernetes
Switched to context "kubernetes-admin@kubernetes".
[root@master manifests]# kubectl create clusterrole cluster-reader --verb=get,list,watch --resource=pods -o yaml --dry-run
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
creationTimestamp: null
name: cluster-reader
rules:
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- list
- watch
[root@master manifests]# kubectl create clusterrole cluster-reader --verb=get,list,watch --resource=pods -o yaml --dry-run > clusterrole-demo.yaml
7.vim clusterrole-demo.yaml编辑文件。cat clusterrole-demo.yaml查看文件。kubectl apply -f clusterrole-demo.yaml声明资源。kubectl delete rolebinding student-read-pods删除之前的资源。
[root@master manifests]# vim clusterrole-demo.yaml
[root@master manifests]# cat clusterrole-demo.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: cluster-reader
rules:
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- list
- watch
[root@master manifests]# kubectl apply -f clusterrole-demo.yaml
clusterrole.rbac.authorization.k8s.io/cluster-reader created
[root@master manifests]# kubectl delete rolebinding student-read-pods
rolebinding.rbac.authorization.k8s.io "student-read-pods" deleted
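8. useradd ik8s 创建用户。cp -rp .kube/ /home/ik8s/ 复制认证信息。chown -R ik8s.ik8s /home/ik8s/ 修改所有者。kubectl config use-context student@kubernetes 切换上下文。kubectl config view 查看配置信息。kubectl get pods 获取 Pod 资源失败(因为授权相关的 rolebinding 资源已经删除)。注意:这样复制过去的 .kube/config 同时包含 kubernetes-admin 的客户端证书和私钥(见下方 kubectl config view 输出的 users 列表),ik8s 用户只要切换回 kubernetes-admin@kubernetes 上下文就能使用管理员凭据,RBAC 对 student 的限制对其形同虚设;这里仅为演示方便,实际环境中应为普通用户单独生成只含其自身凭据(此处为 student)的 kubeconfig。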
[root@master ~]# useradd ik8s
[root@master ~]# cp -rp .kube/ /home/ik8s/
[root@master ~]# chown -R ik8s.ik8s /home/ik8s/
[root@master ~]# su - ik8s
[ik8s@master ~]$ kubectl config use-context student@kubernetes
Switched to context "student@kubernetes".
[ik8s@master ~]$ kubectl config view
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: REDACTED
server: https://172.20.0.128:6443
name: kubernetes
contexts:
- context:
cluster: kubernetes
user: kubernetes-admin
name: kubernetes-admin@kubernetes
- context:
cluster: kubernetes
user: student
name: student@kubernetes
current-context: student@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
user:
client-certificate-data: REDACTED
client-key-data: REDACTED
- name: student
user:
client-certificate-data: REDACTED
client-key-data: REDACTED
[ik8s@master ~]$ kubectl get pods
No resources found.
Error from server (Forbidden): pods is forbidden: User "student" cannot list pods in the namespace "default"
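9. kubectl create clusterrolebinding student-read-all-pods --clusterrole=cluser-reader --user=student --dry-run -o yaml 测试 clusterrolebinding 并输出为 YAML 格式。kubectl get clusterrole 获取 clusterrole 信息。注意:命令中的 --clusterrole=cluser-reader 拼写有误(实际创建的集群角色名为 cluster-reader);试运行不会校验被引用的 ClusterRole 是否存在,所以输出的 roleRef.name 同样是 cluser-reader。引用了不存在角色的绑定不会授予任何权限。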
[root@master manifests]# kubectl create clusterrolebinding student-read-all-pods --clusterrole=cluser-reader --user=student --dry-run -o yaml
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
creationTimestamp: null
name: student-read-all-pods
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluser-reader
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: User
name: student
[root@master manifests]# kubectl get clusterrole
NAME AGE
admin 4d
cluster-admin 4d
cluster-reader 10m
edit 4d
flannel 3d
system:aggregate-to-admin 4d
system:aggregate-to-edit 4d
system:aggregate-to-view 4d
system:auth-delegator 4d
system:aws-cloud-provider 4d
system:basic-user 4d
system:certificates.k8s.io:certificatesigningrequests:nodeclient 4d
system:certificates.k8s.io:certificatesigningrequests:selfnodeclient 4d
system:controller:attachdetach-controller 4d
system:controller:certificate-controller 4d
system:controller:clusterrole-aggregation-controller 4d
system:controller:cronjob-controller 4d
system:controller:daemon-set-controller 4d
system:controller:deployment-controller 4d
system:controller:disruption-controller 4d
system:controller:endpoint-controller 4d
system:controller:expand-controller 4d
system:controller:generic-garbage-collector 4d
system:controller:horizontal-pod-autoscaler 4d
system:controller:job-controller 4d
system:controller:namespace-controller 4d
system:controller:node-controller 4d
system:controller:persistent-volume-binder 4d
system:controller:pod-garbage-collector 4d
system:controller:pv-protection-controller 4d
system:controller:pvc-protection-controller 4d
system:controller:replicaset-controller 4d
system:controller:replication-controller 4d
system:controller:resourcequota-controller 4d
system:controller:route-controller 4d
system:controller:service-account-controller 4d
system:controller:service-controller 4d
system:controller:statefulset-controller 4d
system:controller:ttl-controller 4d
system:coredns 4d
system:csi-external-attacher 4d
system:csi-external-provisioner 4d
system:discovery 4d
system:heapster 4d
system:kube-aggregator 4d
system:kube-controller-manager 4d
system:kube-dns 4d
system:kube-scheduler 4d
system:kubelet-api-admin 4d
system:node 4d
system:node-bootstrapper 4d
system:node-problem-detector 4d
system:node-proxier 4d
system:persistent-volume-provisioner 4d
system:volume-scheduler 4d
view
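10. kubectl create clusterrolebinding student-read-all-pods --clusterrole=cluser-reader --user=student --dry-run -o yaml > clusterrolebinding-demo.yaml 输出为文件。vim clusterrolebinding-demo.yaml 编辑文件(删除 creationTimestamp: null,并把 roleRef.name 由拼错的 cluser-reader 更正为 cluster-reader)。cat clusterrolebinding-demo.yaml 查看文件。注:文件中的 apiVersion rbac.authorization.k8s.io/v1beta1 已在 Kubernetes 1.22 中移除,较新的集群应使用 rbac.authorization.k8s.io/v1。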
[root@master manifests]# kubectl create clusterrolebinding student-read-all-pods --clusterrole=cluser-reader --user=student --dry-run -o yaml > clusterrolebinding-demo.yaml
[root@master manifests]# vim clusterrolebinding-demo.yaml
[root@master manifests]# cat clusterrolebinding-demo.yaml
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: student-read-all-pods
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-reader
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: User
name: student
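11. kubectl apply -f clusterrolebinding-demo.yaml 声明资源。kubectl get clusterrolebinding | grep student 获取新增的 clusterrolebinding 资源信息。kubectl describe clusterrolebinding student-read-all-pods 查看资源详细信息。注意核对 describe 输出中 Role 的 Name:下方记录的 cluser-reader 与上一步 cat 显示的 cluster-reader 不一致(可能是更正拼写之前留下的输出);绑定要生效,roleRef 必须指向实际存在的 cluster-reader。roleRef 创建后不可修改,写错时只能删除绑定后重新创建。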
[root@master manifests]# kubectl apply -f clusterrolebinding-demo.yaml
clusterrolebinding.rbac.authorization.k8s.io/student-read-all-pods created
[root@master manifests]# kubectl get clusterrolebinding | grep student
student-read-all-pods
[root@master manifests]# kubectl describe clusterrolebinding student-read-all-pods
Name: student-read-all-pods
Labels:
Annotations: kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"rbac.authorization.k8s.io/v1beta1","kind":"ClusterRoleBinding","metadata":{"annotations":{},"name":"student-read-all-pods","namespace":"...
Role:
Kind: ClusterRole
Name: cluser-reader
Subjects:
Kind Name Namespace
---- ---- ---------
User student
12. kubectl get pods 获取 Pod 资源。kubectl get pods -n kube-system 获取其他名称空间的资源(ClusterRoleBinding 的授权对所有名称空间生效,所以这次可以成功)。kubectl delete pods myapp-deploy-67f6f6b4dc-qmznr 删除资源失败(因为 cluster-reader 只授予了 get、list、watch,没有 delete)。
[ik8s@master ~]$ kubectl get pods
NAME READY STATUS RESTARTS AGE
myapp-deploy-67f6f6b4dc-7t9ph 1/1 Running 0 3h
myapp-deploy-67f6f6b4dc-ftm2w 1/1 Running 0 8m
myapp-deploy-67f6f6b4dc-qmznr 1/1 Running 0 3h
pod-sa-demo 1/1 Running 0 2h
[ik8s@master ~]$ kubectl get pods -n kube-system
NAME READY STATUS RESTARTS AGE
coredns-78fcdf6894-p2rb6 1/1 Running 4 4d
coredns-78fcdf6894-pcb99 1/1 Running 3 4d
etcd-master.example.com 1/1 Running 6 4d
kube-apiserver-master.example.com 1/1 Running 4 4d
kube-controller-manager-master.example.com 1/1 Running 6 4d
kube-flannel-ds-amd64-9lwsn 1/1 Running 3 4d
kube-flannel-ds-amd64-h96pj 1/1 Running 3 4d
kube-flannel-ds-amd64-jwhmr 1/1 Running 3 4d
kube-proxy-56hs9 1/1 Running 3 4d
kube-proxy-r4j2h 1/1 Running 6 4d
kube-proxy-t985x 1/1 Running 4 4d
kube-scheduler-master.example.com 1/1 Running 6 4d
[ik8s@master ~]$ kubectl delete pods myapp-deploy-67f6f6b4dc-qmznr
Error from server (Forbidden): pods "myapp-deploy-67f6f6b4dc-qmznr" is forbidden: User "student" cannot delete pods in the namespace "default"
13. kubectl delete -f clusterrolebinding-demo.yaml 删除资源。kubectl create rolebinding student-read-pods --clusterrole=cluster-reader --user=student --dry-run -o yaml 测试并输出为 YAML 格式。kubectl create rolebinding student-read-pods --clusterrole=cluster-reader --user=student --dry-run -o yaml > rolebinding-clusterrole-demo.yaml 输出为文件。vim rolebinding-clusterrole-demo.yaml 编辑文件(注意这里的 namespace: default:用 RoleBinding 引用 ClusterRole 时,ClusterRole 中定义的权限只在该 RoleBinding 所在的名称空间内生效)。cat rolebinding-clusterrole-demo.yaml 查看文件。
[root@master manifests]# kubectl delete -f clusterrolebinding-demo.yaml
clusterrolebinding.rbac.authorization.k8s.io "student-read-all-pods" deleted
[root@master manifests]# kubectl create rolebinding student-read-pods --clusterrole=cluster-reader --user=student --dry-run -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
creationTimestamp: null
name: student-read-pods
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-reader
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: User
name: student
[root@master manifests]# kubectl create rolebinding student-read-pods --clusterrole=cluster-reader --user=student --dry-run -o yaml > rolebinding-clusterrole-demo.yaml
[root@master manifests]# vim rolebinding-clusterrole-demo.yaml
[root@master manifests]# cat rolebinding-clusterrole-demo.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: student-read-pods
namespace: default
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-reader
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: User
name: student
14.kubectl apply -f rolebinding-clusterrole-demo.yaml声明资源。kubectl describe rolebinding student-read-pods获取资源详细信息。
[root@master manifests]# kubectl apply -f rolebinding-clusterrole-demo.yaml
rolebinding.rbac.authorization.k8s.io/student-read-pods created
[root@master manifests]# kubectl describe rolebinding student-read-pods
Name: student-read-pods
Labels:
Annotations: kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"rbac.authorization.k8s.io/v1","kind":"RoleBinding","metadata":{"annotations":{},"name":"student-read-pods","namespace":"default"},"roleR...
Role:
Kind: ClusterRole
Name: cluster-reader
Subjects:
Kind Name Namespace
---- ---- ---------
User student
15. kubectl get pods获取资源。kubectl get pods -n kube-system获取其他名称空间资源失败(因为仅授权default空间)。
[ik8s@master ~]$ kubectl get pods
NAME READY STATUS RESTARTS AGE
myapp-deploy-67f6f6b4dc-7t9ph 1/1 Running 0 3h
myapp-deploy-67f6f6b4dc-ftm2w 1/1 Running 0 17m
myapp-deploy-67f6f6b4dc-qmznr 1/1 Running 0 3h
pod-sa-demo 1/1 Running 0 3h
[ik8s@master ~]$ kubectl get pods -n kube-system
No resources found.
Error from server (Forbidden): pods is forbidden: User "student" cannot list pods in the namespace "kube-system"
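16. kubectl get clusterrole admin -o yaml 查看内置集群角色 admin 的规则。kubectl create rolebinding default-ns-admin --clusterrole=admin --user=student 创建 rolebinding,把 admin 角色授予 student(仅在当前的 default 名称空间内生效)。从下方输出可以看到,admin 的权限远不止管理 Pod:它还包括对 secrets 的读写、pods/exec、对 serviceaccounts 的 impersonate,以及在本名称空间内创建和修改 roles、rolebindings;按最小权限原则,只有确实需要管理整个名称空间的用户才应绑定该角色。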
[root@master manifests]# kubectl get clusterrole admin -o yaml
aggregationRule:
clusterRoleSelectors:
- matchLabels:
rbac.authorization.k8s.io/aggregate-to-admin: "true"
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
rbac.authorization.kubernetes.io/autoupdate: "true"
creationTimestamp: 2018-12-13T14:05:25Z
labels:
kubernetes.io/bootstrapping: rbac-defaults
name: admin
resourceVersion: "348"
selfLink: /apis/rbac.authorization.k8s.io/v1/clusterroles/admin
uid: 23518343-fee0-11e8-8c03-000c290c9b7a
rules:
- apiGroups:
- ""
resources:
- pods
- pods/attach
- pods/exec
- pods/portforward
- pods/proxy
verbs:
- create
- delete
- deletecollection
- get
- list
- patch
- update
- watch
- apiGroups:
- ""
resources:
- configmaps
- endpoints
- persistentvolumeclaims
- replicationcontrollers
- replicationcontrollers/scale
- secrets
- serviceaccounts
- services
- services/proxy
verbs:
- create
- delete
- deletecollection
- get
- list
- patch
- update
- watch
- apiGroups:
- ""
resources:
- bindings
- events
- limitranges
- namespaces/status
- pods/log
- pods/status
- replicationcontrollers/status
- resourcequotas
- resourcequotas/status
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- namespaces
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- serviceaccounts
verbs:
- impersonate
- apiGroups:
- apps
resources:
- daemonsets
- deployments
- deployments/rollback
- deployments/scale
- replicasets
- replicasets/scale
- statefulsets
- statefulsets/scale
verbs:
- create
- delete
- deletecollection
- get
- list
- patch
- update
- watch
- apiGroups:
- autoscaling
resources:
- horizontalpodautoscalers
verbs:
- create
- delete
- deletecollection
- get
- list
- patch
- update
- watch
- apiGroups:
- batch
resources:
- cronjobs
- jobs
verbs:
- create
- delete
- deletecollection
- get
- list
- patch
- update
- watch
- apiGroups:
- extensions
resources:
- daemonsets
- deployments
- deployments/rollback
- deployments/scale
- ingresses
- networkpolicies
- replicasets
- replicasets/scale
- replicationcontrollers/scale
verbs:
- create
- delete
- deletecollection
- get
- list
- patch
- update
- watch
- apiGroups:
- policy
resources:
- poddisruptionbudgets
verbs:
- create
- delete
- deletecollection
- get
- list
- patch
- update
- watch
- apiGroups:
- networking.k8s.io
resources:
- networkpolicies
verbs:
- create
- delete
- deletecollection
- get
- list
- patch
- update
- watch
- apiGroups:
- authorization.k8s.io
resources:
- localsubjectaccessreviews
verbs:
- create
- apiGroups:
- rbac.authorization.k8s.io
resources:
- rolebindings
- roles
verbs:
- create
- delete
- deletecollection
- get
- list
- patch
- update
- watch
[root@master manifests]# kubectl create rolebinding default-ns-admin --clusterrole=admin --user=student
rolebinding.rbac.authorization.k8s.io/default-ns-admin created
17. kubectl get pods 获取 Pod 资源。kubectl delete pods myapp-deploy-67f6f6b4dc-qmznr 删除 Pod 资源成功(admin 角色包含 delete 权限)。kubectl get pods -n kube-system 获取其他名称空间的资源失败(admin 权限是通过 default 名称空间中的 RoleBinding 授予的,仅限该名称空间)。
[ik8s@master ~]$ kubectl get pods
NAME READY STATUS RESTARTS AGE
myapp-deploy-67f6f6b4dc-7t9ph 1/1 Running 0 3h
myapp-deploy-67f6f6b4dc-ftm2w 1/1 Running 0 32m
myapp-deploy-67f6f6b4dc-qmznr 1/1 Running 0 3h
pod-sa-demo 1/1 Running 0 3h
[ik8s@master ~]$ kubectl delete pods myapp-deploy-67f6f6b4dc-qmznr
pod "myapp-deploy-67f6f6b4dc-qmznr" deleted
[ik8s@master ~]$ kubectl get pods -n kube-system
No resources found.
Error from server (Forbidden): pods is forbidden: User "student" cannot list pods in the namespace "kube-system"
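18. kubectl get clusterrolebinding cluster-admin -o yaml 将信息以 YAML 格式输出(注意 subjects 中 kind: Group、name: system:masters:cluster-admin 角色绑定的对象是一个组,而不是某个具体用户)。kubectl config view 查看配置信息。openssl x509 -in apiserver-kubelet-client.crt -text -noout | grep -i subject 查看证书主题:Kubernetes 以客户端证书 Subject 中的 CN 作为用户名、O 作为所属组,该证书的 O=system:masters,因此持有它的客户端属于 system:masters 组,并通过上面的绑定获得 cluster-admin 权限。由于 Kubernetes 不支持吊销客户端证书,属于 system:masters 组的证书及其私钥需要严格保管,也不应为普通用户签发。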
[root@master manifests]# kubectl get clusterrolebinding cluster-admin -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
annotations:
rbac.authorization.kubernetes.io/autoupdate: "true"
creationTimestamp: 2018-12-13T14:05:25Z
labels:
kubernetes.io/bootstrapping: rbac-defaults
name: cluster-admin
resourceVersion: "110"
selfLink: /apis/rbac.authorization.k8s.io/v1/clusterrolebindings/cluster-admin
uid: 237f9295-fee0-11e8-8c03-000c290c9b7a
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: system:masters
[root@master manifests]# kubectl config view
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: REDACTED
server: https://172.20.0.128:6443
name: kubernetes
contexts:
- context:
cluster: kubernetes
user: kubernetes-admin
name: kubernetes-admin@kubernetes
- context:
cluster: kubernetes
user: student
name: student@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
user:
client-certificate-data: REDACTED
client-key-data: REDACTED
- name: student
user:
client-certificate-data: REDACTED
client-key-data: REDACTED
[root@master pki]# openssl x509 -in apiserver-kubelet-client.crt -text -noout | grep -i subject
Subject: O=system:masters, CN=kube-apiserver-kubelet-client
Subject Public Key Info:
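19. kubectl get pods -n kube-system 获取系统名称空间的资源信息。kubectl get pods kube-flannel-ds-amd64-jwhmr -o yaml -n kube-system | grep -i serviceaccount 可以看到,系统组件的 Pod 是以 serviceaccount(这里是 flannel)的身份访问 API Server 的:其令牌挂载在 /var/run/secrets/kubernetes.io/serviceaccount 下,权限则来自绑定到该 serviceaccount 的角色。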
[root@master pki]# kubectl get pods -n kube-system
NAME READY STATUS RESTARTS AGE
coredns-78fcdf6894-p2rb6 1/1 Running 4 4d
coredns-78fcdf6894-pcb99 1/1 Running 3 4d
etcd-master.example.com 1/1 Running 6 4d
kube-apiserver-master.example.com 1/1 Running 4 4d
kube-controller-manager-master.example.com 1/1 Running 6 4d
kube-flannel-ds-amd64-9lwsn 1/1 Running 3 4d
kube-flannel-ds-amd64-h96pj 1/1 Running 3 4d
kube-flannel-ds-amd64-jwhmr 1/1 Running 3 4d
kube-proxy-56hs9 1/1 Running 3 4d
kube-proxy-r4j2h 1/1 Running 6 4d
kube-proxy-t985x 1/1 Running 4 4d
kube-scheduler-master.example.com 1/1 Running 6 4d
[root@master pki]# kubectl get pods kube-flannel-ds-amd64-jwhmr -o yaml -n kube-system | grep -i serviceaccount
- mountPath: /var/run/secrets/kubernetes.io/serviceaccount
- mountPath: /var/run/secrets/kubernetes.io/serviceaccount
serviceAccount: flannel
serviceAccountName: flannel