Introduction to k8s ServiceAccounts
serviceaccount
Every namespace has a service account resource named default. You can query this service account, together with the other ServiceAccount resources in the namespace, with the following command:
kubectl get serviceAccounts
NAME      SECRETS   AGE
default   1         1d
Create
You can create additional ServiceAccount objects like this:
kubectl create -f - <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: build-robot
EOF
serviceaccount/build-robot created
Query
If you query the full details of the service account object, as shown below:
kubectl get serviceaccounts/build-robot -o yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  creationTimestamp: 2015-06-16T00:12:59Z
  name: build-robot
  namespace: default
  resourceVersion: "272500"
  uid: 721ab723-13bc-11e5-aec2-42010af0021e
secrets:
- name: build-robot-token-bvbk5
you will see that the system has automatically created a token, and that the service account references it.
You can use authorization plugins to set a service account's access permissions.
To use a non-default service account, simply set the Pod's spec.serviceAccountName field to the name of the service account you want to use.
Note:
- The service account must exist when the Pod is created, otherwise the Pod will be rejected.
- You cannot change the service account of a Pod that has already been created.
Delete
You can delete a service account as shown below:
kubectl delete serviceaccount/build-robot
secret
Suppose we have the service account named build-robot mentioned above, and we manually create a new Secret for it.
kubectl create -f - <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: build-robot-secret
  annotations:
    kubernetes.io/service-account.name: build-robot
type: kubernetes.io/service-account-token
EOF
secret/build-robot-secret created
Now you can confirm that the newly created Secret has been populated with an API token for the build-robot service account.
The token controller cleans up all tokens belonging to service accounts that no longer exist.
kubectl get secrets/default-token-x7jbq -n ns1 -o yaml
apiVersion: v1
data:
  ca.crt: {base64 encoding of ca.crt data}
  namespace: emVuYXA=
  token: {base64 encoding of bearer token}
kind: Secret
metadata:
  annotations:
    kubernetes.io/service-account.name: default
    kubernetes.io/service-account.uid: c1ae63f8-05e5-11ea-be6e-fa163e56fdff
  creationTimestamp: "2019-11-13T07:18:14Z"
  name: default-token-x7jbq
  namespace: ns1
  resourceVersion: "4400"
  selfLink: /api/v1/namespaces/ns1/secrets/default-token-x7jbq
  uid: c1b377cc-05e5-11ea-be6e-fa163e56fdff
type: kubernetes.io/service-account-token
This Secret of type service-account-token contains three pieces of data: ca.crt, namespace and token.
ca.crt: the CA public-key certificate of the API Server, used by processes in the Pod to verify the API Server's serving certificate.
namespace: the base64 encoding of the namespace the Secret lives in: # echo -n "kube-system"|base64 => "emVuYXA="
token: the base64 encoding of a bearer token signed with the API Server's private key; it is used during authentication at the API Server.
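As an added example (not code from the original post), here is a small Python audit that takes a service-account-token Secret in the shape shown above, base64-decodes its three data fields, and cross-checks the namespace field and the token's claims against the Secret's metadata and annotation. The Secret and the JWT are constructed inline with a dummy signature; the claim names are those of the legacy service-account token format, and no signature verification is performed.

```python
import base64
import json

def b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()
def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

# Constructed sample, not captured from a cluster: claims of a legacy
# service-account JWT, assembled here with a dummy (unverifiable) signature.
SAMPLE_CLAIMS = {
    "kubernetes.io/serviceaccount/namespace": "ns1",
    "kubernetes.io/serviceaccount/secret.name": "default-token-x7jbq",
    "kubernetes.io/serviceaccount/service-account.name": "default",
    "sub": "system:serviceaccount:ns1:default",
}
SAMPLE_TOKEN = ".".join(b64url(p) for p in (
    json.dumps({"alg": "RS256"}).encode(), json.dumps(SAMPLE_CLAIMS).encode(), b"dummy-sig"))
# Constructed Secret with the same shape as default-token-x7jbq above.
SAMPLE_SECRET = {
    "metadata": {"name": "default-token-x7jbq", "namespace": "ns1",
                 "annotations": {"kubernetes.io/service-account.name": "default"}},
    "type": "kubernetes.io/service-account-token",
    "data": {"ca.crt": b64(b"-----BEGIN CERTIFICATE-----\n(constructed)\n-----END CERTIFICATE-----\n"),
             "namespace": b64(b"ns1"), "token": b64(SAMPLE_TOKEN.encode())},
}

def jwt_claims(token: str) -> dict:
    """Decode a JWT payload for inspection only; the signature is NOT verified."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def audit_token_secret(secret: dict) -> list:
    """Cross-check data fields, annotation and token claims; [] means consistent."""
    if secret.get("type") != "kubernetes.io/service-account-token":
        return ["not a service-account-token Secret"]
    data, meta = secret["data"], secret["metadata"]
    missing = [k for k in ("ca.crt", "namespace", "token") if k not in data]
    if missing:
        return [f"missing data field {k}" for k in missing]
    findings = []
    ns = base64.b64decode(data["namespace"]).decode()
    if ns != meta["namespace"]:
        findings.append(f"namespace field {ns!r} != metadata.namespace {meta['namespace']!r}")
    claims = jwt_claims(base64.b64decode(data["token"]).decode())
    expected = {"service-account.name": meta["annotations"]["kubernetes.io/service-account.name"],
                "namespace": ns, "secret.name": meta["name"]}
    for key, want in expected.items():
        if claims.get(f"kubernetes.io/serviceaccount/{key}") != want:
            findings.append(f"token claim {key} != Secret value {want!r}")
    return findings
```

On a live cluster the same checks can be run over the output of kubectl get secret -o json; a non-empty findings list means the Secret's fields and its token disagree about which identity the token represents.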
Using a serviceaccount
When you create a Pod without specifying a service account, the Pod is assigned the default service account of its namespace. If you look at the Pod's raw json or yaml (for example: kubectl get pods/podname -o yaml), you can see that the spec.serviceAccountName field has been set automatically.
You can access the API using the service account credentials that are automatically mounted into the Pod; this is described in Accessing the Cluster. The API permissions of a service account depend on the authorization plugin and policy you use.
Appendix
Secret generated by k8s
kubectl get secrets/default-token-x7jbq -n ns1 -o yaml
apiVersion: v1
data:
  ca.crt: {base64 encoding of ca.crt data}
  namespace: emVuYXA=
  token: {base64 encoding of bearer token}
kind: Secret
metadata:
  annotations:
    kubernetes.io/service-account.name: default
    kubernetes.io/service-account.uid: c1ae63f8-05e5-11ea-be6e-fa163e56fdff
  creationTimestamp: "2019-11-13T07:18:14Z"
  name: default-token-x7jbq
  namespace: ns1
  resourceVersion: "4400"
  selfLink: /api/v1/namespaces/ns1/secrets/default-token-x7jbq
  uid: c1b377cc-05e5-11ea-be6e-fa163e56fdff
type: kubernetes.io/service-account-token
Secrets generated by istio
kubectl get secrets/istio.default -n ns1 -o yaml
apiVersion: v1
data:
  cert-chain.pem: {base64 encoding of cert-chain.pem data}
  key.pem: {base64 encoding of key.pem data}
  root-cert.pem: {base64 encoding of root-cert.pem data}
kind: Secret
metadata:
  annotations:
    istio.io/service-account.name: default
  creationTimestamp: "2020-03-19T11:59:04Z"
  name: istio.default
  namespace: ns1
  resourceVersion: "13304687"
  selfLink: /api/v1/namespaces/ns1/secrets/istio.default
  uid: 075b2323-69d9-11ea-b652-fa163e56fdff
type: istio.io/key-and-cert