ServiceAccount

Every namespace has a ServiceAccount resource named default. You can list this service account, together with the other ServiceAccount resources in the namespace, with the following command:

kubectl get serviceAccounts
NAME      SECRETS    AGE
default   1          1d

Create

You can create additional ServiceAccount objects like this:

kubectl create -f - <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: build-robot
EOF
serviceaccount/build-robot created

Query

If you query the full details of the service account object, as shown below:

kubectl get serviceaccounts/build-robot -o yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  creationTimestamp: 2015-06-16T00:12:59Z
  name: build-robot
  namespace: default
  resourceVersion: "272500"
  uid: 721ab723-13bc-11e5-aec2-42010af0021e
secrets:
- name: build-robot-token-bvbk5

you will see that the system has automatically created a token and that the service account references it.

You can use authorization plugins to set the access permissions of a service account.

To use a non-default service account, simply set the Pod's spec.serviceAccountName field to the name of the service account you want to use.

Note:

  • The service account must exist when the Pod is created, otherwise the Pod is rejected.
  • You cannot change the service account of a Pod that has already been created.
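As an added example (not part of the original post), this is a Pod manifest that uses the build-robot service account created above. The Pod name, namespace and image are assumptions chosen for the example; the automountServiceAccountToken field is a real Pod spec field that controls whether the token is mounted into the containers.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: build-robot-pod        # constructed example name
  namespace: default           # the build-robot ServiceAccount must already exist in this namespace
spec:
  serviceAccountName: build-robot
  # Only mount the token when a container really calls the API server;
  # setting this to false removes the token volume from every container in the Pod.
  automountServiceAccountToken: true
  containers:
  - name: worker
    image: busybox:1.36        # constructed example image
    command: ["sh", "-c", "ls -l /var/run/secrets/kubernetes.io/serviceaccount && sleep 3600"]
```

Apply it with kubectl apply -f pod.yaml; the directory listed by the container holds the ca.crt, namespace and token files described in the Secret section. Because the serviceAccountName of a running Pod cannot be changed, switching to a different service account means deleting and recreating the Pod.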

Delete

You can delete a service account as shown below:

kubectl delete serviceaccount/build-robot

Secret

Suppose we have the service account named build-robot mentioned above; we now manually create a new Secret for it:

kubectl create -f - <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: build-robot-secret
  annotations:
    kubernetes.io/service-account.name: build-robot
type: kubernetes.io/service-account-token
EOF
secret/build-robot-secret created

Now you can confirm that the newly created Secret has been populated with an API token for the build-robot service account.

The token controller cleans up all tokens that belong to service accounts that no longer exist.

kubectl get secrets/default-token-x7jbq -n ns1 -o yaml
apiVersion: v1
data:
  ca.crt: {base64 encoding of ca.crt data}
  namespace: emVuYXA=
  token: {base64 encoding of bearer token}
kind: Secret
metadata:
  annotations:
    kubernetes.io/service-account.name: default
    kubernetes.io/service-account.uid: c1ae63f8-05e5-11ea-be6e-fa163e56fdff
  creationTimestamp: "2019-11-13T07:18:14Z"
  name: default-token-x7jbq
  namespace: ns1
  resourceVersion: "4400"
  selfLink: /api/v1/namespaces/ns1/secrets/default-token-x7jbq
  uid: c1b377cc-05e5-11ea-be6e-fa163e56fdff
type: kubernetes.io/service-account-token

A Secret of type service-account-token contains three data items: ca.crt, namespace and token.

  • ca.crt: the CA public certificate of the API server; processes in the Pod use it to verify the API server's TLS server certificate.
  • namespace: the base64 encoding of the namespace the Secret lives in, e.g. echo -n "zenap" | base64 => "emVuYXA="
  • token: the base64 encoding of a bearer token signed with the API server's private key; it is used during authentication against the API server.
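The following script is an added example (not from the original post) of how a defender can inspect a service-account-token Secret of the shape shown above: it base64-decodes the namespace and token fields, decodes the JWT header and claims, and cross-checks them against the Secret's metadata. The JWT signature is deliberately not verified (only the API server's key can do that), so the output is for inspection, not for trust decisions. The sample Secret, its claims and its placeholder signature are constructed here; the audit function and the claim names follow the real token format.

```python
import base64
import json
from datetime import datetime, timezone


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_unverified(token: str) -> tuple:
    """Return (header, claims) of a JWT. The signature is NOT checked here."""
    header_b64, payload_b64, _signature = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def audit_sa_token_secret(secret: dict) -> dict:
    """Cross-check a service-account-token Secret's data against its metadata."""
    data = secret["data"]
    # ca.crt, namespace and token are all base64-encoded under .data (the form kubectl -o yaml prints).
    namespace = base64.b64decode(data["namespace"]).decode()
    token = base64.b64decode(data["token"]).decode()
    header, claims = decode_jwt_unverified(token)
    sa_name = secret["metadata"].get("annotations", {}).get("kubernetes.io/service-account.name")
    findings = []
    if header.get("alg") == "none":
        findings.append("token header uses alg none: not a token the API server issues")
    if claims.get("kubernetes.io/serviceaccount/namespace") != namespace:
        findings.append("token namespace claim does not match data.namespace")
    if claims.get("kubernetes.io/serviceaccount/service-account.name") != sa_name:
        findings.append("token service-account claim does not match the Secret annotation")
    if secret["metadata"].get("namespace") != namespace:
        findings.append("Secret lives in a different namespace than its token claims")
    if claims.get("sub") != f"system:serviceaccount:{namespace}:{sa_name}":
        findings.append("sub claim does not follow system:serviceaccount:<namespace>:<name>")
    if "exp" in claims:
        expires = datetime.fromtimestamp(claims["exp"], tz=timezone.utc).isoformat()
    else:
        expires = None
        findings.append("no exp claim: legacy long-lived token, prefer short-lived bound tokens")
    return {"namespace": namespace, "service_account": sa_name, "subject": claims.get("sub"),
            "expires": expires, "findings": findings}


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def legacy_claims(namespace: str, sa_name: str) -> dict:
    """Constructed claim set in the shape of a secret-based token: no exp and no aud."""
    return {
        "iss": "kubernetes/serviceaccount",
        "kubernetes.io/serviceaccount/namespace": namespace,
        "kubernetes.io/serviceaccount/secret.name": f"{sa_name}-token-sample",
        "kubernetes.io/serviceaccount/service-account.name": sa_name,
        "kubernetes.io/serviceaccount/service-account.uid": "00000000-0000-0000-0000-000000000000",
        "sub": f"system:serviceaccount:{namespace}:{sa_name}",
    }


def make_sample_secret(namespace: str, sa_name: str, claims: dict, secret_namespace=None) -> dict:
    """Build a constructed Secret in the shape `kubectl get secret -o yaml` prints (sample data only)."""
    header = _b64url(json.dumps({"alg": "RS256", "kid": ""}).encode())
    payload = _b64url(json.dumps(claims).encode())
    # Placeholder signature: a real token is RS256-signed by the API server's private key.
    token = f"{header}.{payload}.{_b64url(b'constructed-signature')}"
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "type": "kubernetes.io/service-account-token",
        "metadata": {
            "name": f"{sa_name}-token-sample",
            "namespace": secret_namespace or namespace,
            "annotations": {"kubernetes.io/service-account.name": sa_name},
        },
        "data": {
            "ca.crt": base64.b64encode(b"-----BEGIN CERTIFICATE-----\n(constructed)\n-----END CERTIFICATE-----\n").decode(),
            "namespace": base64.b64encode(namespace.encode()).decode(),
            "token": base64.b64encode(token.encode()).decode(),
        },
    }


# Constructed sample mirroring the build-robot Secret created above.
LEGACY_SECRET = make_sample_secret("ns1", "build-robot", legacy_claims("ns1", "build-robot"))

if __name__ == "__main__":
    print(json.dumps(audit_sa_token_secret(LEGACY_SECRET), indent=2))
```

On a real cluster, feed the function the output of kubectl get secret <name> -o json (parsed with json.load) instead of the constructed sample. The missing exp finding is the one to look for first: secret-based tokens never expire, so any copy of the Secret's data remains a valid credential until the Secret is deleted.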

Using a ServiceAccount

When you create a Pod without specifying a service account, the Pod is assigned the default service account of its namespace. If you look at the Pod's raw JSON or YAML (for example with kubectl get pods/podname -o yaml), you can see that the spec.serviceAccountName field has been set automatically.

You can use the service account credentials automatically mounted into the Pod to access the API, as described in Accessing the Cluster. The API permissions of a service account depend on the authorization plugin and policies you use.

Appendix

Secret generated by Kubernetes

kubectl get secrets/default-token-x7jbq -n ns1 -o yaml
apiVersion: v1
data:
  ca.crt: {base64 encoding of ca.crt data}
  namespace: emVuYXA=
  token: ZXlKaGJHY2lPaUpTVXpJMU5pSXNJbXRwWkNJNklpSjkuZXlKcGMzTWlPaUpyZFdKbGNtNWxkR1Z6TDNObGNuWnBZMlZoWTJOdmRXNTBJaXdpYTNWaVpYSnVaWFJsY3k1cGJ5OXpaWEoyYVdObFlXTmpiM1Z1ZEM5dVlXMWxjM0JoWTJVaU9pSjZaVzVoY0NJc0ltdDFZbVZ5Ym1WMFpYTXVhVzh2YzJWeWRtbGpaV0ZqWTI5MWJuUXZjMlZqY21WMExtNWhiV1VpT2lKa1pXWmhkV3gwTFhSdmEyVnVMWGczYW1KeElpd2lhM1ZpWlhKdVpYUmxjeTVwYnk5elpYSjJhV05sWVdOamIzVnVkQzl6WlhKMmFXTmxMV0ZqWTI5MWJuUXVibUZ0WlNJNkltUmxabUYxYkhRaUxDSnJkV0psY201bGRHVnpMbWx2TDNObGNuWnBZMlZoWTJOdmRXNTBMM05sY25acFkyVXRZV05qYjNWdWRDNTFhV1FpT2lKak1XRmxOak5tT0Mwd05XVTFMVEV4WldFdFltVTJaUzFtWVRFMk0yVTFObVprWm1ZaUxDSnpkV0lpT2lKemVYTjBaVzA2YzJWeWRtbGpaV0ZqWTI5MWJuUTZlbVZ1WVhBNlpHVm1ZWFZzZENKOS5UWjlwMVZTQkY2c09DakZMakl2dkZZSzlncEpDSlJNR0l0VGpMZHF6SmhBcFdXTkVxUS1UZmp6MGoxZXpqWEswVE1NTloxUTFZNE9TTmVpb3dwaExYRE1Vcnh0NzBDMk5NOVhRWi1uYnhiWkNYb1laczgzamxGNTA0MERQUDdBM2xzQ3B2a0M1cTdwZkFFRUhwMnR5VTNsR1RfRTV0NV9wNWQzclJ0OTcwdHRBVElYSTMtYzE0ZHJUdC15eDNGV1QySjJ3S0E0NVRjMDFhdzctTTdMZmFreDV2YzBiVFR1VFpmOHZQaFhmR1ZHazR2Yy1JM2dVdDcwSXRQdU5razJNVmtkQlExWnNyb2V0MzVOYmdaQUR6c0RBUjJicnF0N1JKTXBrRkZjbnd4MkxrNjNFMFNRa25paTgyZTQ0SDV1dzlGRDdjQUd4V3RoMzdqaUoyUE9DSGc=
kind: Secret
metadata:
  annotations:
    kubernetes.io/service-account.name: default
    kubernetes.io/service-account.uid: c1ae63f8-05e5-11ea-be6e-fa163e56fdff
  creationTimestamp: "2019-11-13T07:18:14Z"
  name: default-token-x7jbq
  namespace: ns1
  resourceVersion: "4400"
  selfLink: /api/v1/namespaces/ns1/secrets/default-token-x7jbq
  uid: c1b377cc-05e5-11ea-be6e-fa163e56fdff
type: kubernetes.io/service-account-token

Secrets generated by Istio

kubectl get secrets/istio.default -n ns1 -o yaml
apiVersion: v1
data:
  cert-chain.pem: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURHekNDQWdPZ0F3SUJBZ0lRZGYycGRldjg3djFoQXhyclhyZmE4REFOQmdrcWhraUc5dzBCQVFzRkFEQVkKTVJZd0ZBWURWUVFLRXcxamJIVnpkR1Z5TG14dlkyRnNNQjRYRFRJd01ETXhPVEV4TlRrd05Gb1hEVEl3TURZeApOekV4TlRrd05Gb3dBRENDQVNJd0RRWUpLb1pJaHZjTkFRRUJCUUFEZ2dFUEFEQ0NBUW9DZ2dFQkFMNk1DTU9VCjJ2TVVsT2ZkNko0a3FJN1A5QjkyQm1Xc1NTaTVmS3dPSU8xMlFJaTFibmpnRXNieHJRaUlRYjYzbTlTM2hmL1EKb2ZML1QxMkljTnZrOEU4MDh4V2U0U1E0aG8rT0pQNnk4T0c5b242Rk1HY1VmMEJUTHQrSHFHV3lhQjBGQ2dwYwo1VmtHa3RLeWhUSHVYU1VUQ3RsKzlDRUZZOFYrZzM5N3VNRDdES1p6MVZRa2pZYThmaVdUS1VZSGgyN0dFN1EyCldqTEFWbHh3cFNpYnYyOURDdVE1OGFHa1UxNFA4ZW1uTy9KVjlHUTY2OWR1SENRa0o1dHVDaENwNGdVeFJSb1UKU0w3aVc1T3ZXOFhZQkFqUXlGV0J1UlFCVVFDMllXYVdDbm13UXhXRDY3Q3h0WXR3c1V2L2UxY3BaR3ZsMy9VUgowRllQa0dDOEtjdnJJSjBDQXdFQUFhTjVNSGN3RGdZRFZSMFBBUUgvQkFRREFnV2dNQjBHQTFVZEpRUVdNQlFHCkNDc0dBUVVGQndNQkJnZ3JCZ0VGQlFjREFqQU1CZ05WSFJNQkFmOEVBakFBTURnR0ExVWRFUUVCL3dRdU1DeUcKS25Od2FXWm1aVG92TDJOc2RYTjBaWEl1Ykc5allXd3Zibk12ZW1WdVlYQXZjMkV2WkdWbVlYVnNkREFOQmdrcQpoa2lHOXcwQkFRc0ZBQU9DQVFFQWUvNnJHTFJ5Sld5QlVzY3JZSUQ0L3UrUXZYTlQ1c3hSNUJobWRDREQ3M0dVCnpXaHl3ZGUyRmwvSXdjY1pWRGRTeWFwdmdCdFd3VERFMS9CNW44LzJsbGlJUTUrNWpIUEpMeFEzZWpOamdLVjIKRUtWVHRSRmRpSjZYemhMaVVwa3Z2YXQ2cGswdE80d05sSnFhTXRwQlRkcHlYTmlCMyttNVc5UnJ5WE5pRWRBKwpyWFhWbHdyMjBNMHVDSHNVY1IvaGRlYys5U0RkTDZYQWl0RXM1dTBDaC9GMUZ4WHdoYzJBem9Vb2pHaFBqa25NCnJkV1hhTFhqclBmMWVxelphUll5YWpiSTJtdVRzak1WMnZKNjduZVBiZk0wRFVmSFVjNEtwM3B1UHpMWW5YT2kKVTNPTFRUMCtBSE1MajZBeU1VZkQ0L0JRU1NBZDlPamYzaTZ5NENTaFhnPT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
  key.pem: {base64 encoding of key.pem data}
  root-cert.pem: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUMzakNDQWNhZ0F3SUJBZ0lSQU9wRnhlRnpLbExKakJoTHg3VmVWS0l3RFFZSktvWklodmNOQVFFTEJRQXcKR0RFV01CUUdBMVVFQ2hNTlkyeDFjM1JsY2k1c2IyTmhiREFlRncweU1EQXpNVGt4TVRVNE5UbGFGdzB6TURBegpNVGN4TVRVNE5UbGFNQmd4RmpBVUJnTlZCQW9URFdOc2RYTjBaWEl1Ykc5allXd3dnZ0VpTUEwR0NTcUdTSWIzCkRRRUJBUVVBQTRJQkR3QXdnZ0VLQW9JQkFRRFFHLzI4ZTZtc1FOaDhOa3o1U3lOUHdwV0svb3pJVGhMdzRxUEoKYUdhN3lBdFllYy9jbm84UXpCZ25VK0RteDY4NFhxdE5jSURTWHJ5bE52Y3llR1JuWjY5Tml2MVh2amRWYW1nOQpVQS9mVS9KMFY5Tmt1OGNBNkduSjBkZnhLSDZzZ2FJUzdoc2pQWTM2YVJHeDhTaTFjY09aYWdoUmJQQW1lTW5tCmd2dGRqRDVjc0lwOFNhTXpsdFJKNHU4SFZla2UrRGQvZ01LMGxTalNybU9LK0hUc0xMZk5Xd0Rpb3ZEUVpNQ0QKU29sa1NpUVlnOTRDQUVpdmwyR1NOZzEwdmZCV3I2MzdpVS85bGZENnk3cXY2c1FpeVJlTGZDOGFvOEtMMzEvZwpkV2RUd2IyR3kwV1FwV2w4a2IzTnI0U0RoYzNGcG5wZ2h2U0d2R3UzOEdOcjExalJBZ01CQUFHakl6QWhNQTRHCkExVWREd0VCL3dRRUF3SUNCREFQQmdOVkhSTUJBZjhFQlRBREFRSC9NQTBHQ1NxR1NJYjNEUUVCQ3dVQUE0SUIKQVFBcXUvRnBjK2JoRzREbzJEdlQ3UnBQQjA1NXRGRlRhWmJweWUxQklJd2o5a0M0U2o0bmo5NTB1UjZ3Y0dYQgpJSjJxNkJZQUprRDJFKzFobTMxajVkMUx5dDk3R21hUk16Uzhaam9VOTM5OFBDSk80MWF2NnJoeVZpa1c3cUxBCkVCT09aTjJ6RDUxcTJsZjVTN2lPNHhiM2hvOEtSVy9Hd2Q3R2ZhT1NVN1I1a0VTSWFneVdUOTd6WlRoemh5UTAKSUVqcGF6Sm9jc1dSV2k4aFBremhGZnZ3aGFSTko5Tm42NkdJZ3g2YkRJN1BYdFdtTy9kLzRpbWdCN2hwSi9JawozajJzYnQ3QU40YlVneU56aU1xY053UWh5bGZyRUppS2F6U1BuUVZHdENjRGtXOVV0MlcyeUtaTkJ5K3h5S0JTCi8zYXdIVFA0dzVXWHhzdDFFVzNDU1JPcQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
kind: Secret
metadata:
  annotations:
    istio.io/service-account.name: default
  creationTimestamp: "2020-03-19T11:59:04Z"
  name: istio.default
  namespace: ns1
  resourceVersion: "13304687"
  selfLink: /api/v1/namespaces/ns1/secrets/istio.default
  uid: 075b2323-69d9-11ea-b652-fa163e56fdff
type: istio.io/key-and-cert

References