kubernetes之Service Account

Service Account概念的引入是基于这样的使用场景:运行在pod里的进程需要调用Kubernetes API以及非Kubernetes API的其它服务。Service Account它并不是给kubernetes集群的用户使用的,而是给pod里面的进程使用的,它为pod提供必要的身份认证。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
➜  nexus kubectl get sa
NAME      SECRETS   AGE
default   1         18d
➜  nexus 
➜  nexus kubectl get sa --all-namespaces 
NAMESPACE     NAME                   SECRETS   AGE
default       default                1         18d
kube-public   default                1         18d
kube-system   admin-user             1         9d
kube-system   coredns                1         13d
kube-system   default                1         18d
kube-system   heapster               1         9d
kube-system   kubernetes-dashboard   1         9d
➜  nexus

如果kubernetes api开启了ServiceAccount(–admission_control=…,ServiceAccount,… )

1
2
3
4
5
6
7
8
9
10
11
12
➜  nexus vim /usr/lib/systemd/system/kube-apiserver.service
[Unit]
Description=Kubernetes API Server
Documentation=https://github.com/GoogleCloudPlatform/kubernetes
After=network.target

[Service]
ExecStart=/data/kubernetes/bin/kube-apiserver \
  --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota,NodeRestriction \
  --bind-address=192.168.0.14 \
  --insecure-bind-address=127.0.0.1 \
  .......

那么会在每个namespace下面都会创建一个默认的default的sa。
如下,其中最重要的就是secrets,每个sa下面都会拥有的一个加密的token。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
➜  nexus kubectl get sa default 
NAME      SECRETS   AGE
default   1         18d
➜  nexus 
➜  nexus kubectl get sa default -o yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  creationTimestamp: 2018-06-07T07:52:58Z
  name: default
  namespace: default
  resourceVersion: "149"
  selfLink: /api/v1/namespaces/default/serviceaccounts/default
  uid: cb4da2fd-6a27-11e8-8209-5254004f2222
secrets:
- name: default-token-fck44
➜  nexus

当用户在该namespace下创建pod的时候都会默认使用这个sa,下面是get pod -o yaml截取的部分,可以看到kubernetes会把默认的sa挂载到容器内。

1
2
3
4
5
6
7
8
volumes:
  - name: nexus-data
    persistentVolumeClaim:
      claimName: nexus3-data-pvc
  - name: default-token-fck44
    secret:
      defaultMode: 420
      secretName: default-token-fck44

具体看一下secret

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
➜  nexus kubectl get secret                     
NAME                  TYPE                                  DATA      AGE
default-token-fck44   kubernetes.io/service-account-token   3         18d
registrykey-2.6.2     kubernetes.io/dockerconfigjson        1         3d
registrykey-m262-3    kubernetes.io/dockerconfigjson        1         2d
registrykey-m262-5    kubernetes.io/dockerconfigjson        1         2h
➜  nexus 
➜  nexus kubectl get secret default-token-fck44 -o yaml
apiVersion: v1
data:
  ca.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUR2akNDQXFhZ0F3SUJBZ0lVVVZFU2V4MnJsdddcUN3NzF5V1RTCjJicjZXbHRHanZsaVJSK1VoWWlGOGJ3ODk2ZGxzVjYvSUtHVDRwUE1zUUV1bmE2RmZEd0Y5V3cxbVFPRE1BWlUKalRUSzA0aXFHdmVSL2RqMitzSTc0SGJnSDA0N2hCb1pXUHhkOVorUHFPeDhYOVZBeUtvMW10aktVTDltOXdsbQovOWc9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
  namespace: ZGVmYXVsdA==
  token: ZXlKaGJHY2lPaUpTVXpJMU5pSXNJbXRwWkNJNklpSjkuZXlKcGMzTWlPaUpyZFdKbGNtNWxkR1ZdsdsdN3dHZG9URDNrU1RjNEhiWmxzNUZuWmtrbGJ5SmFkT3JnYUlQVWROTE56eUt4OGdINkFkXzYtNjQ3QnhObUdiZGQ0ZXBVSG9Ga0tDZlAxaktid3daYVI4OXRxb1Z3YUhXVnBuVTdkU3hVZkNtZV8waE1Bc1RQRFFfX2xPWWJuX1ZMNjFKSXAydDdBSXRGQjl4c3hnX1pLZEdEWTcwZGI3TEo1Mm01TmRhREgxdEhHX0VGckdiVVI2QmYyLTVsa3JhYl9BTTE0a1NfM19MRWRLSXM3SWc=
kind: Secret
metadata:
  annotations:
    kubernetes.io/service-account.name: default
    kubernetes.io/service-account.uid: cb4da2fd-6a27-11e8-8209-5254004f2222
  creationTimestamp: 2018-06-07T07:52:58Z
  name: default-token-fck44
  namespace: default
  resourceVersion: "146"
  selfLink: /api/v1/namespaces/default/secrets/default-token-fck44
  uid: cb51b5b6-6a27-11e8-8209-5254004f2222
type: kubernetes.io/service-account-token
➜  nexus

上面的内容是经过base64加密过后的,直接进入容器内:

1
2
3
4
5
6
7
8
9
10
11
➜  nexus kubectl get pod              
NAME                              READY     STATUS    RESTARTS   AGE
nexus3-68f55d9746-vfnf8           1/1       Running   0          3d
rbd-rest-api-registrykey-m262-1   1/1       Running   0          3d
➜  nexus 
➜  nexus kubectl exec nexus3-68f55d9746-vfnf8 -it /bin/bash
[root@nexus3-68f55d9746-vfnf8 /]# ls -lth /var/run/secrets/kubernetes.io/serviceaccount
total 0
lrwxrwxrwx. 1 root root 13 Jun 21 21:29 ca.crt -> ..data/ca.crt
lrwxrwxrwx. 1 root root 16 Jun 21 21:29 namespace -> ..data/namespace
lrwxrwxrwx. 1 root root 12 Jun 21 21:29 token -> ..data/token

可以看到已将ca.crt 、namespace和token放到容器内了,那么这个容器就可以通过https的请求访问apiserver了。

k8s
k8s

本博客所有文章除特别声明外,均采用 CC BY-SA 4.0 协议 ,转载请注明出处!