Kubernetes RBAC 之 ServiceAccount

千度20162024-07-12 22:03

Kubernetes RBAC 之 ServiceAccount

定义

RABC 英文全称是 Role-Based Access Control,它通过角色绑定账户,来使得账户拥有某些操控 K8S 集群的权限。ServiceAccount 是集群内部 Pod 访问集群所使用的服务账户,它包括了 Namespace、Token、Ca 证书,并且通过目录挂载的方式绑定 Pod。当 Pod 运行起来的时候,就会使用这些信息与 ApiServer 进行通信。

使用

  1. 创建 sa 账户 sa-test

    shell 复制代码 
    kubectl create sa sa-test

  2. 创建绑定 sa-test 账户的 Pod

    yaml 复制代码 
    apiVersion: v1
kind: Pod
metadata:
  name: rbac-sa
  namespace: default
  labels:
    app:  nginx
spec:
  serviceAccountName: sa-test
  containers:
    - name:  curl-nginx
      ports:
        - containerPort: 80
      image: curl-nginx:1.0
      imagePullPolicy: IfNotPresent

  3. 访问新建立 Pod,发现没有权限访问 ApiServer

    复制代码 
    root@k8s-master1:~# kubectl exec -it rbac-sa -- /bin/sh
/ # cd /var/run/secrets/kubernetes.io/serviceaccount/
/var/run/secrets/kubernetes.io/serviceaccount # ls -l
total 0
lrwxrwxrwx    1 root     root            13 Jul  6 02:59 ca.crt -> ..data/ca.crt
lrwxrwxrwx    1 root     root            16 Jul  6 02:59 namespace -> ..data/namespace
lrwxrwxrwx    1 root     root            12 Jul  6 02:59 token -> ..data/token

/var/run/secrets/kubernetes.io/serviceaccount # curl --cacert ./ca.crt  -H "Authorization: Bearer $(cat ./token)"  https://kubernetes/api/v1/namespaces/kube-system
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {},
  "status": "Failure",
  "message": "namespaces \"kube-system\" is forbidden: User \"system:serviceaccount:default:sa-test\" cannot get resource \"namespaces\" in API group \"\" in the namespace \"kube-system\"",
  "reason": "Forbidden",
  "details": {
    "name": "kube-system",
    "kind": "namespaces"
  },
  "code": 403
}
/var/run/secrets/kubernetes.io/serviceaccount #

  4. 赋予 sa-test 权限

    复制代码 
    root@k8s-master1:~# kubectl create clusterrolebinding sa-test-admin --clusterrole=cluster-admin  --serviceaccount=default:sa-test
clusterrolebinding.rbac.authorization.k8s.io/sa-test-admin created

  5. 再次访问

    复制代码 
    root@k8s-master1:~# kubectl exec -it rbac-sa -- /bin/sh
/ # curl --cacert ./ca.crt  -H "Authorization: Bearer $(cat ./token)"  https://kubernetes/api/v1/namespaces/kube-system
/var/run/secrets/kubernetes.io/serviceaccount # curl --cacert ./ca.crt  -H "Authorization: Bearer $(cat ./token)"  https://kubernetes/api/v1/namespaces/kube-system
{
  "kind": "Namespace",
  "apiVersion": "v1",
  "metadata": {
    "name": "kube-system",
    "uid": "6a42a1bb-6375-4658-9948-7f395e509197",
    "resourceVersion": "26",
    "creationTimestamp": "2024-05-13T00:41:10Z",
    "labels": {
      "kubernetes.io/metadata.name": "kube-system"
    },
    "managedFields": [
      {
        "manager": "kube-apiserver",
        "operation": "Update",
        "apiVersion": "v1",
        "time": "2024-05-13T00:41:10Z",
        "fieldsType": "FieldsV1",
        "fieldsV1": {
          "f:metadata": {
            "f:labels": {
              ".": {},
              "f:kubernetes.io/metadata.name": {}
            }
          }
        }
      }
    ]
  },
  "spec": {
    "finalizers": [
      "kubernetes"
    ]
  },
  "status": {
    "phase": "Active"
  }
}/var/run/secrets/kubernetes.io/serviceaccount #
相关推荐
ringking12326 分钟前
docker源文件配置以及密钥文件
运维·docker·容器
编织幻境的妖28 分钟前
Docker和Kubernetes 常用命令
docker·容器·kubernetes
❀͜͡傀儡师3 小时前
docker-compose一键部署Hadoop集群
hadoop·docker·容器
java_logo4 小时前
BUSYBOX Docker 容器化部署指南
java·运维·python·nginx·docker·容器·运维开发
Linux运维技术栈7 小时前
从Docker到宝塔:Magento2 2.3.5 安装全流程踩坑与成功实践
运维·adobe·docker·容器·magento2
_abcdef7 小时前
Kubernetes 资源清单
云原生·容器·kubernetes
大心匠7 小时前
docker安装Nodered连接homeassistant
docker·容器·homeassistant·nodered·排查故障
奋斗的蛋黄8 小时前
KEDA 深度解析:K8s 事件驱动自动扩缩容的核心实践
云原生·容器·kubernetes
ITVV9 小时前
Docker 安装配置
运维·docker·容器
言慢行善12 小时前
Docker
运维·docker·容器
热门推荐
01GitHub 镜像站点02UV安装并设置国内源03BongoCat - 跨平台键盘猫动画工具04安娜的档案(Anna’s Archive) 镜像网站/国内最新可访问入口(持续更新)05Linux下V2Ray安装配置指南06Valdi:Snapchat 开源的新一代跨平台 UI 框架07Labelme从安装到标注:零基础完整指南08Visual Studio Code设置个性化背景教程092025 最新教程:注册并切换到美区 Apple ID10在VSCode配置Java开发环境的保姆级教程(适配各类AI编程IDE)