Kubernetes RBAC 之 ServiceAccount

Kubernetes RBAC 之 ServiceAccount

定义

RABC 英文全称是 Role-Based Access Control,它通过角色绑定账户,来使得账户拥有某些操控 K8S 集群的权限。ServiceAccount 是集群内部 Pod 访问集群所使用的服务账户,它包括了 Namespace、Token、Ca 证书,并且通过目录挂载的方式绑定 Pod。当 Pod 运行起来的时候,就会使用这些信息与 ApiServer 进行通信。

使用

  1. 创建 sa 账户 sa-test

    shell 复制代码
    kubectl create sa sa-test
  2. 创建绑定 sa-test 账户的 Pod

    yaml 复制代码
    apiVersion: v1
    kind: Pod
    metadata:
      name: rbac-sa
      namespace: default
      labels:
        app:  nginx
    spec:
      serviceAccountName: sa-test
      containers:
        - name:  curl-nginx
          ports:
            - containerPort: 80
          image: curl-nginx:1.0
          imagePullPolicy: IfNotPresent
  3. 访问新建立 Pod,发现没有权限访问 ApiServer

    复制代码
    root@k8s-master1:~# kubectl exec -it rbac-sa -- /bin/sh
    / # cd /var/run/secrets/kubernetes.io/serviceaccount/
    /var/run/secrets/kubernetes.io/serviceaccount # ls -l
    total 0
    lrwxrwxrwx    1 root     root            13 Jul  6 02:59 ca.crt -> ..data/ca.crt
    lrwxrwxrwx    1 root     root            16 Jul  6 02:59 namespace -> ..data/namespace
    lrwxrwxrwx    1 root     root            12 Jul  6 02:59 token -> ..data/token
    
    /var/run/secrets/kubernetes.io/serviceaccount # curl --cacert ./ca.crt  -H "Authorization: Bearer $(cat ./token)"  https://kubernetes/api/v1/namespaces/kube-system
    {
      "kind": "Status",
      "apiVersion": "v1",
      "metadata": {},
      "status": "Failure",
      "message": "namespaces \"kube-system\" is forbidden: User \"system:serviceaccount:default:sa-test\" cannot get resource \"namespaces\" in API group \"\" in the namespace \"kube-system\"",
      "reason": "Forbidden",
      "details": {
        "name": "kube-system",
        "kind": "namespaces"
      },
      "code": 403
    }
    /var/run/secrets/kubernetes.io/serviceaccount #
  4. 赋予 sa-test 权限

    复制代码
    root@k8s-master1:~# kubectl create clusterrolebinding sa-test-admin --clusterrole=cluster-admin  --serviceaccount=default:sa-test
    clusterrolebinding.rbac.authorization.k8s.io/sa-test-admin created
  5. 再次访问

    复制代码
    root@k8s-master1:~# kubectl exec -it rbac-sa -- /bin/sh
    / # curl --cacert ./ca.crt  -H "Authorization: Bearer $(cat ./token)"  https://kubernetes/api/v1/namespaces/kube-system
    /var/run/secrets/kubernetes.io/serviceaccount # curl --cacert ./ca.crt  -H "Authorization: Bearer $(cat ./token)"  https://kubernetes/api/v1/namespaces/kube-system
    {
      "kind": "Namespace",
      "apiVersion": "v1",
      "metadata": {
        "name": "kube-system",
        "uid": "6a42a1bb-6375-4658-9948-7f395e509197",
        "resourceVersion": "26",
        "creationTimestamp": "2024-05-13T00:41:10Z",
        "labels": {
          "kubernetes.io/metadata.name": "kube-system"
        },
        "managedFields": [
          {
            "manager": "kube-apiserver",
            "operation": "Update",
            "apiVersion": "v1",
            "time": "2024-05-13T00:41:10Z",
            "fieldsType": "FieldsV1",
            "fieldsV1": {
              "f:metadata": {
                "f:labels": {
                  ".": {},
                  "f:kubernetes.io/metadata.name": {}
                }
              }
            }
          }
        ]
      },
      "spec": {
        "finalizers": [
          "kubernetes"
        ]
      },
      "status": {
        "phase": "Active"
      }
    }/var/run/secrets/kubernetes.io/serviceaccount #
相关推荐
gs801401 小时前
记一次多 Agent 架构在单节点 K8s 触发的 PID 耗尽与 Pod 驱逐(Evicted)大摸排
容器·架构·kubernetes
bukeyiwanshui2 小时前
20260701 k8s Metric Server
容器·贪心算法·kubernetes
江湖有缘2 小时前
基于Docker环境部署tillywork开源工作管理工具
docker·容器·开源
鸿儒5174 小时前
MR-50国产化GPU docker配置方法
docker·容器·mr
Zhu7586 小时前
在k8s集群部署ApacheHadoop单节点单数据副本
云原生·容器·kubernetes
摇滚侠6 小时前
云原生 Java 架构师的第一课 K8s+Docker+KubeSphere+DevOps 51-60
java·云原生·kubernetes
bukeyiwanshui6 小时前
20260703 K8s ECShop商城项目
云原生·容器·kubernetes
糖果店的幽灵6 小时前
混沌测试从入门到精通(容器与K8s)
云原生·容器·kubernetes
蜀道山老天师19 小时前
K8s Secret 与 ConfigMap 配置管理及动态更新实战详解
云原生·容器·kubernetes