Kubernetes RBAC 之 ServiceAccount

Kubernetes RBAC 之 ServiceAccount

定义

RABC 英文全称是 Role-Based Access Control,它通过角色绑定账户,来使得账户拥有某些操控 K8S 集群的权限。ServiceAccount 是集群内部 Pod 访问集群所使用的服务账户,它包括了 Namespace、Token、Ca 证书,并且通过目录挂载的方式绑定 Pod。当 Pod 运行起来的时候,就会使用这些信息与 ApiServer 进行通信。

使用

  1. 创建 sa 账户 sa-test

    shell 复制代码
    kubectl create sa sa-test
  2. 创建绑定 sa-test 账户的 Pod

    yaml 复制代码
    apiVersion: v1
    kind: Pod
    metadata:
      name: rbac-sa
      namespace: default
      labels:
        app:  nginx
    spec:
      serviceAccountName: sa-test
      containers:
        - name:  curl-nginx
          ports:
            - containerPort: 80
          image: curl-nginx:1.0
          imagePullPolicy: IfNotPresent
  3. 访问新建立 Pod,发现没有权限访问 ApiServer

    root@k8s-master1:~# kubectl exec -it rbac-sa -- /bin/sh
    / # cd /var/run/secrets/kubernetes.io/serviceaccount/
    /var/run/secrets/kubernetes.io/serviceaccount # ls -l
    total 0
    lrwxrwxrwx    1 root     root            13 Jul  6 02:59 ca.crt -> ..data/ca.crt
    lrwxrwxrwx    1 root     root            16 Jul  6 02:59 namespace -> ..data/namespace
    lrwxrwxrwx    1 root     root            12 Jul  6 02:59 token -> ..data/token
    
    /var/run/secrets/kubernetes.io/serviceaccount # curl --cacert ./ca.crt  -H "Authorization: Bearer $(cat ./token)"  https://kubernetes/api/v1/namespaces/kube-system
    {
      "kind": "Status",
      "apiVersion": "v1",
      "metadata": {},
      "status": "Failure",
      "message": "namespaces \"kube-system\" is forbidden: User \"system:serviceaccount:default:sa-test\" cannot get resource \"namespaces\" in API group \"\" in the namespace \"kube-system\"",
      "reason": "Forbidden",
      "details": {
        "name": "kube-system",
        "kind": "namespaces"
      },
      "code": 403
    }
    /var/run/secrets/kubernetes.io/serviceaccount #
    
  4. 赋予 sa-test 权限

    root@k8s-master1:~# kubectl create clusterrolebinding sa-test-admin --clusterrole=cluster-admin  --serviceaccount=default:sa-test
    clusterrolebinding.rbac.authorization.k8s.io/sa-test-admin created
    
  5. 再次访问

    root@k8s-master1:~# kubectl exec -it rbac-sa -- /bin/sh
    / # curl --cacert ./ca.crt  -H "Authorization: Bearer $(cat ./token)"  https://kubernetes/api/v1/namespaces/kube-system
    /var/run/secrets/kubernetes.io/serviceaccount # curl --cacert ./ca.crt  -H "Authorization: Bearer $(cat ./token)"  https://kubernetes/api/v1/namespaces/kube-system
    {
      "kind": "Namespace",
      "apiVersion": "v1",
      "metadata": {
        "name": "kube-system",
        "uid": "6a42a1bb-6375-4658-9948-7f395e509197",
        "resourceVersion": "26",
        "creationTimestamp": "2024-05-13T00:41:10Z",
        "labels": {
          "kubernetes.io/metadata.name": "kube-system"
        },
        "managedFields": [
          {
            "manager": "kube-apiserver",
            "operation": "Update",
            "apiVersion": "v1",
            "time": "2024-05-13T00:41:10Z",
            "fieldsType": "FieldsV1",
            "fieldsV1": {
              "f:metadata": {
                "f:labels": {
                  ".": {},
                  "f:kubernetes.io/metadata.name": {}
                }
              }
            }
          }
        ]
      },
      "spec": {
        "finalizers": [
          "kubernetes"
        ]
      },
      "status": {
        "phase": "Active"
      }
    }/var/run/secrets/kubernetes.io/serviceaccount #
    
相关推荐
coco_1998_210 分钟前
nvidia docker, nvidia docker2, nvidia container toolkits区别
docker·容器
vvw&1 小时前
Docker Build 命令详解:在 Ubuntu 上构建 Docker 镜像教程
linux·运维·服务器·ubuntu·docker·容器·开源
是芽芽哩!2 小时前
【Kubernetes 指南】基础入门——Kubernetes 基本概念(二)
云原生·容器·kubernetes
X__cheng4 小时前
【C++】list模拟实现
c++·容器
怡雪~4 小时前
k8s使用ceph
ceph·容器·kubernetes
运维小文5 小时前
K8S中的服务质量QOS
云原生·容器·kubernetes
华为云开发者联盟5 小时前
Karmada v1.12 版本发布!单集群应用迁移可维护性增强
云原生·kubernetes·开源·容器编排·karmada
Hadoop_Liang5 小时前
Kubernetes Secret的创建与使用
云原生·容器·kubernetes
-指短琴长-5 小时前
Docker之技术架构【八大架构演进之路】
docker·容器·架构
元气满满的热码式5 小时前
K8S集群部署实战(超详细)
云原生·容器·kubernetes