Service account 是为了方便 Pod 里面的进程调用 Kubernetes API 或其他外部服务而设计的。它与 User account 不同

  • User account 是为人设计的,而 service account 则是为 Pod 中的进程调用 Kubernetes API 而设计;
  • User account 是跨 namespace 的,而 service account 则是仅局限它所在的 namespace;
  • 每个 namespace 都会自动创建一个 default service account
  • Token controller 检测 service account 的创建,并为它们创建 secret

  • 开启 ServiceAccount Admission Controller 后

    • 每个 Pod 在创建后都会自动设置 spec.serviceAccountName 为 default(除非指定了其他 ServiceAccout)
    • 验证 Pod 引用的 service account 已经存在,否则拒绝创建
    • 如果 Pod 没有指定 ImagePullSecrets,则把 service account 的 ImagePullSecrets 加到 Pod 中
    • 每个 container 启动后都会挂载该 service account 的 token 和 ca.crt/var/run/secrets/kubernetes.io/serviceaccount/
  1. $ kubectl exec nginx-3137573019-md1u2 ls /var/run/secrets/kubernetes.io/serviceaccount
  2. ca.crt
  3. namespace
  4. token

注:你可以使用 https://jwt.io/ 来查看 token 的详细信息(如 PAYLOAD、SIGNATURE 等)。

创建 Service Account

  1. $ kubectl create serviceaccount jenkins
  2. serviceaccount "jenkins" created
  3. $ kubectl get serviceaccounts jenkins -o yaml
  4. apiVersion: v1
  5. kind: ServiceAccount
  6. metadata:
  7.   creationTimestamp: 2017-05-27T14:32:25Z
  8.   name: jenkins
  9.   namespace: default
  10.   resourceVersion: "45559"
  11.   selfLink: /api/v1/namespaces/default/serviceaccounts/jenkins
  12.   uid: 4d66eb4c-42e9-11e7-9860-ee7d8982865f
  13. secrets:
  14. - name: jenkins-token-l9v7v

自动创建的 secret:

  1. kubectl get secret jenkins-token-l9v7v -o yaml
  2. apiVersion: v1
  3. data:
  4.   ca.crt: (APISERVER CA BASE64 ENCODED)
  5.   namespace: ZGVmYXVsdA==
  6.   token: (BEARER TOKEN BASE64 ENCODED)
  7. kind: Secret
  8. metadata:
  9.   annotations:
  10.     kubernetes.io/service-account.name: jenkins
  11.     kubernetes.io/service-account.uid: 4d66eb4c-42e9-11e7-9860-ee7d8982865f
  12.   creationTimestamp: 2017-05-27T14:32:25Z
  13.   name: jenkins-token-l9v7v
  14.   namespace: default
  15.   resourceVersion: "45558"
  16.   selfLink: /api/v1/namespaces/default/secrets/jenkins-token-l9v7v
  17.   uid: 4d697992-42e9-11e7-9860-ee7d8982865f
  18. type: kubernetes.io/service-account-token

添加 ImagePullSecrets

  1. apiVersion: v1
  2. kind: ServiceAccount
  3. metadata:
  4.   creationTimestamp: 2015-08-07T22:02:39Z
  5.   name: default
  6.   namespace: default
  7.   selfLink: /api/v1/namespaces/default/serviceaccounts/default
  8.   uid: 052fb0f4-3d50-11e5-b066-42010af0d7b6
  9. secrets:
  10. - name: default-token-uudge
  11. imagePullSecrets:
  12. - name: myregistrykey

授权

Service Account 为服务提供了一种方便的认证机制,但它不关心授权的问题。可以配合 RBAC 来为 Service Account 鉴权:

  • 配置 --authorization-mode=RBAC--runtime-config=rbac.authorization.k8s.io/v1alpha1
  • 配置 --authorization-rbac-super-user=admin
  • 定义 Role、ClusterRole、RoleBinding 或 ClusterRoleBinding

比如

  1. # This role allows to read pods in the namespace "default"
  2. kind: Role
  3. apiVersion: rbac.authorization.k8s.io/v1alpha1
  4. metadata:
  5.   namespace: default
  6.   name: pod-reader
  7. rules:
  8.   - apiGroups: [""] # The API group"" indicates the core API Group.
  9.     resources: ["pods"]
  10.     verbs: ["get", "watch", "list"]
  11.     nonResourceURLs: []
  12. ---
  13. # This role binding allows "default" to read pods in the namespace "default"
  14. kind: RoleBinding
  15. apiVersion: rbac.authorization.k8s.io/v1alpha1
  16. metadata:
  17.   name: read-pods
  18.   namespace: default
  19. subjects:
  20.   - kind: ServiceAccount # May be "User", "Group" or "ServiceAccount"
  21.     name: default
  22. roleRef:
  23.   kind: Role
  24.   name: pod-reader
  25.   apiGroup: rbac.authorization.k8s.io