Background

User Account: users are managed by an external, independent service. The administrator hands out private keys, and users can authenticate with Keystone or a Google account, or even with a file listing usernames and passwords. There is no resource object inside the cluster that corresponds to a user, so users cannot be managed through the cluster's own API.
Service Account: service accounts are managed through the Kubernetes API and are tied to namespaces. They are intended for applications running inside the cluster that need to authenticate against the API, so any permission-related operation performed from inside the cluster uses a ServiceAccount.

Solution

Viewing accounts

List the SAs in the current namespace:

[root@cka-master ~]# kubectl get sa
NAME      SECRETS   AGE
default   1         17h
[root@cka-master ~]#

Creating an account

[root@cka-master ~]# kubectl create sa app1
serviceaccount/app1 created
[root@cka-master ~]# kubectl get sa
NAME      SECRETS   AGE
app1      1         6s
default   1         17h
[root@cka-master ~]# kubectl get secrets |grep app1
app1-token-s9brg   kubernetes.io/service-account-token   3      45s
[root@cka-master ~]#

Each time an SA is created, Kubernetes automatically creates a Secret for it, named <sa-name>-token-xxx (this is the behaviour of the cluster shown here; from Kubernetes 1.24 onward the token Secret is no longer created automatically and pods receive short-lived projected tokens instead).

The same object can also be declared as a manifest:

apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: ns1
  name: sa1

Creating a Deployment

[root@cka-master ~]# kubectl create deployment web1 --image=nginx
deployment.apps/web1 created
[root@cka-master ~]# kubectl get deployments -o wide
NAME   READY   UP-TO-DATE   AVAILABLE   AGE     CONTAINERS   IMAGES   SELECTOR
web1   1/1     1            1           2m22s   nginx        nginx    app=web1
[root@cka-master ~]# kubectl get pods -o wide
NAME                    READY   STATUS    RESTARTS   AGE     IP              NODE        NOMINATED NODE   READINESS GATES
web1-6fbb48567f-5rprr   1/1     Running   0          2m55s   10.244.115.66   cka-node1   <none>           <none>
[root@cka-master ~]#

Setting the service account
Make web1 run under the identity of the app1 service account. This deletes the existing pod and creates a new one.

[root@cka-master ~]# kubectl set sa deploy web1 app1
deployment.apps/web1 serviceaccount updated
[root@cka-master ~]# kubectl get deployments -o wide
NAME   READY   UP-TO-DATE   AVAILABLE   AGE     CONTAINERS   IMAGES   SELECTOR
web1   1/1     1            1           3m54s   nginx        nginx    app=web1
[root@cka-master ~]# kubectl get pods -o wide
NAME                    READY   STATUS              RESTARTS   AGE   IP              NODE        NOMINATED NODE   READINESS GATES
web1-56d78fb98c-xzxqm   0/1     ContainerCreating   0          14s   <none>          cka-node2   <none>           <none>
web1-6fbb48567f-5rprr   1/1     Running             0          4m    10.244.115.66   cka-node1   <none>           <none>
[root@cka-master ~]# kubectl get pods -o wide
NAME                    READY   STATUS              RESTARTS   AGE     IP              NODE        NOMINATED NODE   READINESS GATES
web1-56d78fb98c-xzxqm   0/1     ContainerCreating   0          27s     <none>          cka-node2   <none>           <none>
web1-6fbb48567f-5rprr   1/1     Running             0          4m13s   10.244.115.66   cka-node1   <none>           <none>
[root@cka-master ~]# kubectl get pods -o wide
NAME                    READY   STATUS    RESTARTS   AGE   IP               NODE        NOMINATED NODE   READINESS GATES
web1-56d78fb98c-xzxqm   1/1     Running   0          45s   10.244.148.130   cka-node2   <none>           <none>
[root@cka-master ~]#

Checking the service account

[root@cka-master ~]# kubectl describe deployments.apps web1|grep -i account
  Service Account:  app1
[root@cka-master ~]#

Granting a role (namespace scope)

Syntax: kubectl create rolebinding <name> --role=<role-name> --serviceaccount=<namespace>:<service-account-name>

Note that --role refers to a Role in the binding's own namespace; to bind a ClusterRole such as cluster-admin through a RoleBinding, use --clusterrole=<name> instead. Binding cluster-admin to an application's service account gives that application full control of the cluster, so a Role limited to the verbs and resources the application actually needs is the least-privilege choice.

[root@cka-master ~]# kubectl create rolebinding sa-role-binding --role=cluster-admin --serviceaccount=ns1:app1
rolebinding.rbac.authorization.k8s.io/sa-role-binding created

Granting a cluster role (cluster scope)

Syntax: kubectl create clusterrolebinding <name> --clusterrole=<role-name> --serviceaccount=<namespace>:<service-account-name>

[root@cka-master ~]# kubectl create clusterrolebinding sa-cluster-role-binding --clusterrole=cluster-admin --serviceaccount=ns1:app1
clusterrolebinding.rbac.authorization.k8s.io/sa-cluster-role-binding created
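The difference between the two bindings, and why a RoleBinding created with --role=cluster-admin resolves to nothing, can be traced with a small model of the RBAC resolution rules. This is an added example, not part of the original page: the manifests are constructed dicts, the RoleBinding is assumed to have been created in ns1, and pod-reader is a hypothetical least-privilege Role.

```python
# Added example: minimal model of how Kubernetes RBAC resolves bindings for a ServiceAccount.
def rule_allows(rule, verb, resource):
    """A PolicyRule matches when both the verb and the resource are listed or '*'."""
    return (verb in rule["verbs"] or "*" in rule["verbs"]) and \
           (resource in rule["resources"] or "*" in rule["resources"])

def binding_has_subject(binding, sa_ns, sa_name):
    """True if the binding lists ServiceAccount <sa_ns>:<sa_name> as a subject."""
    return any(s["kind"] == "ServiceAccount" and s["name"] == sa_name
               and s.get("namespace") == sa_ns for s in binding["subjects"])

def allowed(objects, sa, verb, resource, namespace):
    """Can ServiceAccount 'ns:name' perform <verb> on <resource> in <namespace>?"""
    sa_ns, sa_name = sa.split(":")
    # Roles are keyed by their namespace; ClusterRoles are cluster-wide (namespace None).
    roles = {(o["kind"], o["metadata"].get("namespace"), o["metadata"]["name"]): o["rules"]
             for o in objects if o["kind"] in ("Role", "ClusterRole")}
    for b in objects:
        if b["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        if not binding_has_subject(b, sa_ns, sa_name):
            continue
        # A RoleBinding only grants inside its own namespace; a ClusterRoleBinding everywhere.
        if b["kind"] == "RoleBinding" and b["metadata"]["namespace"] != namespace:
            continue
        ref = b["roleRef"]
        # roleRef kind=Role is looked up in the binding's namespace; ClusterRole is global.
        ref_ns = b["metadata"]["namespace"] if ref["kind"] == "Role" else None
        rules = roles.get((ref["kind"], ref_ns, ref["name"]), [])  # dangling ref -> no rules
        if any(rule_allows(r, verb, resource) for r in rules):
            return True
    return False

# Constructed manifests mirroring the commands on this page.
SA = "ns1:app1"
SUBJECT = [{"kind": "ServiceAccount", "namespace": "ns1", "name": "app1"}]
CLUSTER_ADMIN = {"kind": "ClusterRole", "metadata": {"name": "cluster-admin"},
                 "rules": [{"verbs": ["*"], "resources": ["*"]}]}
# Hypothetical least-privilege Role scoped to ns1.
POD_READER = {"kind": "Role", "metadata": {"namespace": "ns1", "name": "pod-reader"},
              "rules": [{"verbs": ["get", "list"], "resources": ["pods"]}]}
# 'kubectl create rolebinding ... --role=cluster-admin' run in ns1: roleRef.kind is Role,
# so it points at a Role named cluster-admin in ns1, which does not exist.
RB_DANGLING = {"kind": "RoleBinding", "metadata": {"namespace": "ns1", "name": "sa-role-binding"},
               "roleRef": {"kind": "Role", "name": "cluster-admin"}, "subjects": SUBJECT}
RB_READER = {"kind": "RoleBinding", "metadata": {"namespace": "ns1", "name": "sa-pod-reader"},
             "roleRef": {"kind": "Role", "name": "pod-reader"}, "subjects": SUBJECT}
# The clusterrolebinding command: full cluster-admin in every namespace.
CRB_ADMIN = {"kind": "ClusterRoleBinding", "metadata": {"name": "sa-cluster-role-binding"},
             "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"}, "subjects": SUBJECT}
```

On a live cluster the same question is answered by `kubectl auth can-i list pods -n ns1 --as=system:serviceaccount:ns1:app1`.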