Background
User Account: a user. Users are managed by an external, independent service; an administrator distributes private keys, and users can authenticate with Keystone or Google accounts, or even a file listing usernames and passwords. There is no resource object inside the cluster that represents a user, so users cannot be managed through the cluster's own API.
Service Account: a service account. Service accounts are managed through the Kubernetes API, are bound to a namespace, and are intended for applications running inside the cluster that must authenticate against the API. Any permission operation performed from inside the cluster therefore goes through a ServiceAccount.
Solution
Viewing accounts
List the SAs in the current namespace
[root@cka-master ~]# kubectl get sa
NAME SECRETS AGE
default 1 17h
[root@cka-master ~]#
Creating an account
[root@cka-master ~]# kubectl create sa app1
serviceaccount/app1 created
[root@cka-master ~]# kubectl get sa
NAME SECRETS AGE
app1 1 6s
default 1 17h
[root@cka-master ~]# kubectl get secrets |grep app1
app1-token-s9brg kubernetes.io/service-account-token 3 45s
[root@cka-master ~]#
Every time an SA is created, Kubernetes automatically creates a secret for it, named in the format
<sa-name>-token-xxx
An SA can also be created declaratively from a manifest; this one creates sa1 in namespace ns1:
apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: ns1
  name: sa1
Creating a Deployment
[root@cka-master ~]# kubectl create deployment web1 --image=nginx
deployment.apps/web1 created
[root@cka-master ~]# kubectl get deployments -o wide
NAME READY UP-TO-DATE AVAILABLE AGE CONTAINERS IMAGES SELECTOR
web1 1/1 1 1 2m22s nginx nginx app=web1
[root@cka-master ~]# kubectl get pods -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
web1-6fbb48567f-5rprr 1/1 Running 0 2m55s 10.244.115.66 cka-node1 <none> <none>
[root@cka-master ~]#
Setting the service account
Set web1 to run under the app1 service account identity. This is a rollout: the existing pod is deleted and a new pod is created.
[root@cka-master ~]# kubectl set sa deploy web1 app1
deployment.apps/web1 serviceaccount updated
[root@cka-master ~]# kubectl get deployments -o wide
NAME READY UP-TO-DATE AVAILABLE AGE CONTAINERS IMAGES SELECTOR
web1 1/1 1 1 3m54s nginx nginx app=web1
[root@cka-master ~]# kubectl get pods -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
web1-56d78fb98c-xzxqm 0/1 ContainerCreating 0 14s <none> cka-node2 <none> <none>
web1-6fbb48567f-5rprr 1/1 Running 0 4m 10.244.115.66 cka-node1 <none> <none>
[root@cka-master ~]# kubectl get pods -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
web1-56d78fb98c-xzxqm 0/1 ContainerCreating 0 27s <none> cka-node2 <none> <none>
web1-6fbb48567f-5rprr 1/1 Running 0 4m13s 10.244.115.66 cka-node1 <none> <none>
[root@cka-master ~]# kubectl get pods -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
web1-56d78fb98c-xzxqm 1/1 Running 0 45s 10.244.148.130 cka-node2 <none> <none>
[root@cka-master ~]#
Viewing the service account
[root@cka-master ~]# kubectl describe deployments.apps web1|grep -i account
Service Account: app1
[root@cka-master ~]#
Role authorization (namespace scope)
Syntax: kubectl create rolebinding NAME --role=ROLE_NAME --serviceaccount=NAMESPACE:SERVICE_ACCOUNT_NAME
[root@cka-master ~]# kubectl create rolebinding sa-role-binding --role=cluster-admin --serviceaccount=ns1:app1
rolebinding.rbac.authorization.k8s.io/sa-role-binding created
Cluster authorization (cluster scope)
Syntax: kubectl create clusterrolebinding NAME --clusterrole=CLUSTER_ROLE_NAME --serviceaccount=NAMESPACE:SERVICE_ACCOUNT_NAME
[root@cka-master ~]# kubectl create clusterrolebinding sa-cluster-role-binding --clusterrole=cluster-admin --serviceaccount=ns1:app1
clusterrolebinding.rbac.authorization.k8s.io/sa-cluster-role-binding created
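As an added check that is not part of the original notes: after creating bindings like the two above, an operator usually wants to audit which ServiceAccounts hold cluster-admin and at what scope. The Python below walks a constructed input in the shape of `kubectl get rolebindings,clusterrolebindings -A -o json` (an assumption about the field layout, following the rbac.authorization.k8s.io/v1 schema) and reports ServiceAccount subjects bound to watched roles, distinguishing a ClusterRoleBinding from a RoleBinding, and a RoleBinding whose `--role` points at a namespaced Role named cluster-admin from one that points at the built-in ClusterRole.

```python
import json

# Constructed sample mirroring `kubectl get rolebindings,clusterrolebindings -A -o json`.
# The two bindings for ns1:app1 correspond to the commands in the notes above.
SAMPLE = json.dumps({
    "items": [
        {"kind": "ClusterRoleBinding",
         "metadata": {"name": "sa-cluster-role-binding"},
         "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
         "subjects": [{"kind": "ServiceAccount", "name": "app1", "namespace": "ns1"}]},
        {"kind": "RoleBinding",
         "metadata": {"name": "sa-role-binding", "namespace": "ns1"},
         "roleRef": {"kind": "Role", "name": "cluster-admin"},
         "subjects": [{"kind": "ServiceAccount", "name": "app1", "namespace": "ns1"}]},
        {"kind": "RoleBinding",
         "metadata": {"name": "reader", "namespace": "default"},
         "roleRef": {"kind": "ClusterRole", "name": "view"},
         "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "default"}]},
    ]
})


def find_sa_bindings(binding_json, watch_roles=("cluster-admin", "admin", "edit")):
    """Return (subject, binding name, scope, role name) for ServiceAccount subjects
    bound to any role in watch_roles, in the order the bindings appear."""
    findings = []
    for b in json.loads(binding_json)["items"]:
        ref = b["roleRef"]
        if ref["name"] not in watch_roles:
            continue
        if b["kind"] == "ClusterRoleBinding":
            scope = "cluster-wide"
        elif ref["kind"] == "ClusterRole":
            scope = "namespace " + b["metadata"]["namespace"]
        else:
            # `--role=...` makes roleRef.kind Role: a namespaced Role of that name,
            # not the built-in ClusterRole, so its real power is whatever that Role grants.
            scope = "namespace " + b["metadata"]["namespace"] + " (namespaced Role, not the ClusterRole)"
        for s in b.get("subjects") or []:
            if s.get("kind") == "ServiceAccount":
                subject = f"system:serviceaccount:{s.get('namespace')}:{s['name']}"
                findings.append((subject, b["metadata"]["name"], scope, ref["name"]))
    return findings


if __name__ == "__main__":
    for subject, binding, scope, role in find_sa_bindings(SAMPLE):
        print(f"{subject} <- {role} via {binding} ({scope})")
```

On a live cluster, pipe the real `kubectl get ... -o json` output into `find_sa_bindings` instead of SAMPLE.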