ServiceAccount API Access Experiment

Concept

A ServiceAccount (SA) is the identity that processes inside a Pod use to authenticate to the cluster's API server.
ServiceAccounts exist for application processes running in Pods: in Kubernetes those processes run in containers, and containers are part of a Pod.

Configure the ServiceAccount

# The "rbac" namespace must already exist (kubectl create namespace rbac).
# Do not set resourceVersion in a manifest you create with kubectl: the API server
# rejects objects to be created that carry a resourceVersion.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: sa-test
  namespace: rbac

Configure a Role that grants the operation permissions

[root@k8smaster4 sa]# cat rbac-demo01.yaml 
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: role-demo
  namespace: rbac
  labels:
    environment: test
    app: nginx-demo
rules:
- apiGroups: [""]                 # "" is the core API group (pods live there)
  resources: ["pods","pods/log"]  # read access to pods and the pods/log subresource only
  verbs: ["get","watch","list"]   # no create/update/delete, and nothing outside this namespace

Bind the SA to the Role with a RoleBinding

[root@k8smaster4 sa]# cat role-sa.yml 
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: sa-test-1
  namespace: rbac
subjects:
- name: sa-test
  kind: ServiceAccount
  namespace: rbac            # ServiceAccount subjects are namespaced; name the SA's namespace explicitly
roleRef:
  name: role-demo
  kind: Role
  apiGroup: rbac.authorization.k8s.io

Attach the SA to a Pod so the Pod is authorized to access Pod resources

apiVersion: v1
kind: Pod
metadata:
  name: sa-test-demo
  namespace: rbac
  labels:
    environment: test
    app: mynginx
spec:
  serviceAccountName: sa-test   # the SA token is mounted at /var/run/secrets/kubernetes.io/serviceaccount
  containers:
  - name: my-nginx
    image: nginx
    imagePullPolicy: IfNotPresent
    ports:
    - containerPort: 80
      name: my-nginx

Exec into the Pod's container and test the access rights

Operations outside the granted scope are rejected with "forbidden" and HTTP 403.
Operations inside the granted scope return the query results.
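The check below is an added example, not a script from the original post. It is meant to be run inside the sa-test-demo Pod (for example via kubectl exec) and calls the API server with the mounted ServiceAccount token, comparing the HTTP status of each request with what the role-demo Role should allow. It assumes the default token mount path, the in-cluster KUBERNETES_SERVICE_HOST/PORT environment variables, and that curl is present in the container (the official nginx image ships it); the request paths and expected outcomes are chosen to match the Role above.

```shell
#!/bin/sh
# Added example: verify the RBAC scope of the sa-test ServiceAccount from inside the Pod.
# Assumption: default projected token mount and in-cluster API server environment variables.
SA_DIR=/var/run/secrets/kubernetes.io/serviceaccount
APISERVER="https://${KUBERNETES_SERVICE_HOST:-kubernetes.default.svc}:${KUBERNETES_SERVICE_PORT:-443}"

# Map an API server HTTP status to the outcome the experiment distinguishes.
outcome_for_status() {
  case "$1" in
    200) echo allowed ;;
    401) echo unauthenticated ;;   # bad or missing token
    403) echo forbidden ;;         # authenticated, but the Role does not grant this
    *)   echo "unexpected($1)" ;;
  esac
}

# One GET against the API server with the mounted token; prints only the HTTP status code.
api_status() {
  curl -sS -o /dev/null -w '%{http_code}' \
    --cacert "$SA_DIR/ca.crt" \
    -H "Authorization: Bearer $(cat "$SA_DIR/token")" \
    "$APISERVER$1"
}

# Run one case (path, expected outcome); returns non-zero when the result differs.
check() {
  path=$1
  expected=$2
  status=$(api_status "$path")
  got=$(outcome_for_status "$status")
  printf '%-50s HTTP %s -> %s (expected %s)\n' "$path" "$status" "$got" "$expected"
  [ "$got" = "$expected" ]
}

if [ -r "$SA_DIR/token" ]; then
  ns=$(cat "$SA_DIR/namespace")   # "rbac" for the Pod in this post
  check "/api/v1/namespaces/$ns/pods"                  allowed    # list pods: granted by role-demo
  check "/api/v1/namespaces/$ns/pods/sa-test-demo/log" allowed    # get pods/log: granted by role-demo
  check "/api/v1/namespaces/$ns/secrets"               forbidden  # secrets: not in the Role
  check "/api/v1/namespaces/default/pods"              forbidden  # Role is scoped to the rbac namespace
  check "/api/v1/nodes"                                forbidden  # cluster-scoped resource, no ClusterRole
else
  echo "no ServiceAccount token at $SA_DIR; run this inside the Pod" >&2
fi
```

The same expectations can be checked from outside the Pod without any exec, by impersonating the SA: kubectl auth can-i list pods -n rbac --as=system:serviceaccount:rbac:sa-test (should answer yes) versus kubectl auth can-i list secrets -n rbac --as=system:serviceaccount:rbac:sa-test (should answer no).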
