通过Service Account账号授权实现特定资源的权限分配
1.创建一个sa账号
[root@k8s-master1 sa]
apiVersion: v1
kind: ServiceAccount
metadata:
  name: nginx-sa
  namespace: rbac
  labels:
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile
2.编写rbac资源授权yaml文件（Role 只授予 get/watch/list 只读权限，且 Role 与 RoleBinding 都只在 rbac 命名空间内生效）
[root@k8s-master1 sa]
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: rbac
  name: pod-reader
rules:
- apiGroups: ["","apps"]
  resources: ["pods","deployments","services"]
  verbs: ["get", "watch", "list"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-pods
  namespace: rbac
subjects:
- kind: ServiceAccount
  name: nginx-sa
  namespace: rbac
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
3.编写nginx pod资源并使用sa账号（Pod 必须与 ServiceAccount 位于同一命名空间 rbac，serviceAccountName 只会在 Pod 自身的命名空间内查找 sa）
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: web
  namespace: rbac
spec:
  serviceName: "web"
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      serviceAccountName: nginx-sa
      containers:
      - name: nginx
        image: nginx:1.17
        ports:
        - name: web
          containerPort: 80
4.创建所有资源并查看
1.创建所有资源
[root@k8s-master1 sa]# kubectl apply -f ./
role.rbac.authorization.k8s.io/pod-reader created
rolebinding.rbac.authorization.k8s.io/read-pods created
serviceaccount/nginx-sa created
statefulset.apps/web created
2.查看sa账号
#sa账号会自动生成一个token(保存在对应的 service-account-token 类型的 secret 中),其中保存着集群根证书ca以及该sa的token,用于连接到k8s集群;能读取该secret的人或工作负载即可获得上面Role授予的权限,因此该secret也需要按最小权限进行保护
[root@k8s-master1 sa]# kubectl get sa -n rbac
NAME SECRETS AGE
default 1 4m48s
nginx-sa 1 103s
[root@k8s-master1 sa]# kubectl get secret -n rbac
NAME TYPE DATA AGE
default-token-4fkpj kubernetes.io/service-account-token 3 5m14s
nginx-sa-token-vcrmv kubernetes.io/service-account-token 3 2m9s
3.查看nginx资源中是否关联sa
[root@k8s-master1 sa]# kubectl describe statefulset -n rbac
Name: web
···········
Pod Template:
Labels: app=nginx
Service Account: nginx-sa
···········