ServiceAccount
K8S user types
- Human users
- Service users (ServiceAccount)
Every Pod is created with a default account (ServiceAccount)
# kubectl get sa
NAME SECRETS AGE
default 1 14d
# kubectl describe pod myapp-cm-1
Volumes:
default-token-j7vw2:
Type: Secret (a volume populated by a Secret)
SecretName: default-token-j7vw2
Optional: false
Each account has a corresponding token stored as a Secret; by default this is the token a Pod uses when it talks to the API server
# kubectl get secret
NAME TYPE DATA AGE
default-token-j7vw2 kubernetes.io/service-account-token 3 14d
If certain Pods need specific permissions, you have to create a separate account and assign the permissions to it
Create a ServiceAccount
# kubectl create sa admin
serviceaccount/admin created
Get the created account's details
# kubectl get sa
NAME SECRETS AGE
admin 1 4m
default 1 14d
# kubectl describe sa admin
Name: admin
Namespace: default
Labels: <none>
Annotations: <none>
Image pull secrets: <none>
Mountable secrets: admin-token-dhwn2
Tokens: admin-token-dhwn2
Events: <none>
Note the Image pull secrets field here: a ServiceAccount can be associated with an ImagePullSecret, so a Pod created with that account is automatically authenticated when it pulls its image
Configure a Pod to use the admin account
apiVersion: v1
kind: Pod
metadata:
  name: myapp
  namespace: default
spec:
  containers:
  - name: myapp-container
    image: ikubernetes/myapp:v1
    ports:
    - name: http
      protocol: TCP
      containerPort: 80
  serviceAccountName: admin
Create the Pod and view its details
# kubectl apply -f sa-myapp-demo.yaml
pod/myapp created
# kubectl describe pods myapp
...
Volumes:
admin-token-dhwn2:
Type: Secret (a volume populated by a Secret)
SecretName: admin-token-dhwn2
Optional: false
...
Create credentials for an Alibaba Cloud private registry
---
apiVersion: v1
kind: Secret
metadata:
  # Secret name; the ServiceAccount below references it
  name: aliyun-registry
  namespace: default
data:
  # Two things to note here:
  # the field name .dockerconfigjson is fixed,
  # and its value comes from: cat ~/.docker/config.json | base64
  # (make sure the newline characters are stripped from the output)
  .dockerconfigjson: xxxx
# The type is fixed as well
type: kubernetes.io/dockerconfigjson
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: aliyun
  namespace: default
imagePullSecrets:
# Reference the Secret created above
- name: aliyun-registry
---
apiVersion: v1
kind: Pod
metadata:
  name: myapp
  namespace: default
spec:
  containers:
  - name: myapp-container
    # A test image in a private registry; it can only be pulled when logged in
    image: registry.cn-qingdao.aliyuncs.com/toybox/nginx:1.12-alpine
    ports:
    - name: http
      protocol: TCP
      containerPort: 80
  # Reference the account created above
  serviceAccountName: aliyun
In short, this manifest does three things
- Create the Secret
- Create a ServiceAccount that references the Secret
- Create a Pod that references the ServiceAccount
Apply the manifest to create the resources
Log in to the Alibaba Cloud registry to generate the auth config file
# docker login [email protected] registry.cn-qingdao.aliyuncs.com
Generate the base64 encoding
# cat ~/.docker/config.json | base64
Apply the manifest to create the resources
# kubectl apply -f sa-myapp-demo.yaml
pod/myapp created
Check the related resources
Check the Secret
# kubectl get secret aliyun-registry
NAME TYPE DATA AGE
aliyun-registry kubernetes.io/dockerconfigjson 1 11m
Check the account
# kubectl describe sa aliyun
Name: aliyun
Namespace: default
Labels: <none>
Annotations: kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"v1","imagePullSecrets":[{"name":"aliyun-registry"}],"kind":"ServiceAccount","metadata":{"annotations":{},"name":"aliyun","namespace":"de...
Image pull secrets: aliyun-registry
Mountable secrets: aliyun-token-pftpw
Tokens: aliyun-token-pftpw
Events: <none>
Check the Pod
# kubectl get pods -o wide
NAME READY STATUS RESTARTS AGE IP NODE
myapp 1/1 Running 0 12m 10.244.2.158 node003
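The base64 step is where this setup most often goes wrong: GNU base64 wraps its output at 76 columns, and a wrapped value pasted into .dockerconfigjson does not decode on the node. As an added example (not from the original post), this shell script encodes a docker config.json with the newlines stripped, renders the Secret manifest from above, and checks that a .dockerconfigjson value decodes to a usable config; the sample config and its credentials are constructed placeholders.

```shell
#!/bin/sh
# Constructed sample of ~/.docker/config.json after `docker login`.
# The "auth" field is a fake "user:pass" pair, base64-encoded as docker does it.
SAMPLE_DOCKER_CONFIG='{"auths":{"registry.cn-qingdao.aliyuncs.com":{"auth":"dXNlcjpwYXNz"}}}'

# Base64-encode a docker config.json (read from stdin) for the .dockerconfigjson
# field. `base64` on GNU systems wraps lines; the newlines would end up inside
# the Secret's data value and the kubelet could not decode it, so strip them.
encode_docker_config() {
  base64 | tr -d '\n'
}

# Decode a .dockerconfigjson value back to JSON (used when verifying a Secret).
decode_docker_config() {
  printf '%s' "$1" | base64 -d
}

# Render the Secret manifest from the page with the encoded value filled in.
# $1 = Secret name, $2 = namespace, $3 = encoded .dockerconfigjson value
render_registry_secret() {
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $1
  namespace: $2
data:
  .dockerconfigjson: $3
type: kubernetes.io/dockerconfigjson
EOF
}

# Check a .dockerconfigjson value: returns 0 if it decodes to JSON that carries
# an "auths" map (what the kubelet looks for), 1 otherwise.
check_dockerconfigjson() {
  decode_docker_config "$1" 2>/dev/null | grep -q '"auths"'
}

# Run `sh script.sh demo` to print the rendered manifest for the sample config.
if [ "${1:-}" = "demo" ]; then
  encoded=$(printf '%s' "$SAMPLE_DOCKER_CONFIG" | encode_docker_config)
  render_registry_secret aliyun-registry default "$encoded"
fi
```

On a live cluster the same check can be run against the Secret the page creates: `kubectl get secret aliyun-registry -o jsonpath='{.data.\.dockerconfigjson}'` gives the value to pass to check_dockerconfigjson.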