weight: 44
title: ServiceAccount
date: "2022-05-21T00:00:00+08:00"
type: book
summary: "A ServiceAccount provides an identity for the processes that run in a Pod."
Note
When you (a human user) access the cluster (for example with the kubectl command), the API server authenticates you as a particular user account (currently usually admin, unless your system administrator has customized the cluster configuration). Processes inside the containers of a Pod can also contact the API server; when they do, they are authenticated as a particular ServiceAccount (for example default).
Accessing the API server with the default ServiceAccount
When you create a Pod without specifying a ServiceAccount, it is automatically assigned the default ServiceAccount of the same namespace. If you fetch the raw JSON or YAML of the newly created Pod (for example with the kubectl get pods/podname -o yaml command), you will see that the spec.serviceAccountName field has already been set to default.
Inside the Pod you can use the automatically mounted ServiceAccount credentials to access the API; what that identity is allowed to do is decided by the authorization plugin and policy in use, the token itself only proves identity.
You can opt out of automatically mounting API credentials for a ServiceAccount by setting automountServiceAccountToken: false on the ServiceAccount. Do this for every workload that never needs to talk to the API server: a token that is mounted but unused is still a credential, and anyone who gains code execution in the container can read it from /var/run/secrets/kubernetes.io/serviceaccount/token.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: build-robot
automountServiceAccountToken: false
You can also opt out of automounting the API credentials for a single Pod only:
apiVersion: v1
kind: Pod
metadata:
  name: my-pod
spec:
  serviceAccountName: build-robot
  automountServiceAccountToken: false
  ...
If automountServiceAccountToken is set on both the Pod and the ServiceAccount, the Pod's setting takes precedence.
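The precedence rule above, as an added worked example (not code from the Kubernetes documentation or project): a small Python audit that resolves the effective automount setting for a set of Pods and ServiceAccounts. The manifests are constructed inline in the shape kubectl get -o json returns, and the function names are mine.

```python
"""Resolve whether a Pod gets a ServiceAccount token mounted.

Added example (not from the original page). Pod and ServiceAccount manifests
are plain dicts as returned by `kubectl get ... -o json`; the sample
manifests at the bottom are constructed for illustration.
"""
from typing import Dict, List, Optional


def effective_automount(pod: dict, sa: Optional[dict]) -> bool:
    """Return True if the kubelet will mount an API token into the Pod.

    Precedence (the rule stated on this page):
      1. pod.spec.automountServiceAccountToken, if set, wins;
      2. otherwise the ServiceAccount's automountServiceAccountToken, if set;
      3. otherwise the default is to mount the token.
    """
    pod_setting = pod.get("spec", {}).get("automountServiceAccountToken")
    if pod_setting is not None:
        return bool(pod_setting)
    if sa is not None and sa.get("automountServiceAccountToken") is not None:
        return bool(sa["automountServiceAccountToken"])
    return True


def pod_service_account(pod: dict) -> str:
    """Name of the ServiceAccount a Pod runs as ('default' when unset)."""
    return pod.get("spec", {}).get("serviceAccountName") or "default"


def pods_receiving_tokens(pods: List[dict], service_accounts: Dict[str, dict]) -> List[str]:
    """Audit helper: names of the Pods that will have a token mounted.

    `service_accounts` maps SA name -> manifest. Review the result and set
    automountServiceAccountToken: false wherever the workload never calls the
    API server; an unused token in the container filesystem is a credential
    waiting to be stolen through any code-execution bug.
    """
    result = []
    for pod in pods:
        sa = service_accounts.get(pod_service_account(pod))
        if effective_automount(pod, sa):
            result.append(pod["metadata"]["name"])
    return result


# Constructed sample manifests (not taken from a real cluster).
SERVICE_ACCOUNTS = {
    "default": {"apiVersion": "v1", "kind": "ServiceAccount",
                "metadata": {"name": "default"}},
    "build-robot": {"apiVersion": "v1", "kind": "ServiceAccount",
                    "metadata": {"name": "build-robot"},
                    "automountServiceAccountToken": False},
}

PODS = [
    # No SA named, nothing set -> runs as default, token mounted.
    {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
     "spec": {"containers": [{"name": "web", "image": "nginx"}]}},
    # SA says false, Pod says nothing -> SA setting applies, no token.
    {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "builder"},
     "spec": {"serviceAccountName": "build-robot",
              "containers": [{"name": "b", "image": "busybox"}]}},
    # SA says false, Pod explicitly says true -> Pod wins, token mounted.
    {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "builder-api"},
     "spec": {"serviceAccountName": "build-robot",
              "automountServiceAccountToken": True,
              "containers": [{"name": "b", "image": "busybox"}]}},
    # SA leaves it unset, Pod says false -> no token.
    {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "batch"},
     "spec": {"automountServiceAccountToken": False,
              "containers": [{"name": "b", "image": "busybox"}]}},
]

if __name__ == "__main__":
    print(pods_receiving_tokens(PODS, SERVICE_ACCOUNTS))  # ['web', 'builder-api']
```

The builder-api case is the one worth remembering: a ServiceAccount-level false is only a default, and any Pod author allowed to set spec.automountServiceAccountToken can turn the token back on.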
Using multiple ServiceAccounts
Every namespace has a default ServiceAccount resource named default. You can list all ServiceAccount resources in a namespace with the following command:
$ kubectl get serviceaccounts
NAME      SECRETS    AGE
default   1          1d
You can create a ServiceAccount object like this:
$ cat > /tmp/serviceaccount.yaml <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: build-robot
EOF
$ kubectl create -f /tmp/serviceaccount.yaml
serviceaccount "build-robot" created
If you look at the complete output for the ServiceAccount object:
$ kubectl get serviceaccounts/build-robot -o yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  creationTimestamp: 2015-06-16T00:12:59Z
  name: build-robot
  namespace: default
  resourceVersion: "272500"
  selfLink: /api/v1/namespaces/default/serviceaccounts/build-robot
  uid: 721ab723-13bc-11e5-aec2-42010af0021e
secrets:
- name: build-robot-token-bvbk5
you will see that a token has been created automatically and is referenced by the ServiceAccount. The automatically created token Secret shown in this output is legacy behaviour: from Kubernetes 1.24 onward no Secret is created for a new ServiceAccount and secrets: stays empty; Pods instead receive short-lived, audience-bound tokens through a projected volume, and kubectl create token build-robot issues one on demand.
You can use an authorization plugin to set the permissions of a ServiceAccount.
To use a non-default ServiceAccount, set the spec.serviceAccountName field of the Pod to the name of the ServiceAccount you want to use.
The ServiceAccount must already exist when the Pod is created, otherwise the Pod is rejected.
You cannot change the ServiceAccount of a Pod after it has been created.
You can clean up the ServiceAccount like this:
$ kubectl delete serviceaccount/build-robot
Manually creating an API token for a ServiceAccount
Suppose we already have a ServiceAccount named "build-robot" as described above. We can manually create a new Secret for it:
$ cat > /tmp/build-robot-secret.yaml <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: build-robot-secret
  annotations:
    kubernetes.io/service-account.name: build-robot
type: kubernetes.io/service-account-token
EOF
$ kubectl create -f /tmp/build-robot-secret.yaml
secret "build-robot-secret" created
Now you can confirm that the newly created Secret holds an API token for the "build-robot" ServiceAccount. Tokens belonging to ServiceAccounts that no longer exist are removed by the token controller.
Be aware that a token stored in a kubernetes.io/service-account-token Secret has no expiry: it stays valid until the Secret or the ServiceAccount is deleted, and anyone who can read Secrets in the namespace can use it. Prefer a time-bound token from the TokenRequest API (kubectl create token build-robot) unless a long-lived credential is strictly required.
$ kubectl describe secrets/build-robot-secret
Name:   build-robot-secret
Namespace:  default
Labels:   <none>
Annotations:  kubernetes.io/service-account.name=build-robot,kubernetes.io/service-account.uid=870ef2a5-35cf-11e5-8d06-005056b45392
Type: kubernetes.io/service-account-token
Data
====
ca.crt: 1220 bytes
token: ...
namespace: 7 bytes
Note
The content of token is omitted from the output.
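To see what such a token actually contains, here is an added example (not from the original page or the Kubernetes project) that decodes the JWT payload of a ServiceAccount token and reports which ServiceAccount it identifies and whether it can expire. The two tokens are constructed inline with a fake signature; the claim names match those the API server issues, the helper names are mine.

```python
"""Inspect a Kubernetes ServiceAccount token without verifying it.

Added example (not from the original page). It decodes the JWT payload only;
there is no signature check, so use it to understand a token, never to
trust one. The tokens at the bottom are constructed with a fake signature.
"""
import base64
import json
import time
from typing import Optional


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop '=' padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_sa_token(token: str) -> dict:
    """Return the JWT payload claims (inspection only, no signature check)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWS compact serialization")
    return json.loads(_b64url_decode(parts[1]))


def describe_sa_token(token: str, now: Optional[int] = None) -> dict:
    """Summarise the security-relevant facts about a service-account token.

    - 'sub' is system:serviceaccount:<namespace>:<name>.
    - Tokens stored in kubernetes.io/service-account-token Secrets (as
      created on this page) carry no 'exp' claim and never expire: 'legacy'.
    - Tokens from the TokenRequest API (projected volumes,
      `kubectl create token`) carry 'exp' and usually 'aud': 'bound'.
    """
    claims = decode_sa_token(token)
    now = int(time.time()) if now is None else now
    sub = claims.get("sub", "")
    prefix = "system:serviceaccount:"
    namespace = name = None
    if sub.startswith(prefix):
        namespace, _, name = sub[len(prefix):].partition(":")
    exp = claims.get("exp")
    return {
        "subject": sub,
        "namespace": namespace,
        "name": name,
        "kind": "bound" if exp is not None else "legacy",
        "expired": exp is not None and exp <= now,
        "audiences": claims.get("aud"),
    }


def _fake_token(claims: dict) -> str:
    """Build a JWT-shaped string with a bogus signature for the samples below."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "kid": "fake"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.{_b64url_encode(b'fake-signature')}"


# Constructed sample tokens (not real credentials).
LEGACY_TOKEN = _fake_token({
    "iss": "kubernetes/serviceaccount",
    "kubernetes.io/serviceaccount/namespace": "default",
    "kubernetes.io/serviceaccount/secret.name": "build-robot-secret",
    "kubernetes.io/serviceaccount/service-account.name": "build-robot",
    "sub": "system:serviceaccount:default:build-robot",
})

BOUND_TOKEN = _fake_token({
    "aud": ["https://kubernetes.default.svc"],
    "exp": 1_700_003_600,
    "iat": 1_700_000_000,
    "iss": "https://kubernetes.default.svc",
    "sub": "system:serviceaccount:default:build-robot",
})

if __name__ == "__main__":
    for tok in (LEGACY_TOKEN, BOUND_TOKEN):
        print(describe_sa_token(tok, now=1_700_000_100))
```

Run it against the token mounted in a container (cat /var/run/secrets/kubernetes.io/serviceaccount/token) or against the token field of a Secret like build-robot-secret: a result of kind legacy means the credential never expires and should be rotated or replaced by a bound token.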
Adding ImagePullSecrets to a ServiceAccount
First, create an imagePullSecret (a Secret of type kubernetes.io/dockerconfigjson holding the registry credentials).
Then confirm it has been created, e.g.:
$ kubectl get secrets myregistrykey
NAME             TYPE                              DATA    AGE
myregistrykey    kubernetes.io/dockerconfigjson    1       1d
Next, modify the default ServiceAccount of the namespace so that it uses this Secret as an imagePullSecret. The quickest way is a single kubectl patch:
$ kubectl patch serviceaccount default -p '{"imagePullSecrets": [{"name": "myregistrykey"}]}'
Alternatively, edit the manifest by hand: export it, edit it in an editor, and replace it.
$ kubectl get serviceaccounts default -o yaml > ./sa.yaml
$ cat sa.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  creationTimestamp: 2015-08-07T22:02:39Z
  name: default
  namespace: default
  resourceVersion: "243024"
  selfLink: /api/v1/namespaces/default/serviceaccounts/default
  uid: 052fb0f4-3d50-11e5-b066-42010af0d7b6
secrets:
- name: default-token-uudge
$ vi sa.yaml
[editor session not shown]
[delete line with key "resourceVersion"]
[add lines with "imagePullSecrets:"]
$ cat sa.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  creationTimestamp: 2015-08-07T22:02:39Z
  name: default
  namespace: default
  selfLink: /api/v1/namespaces/default/serviceaccounts/default
  uid: 052fb0f4-3d50-11e5-b066-42010af0d7b6
secrets:
- name: default-token-uudge
imagePullSecrets:
- name: myregistrykey
$ kubectl replace serviceaccount default -f ./sa.yaml
serviceaccounts/default
Now every new Pod created in the current namespace will have the following added to its spec:
spec:
  imagePullSecrets:
    - name: myregistrykey
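As an added example (not from the original page or the Kubernetes project), the same edit done programmatically in Python: it drops resourceVersion, appends the imagePullSecret idempotently, and emits the JSON that the kubectl patch command above takes. The ServiceAccount manifest is constructed inline from the values shown on this page; the function names are mine.

```python
"""Attach an imagePullSecret to a ServiceAccount manifest the safe way.

Added example (not from the original page): reproduces the hand edit shown
above (delete resourceVersion, add imagePullSecrets) as a function, and
builds the patch body accepted by `kubectl patch serviceaccount`.
"""
import copy
import json
from typing import List


def add_image_pull_secret(sa: dict, secret_name: str) -> dict:
    """Return a copy of the ServiceAccount manifest referencing `secret_name`.

    - imagePullSecrets is a list of {"name": ...}; the entry is appended only
      if absent, so re-running the edit is idempotent.
    - metadata.resourceVersion is removed: `kubectl replace -f` with a stale
      resourceVersion is rejected with a conflict, which is why the page
      tells you to delete that line in the editor.
    """
    out = copy.deepcopy(sa)
    out.setdefault("metadata", {}).pop("resourceVersion", None)
    pull_secrets = out.setdefault("imagePullSecrets", [])
    if not any(entry.get("name") == secret_name for entry in pull_secrets):
        pull_secrets.append({"name": secret_name})
    return out


def image_pull_secret_patch(secret_names: List[str]) -> str:
    """Patch body equivalent to the `kubectl patch` one-liner above.

    ServiceAccount.imagePullSecrets is an atomic list: a patch replaces the
    whole list rather than merging into it, so pass every secret the account
    should keep, not just the new one.
    """
    return json.dumps({"imagePullSecrets": [{"name": n} for n in secret_names]})


def pull_secret_names(sa: dict) -> List[str]:
    """Registry credentials every Pod running as this SA can pull images with."""
    return [entry["name"] for entry in sa.get("imagePullSecrets", [])]


# Constructed sample: what `kubectl get serviceaccounts default -o json` might return.
DEFAULT_SA = {
    "apiVersion": "v1",
    "kind": "ServiceAccount",
    "metadata": {"name": "default", "namespace": "default",
                 "resourceVersion": "243024",
                 "uid": "052fb0f4-3d50-11e5-b066-42010af0d7b6"},
    "secrets": [{"name": "default-token-uudge"}],
}

if __name__ == "__main__":
    patched = add_image_pull_secret(DEFAULT_SA, "myregistrykey")
    print(json.dumps(patched, indent=2))
    print(image_pull_secret_patch(pull_secret_names(patched)))
```

Attaching the secret to default hands the registry credential to every Pod in the namespace, including ones created by other users with permission to create Pods there; if that is not intended, attach it to a dedicated ServiceAccount and reference that from the Pods that need it.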
