创建自定义 ServiceAccount(sa)
[root@k8smaster4 ~]# kubectl create sa sa-test
创建引用该 sa 的 Pod
[root@k8smaster4 sa]# cat sa-demo.yaml
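# Pod that runs under the custom ServiceAccount "sa-test" created above.
# Indentation has been restored: the listing as pasted was flattened and is
# not valid YAML as shown.
apiVersion: v1
kind: Pod
metadata:
  name: sa-demo
  labels:
    environment: test
    app: nginx
spec:
  # `serviceAccountName` is the current PodSpec field; `serviceAccount`
  # (used in the original listing) is its deprecated alias and resolves
  # to the same account.
  serviceAccountName: sa-test
  # The SA token, ca.crt and namespace are auto-mounted under
  # /var/run/secrets/kubernetes.io/serviceaccount, which the curl steps
  # in this walkthrough read from.
  containers:
  - name: sa-nginx-demo
    # No tag given, so this resolves to the mutable "latest" tag; pin a
    # tag or digest when reproducible, auditable deployments matter.
    image: docker.io/library/nginx
    imagePullPolicy: IfNotPresent
    ports:
    - name: nginx
      containerPort: 80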
查看 Pod 所引用的 sa
[root@k8smaster4 sa]# kubectl describe pod sa-demo
Name: sa-demo
Namespace: default
Priority: 0
Service Account: sa-test
Node: k8snode4/192.168.0.221
Start Time: Wed, 14 Jun 2023 21:26:30 +0800
Labels: app=nginx
environment=test
Annotations: cni.projectcalico.org/podIP: 10.244.192.67/32
cni.projectcalico.org/podIPs: 10.244.192.67/32
Status: Running
IP: 10.244.192.67
IPs:
IP: 10.244.192.67
验证当前 sa 的权限(在 Pod 内使用挂载的 token 模拟请求 kube-system 命名空间的资源)
[root@k8smaster4 sa]# kubectl exec -it sa-demo -c sa-nginx-demo -- /bin/bash
root@sa-demo:/# cd /var/run/secrets/kubernetes.io/serviceaccount/
root@sa-demo:/var/run/secrets/kubernetes.io/serviceaccount# ls
ca.crt namespace token
root@sa-demo:/var/run/secrets/kubernetes.io/serviceaccount# curl --cacert ./ca.crt -H "Authorization: Bearer $(cat ./token)" https://kubernetes/api/v1/namespaces/kube-system
{
"kind": "Status",
"apiVersion": "v1",
"metadata": {},
"status": "Failure",
"message": "namespaces \"kube-system\" is forbidden: User \"system:serviceaccount:default:sa-test\" cannot get resource \"namespaces\" in API group \"\" in the namespace \"kube-system\"",
"reason": "Forbidden",
"details": {
"name": "kube-system",
"kind": "namespaces"
},
"code": 403
}root@sa-demo:/var/run/secrets/kubernetes.io/serviceaccount#
默认(未授权)情况下的请求结果
新建的 SA sa-test 尚未绑定任何角色,因此请求被拒绝(403 Forbidden)
手动将当前 sa 绑定到 cluster-admin 集群角色(cluster-admin 拥有整个集群的全部权限,这里仅用于演示授权前后的差别;实际使用时应按最小权限原则绑定只包含所需资源和动作的 Role/ClusterRole)
[root@k8smaster4 sa]# kubectl create clusterrolebinding sa-test-admin --clusterrole=cluster-admin --serviceaccount=default:sa-test
clusterrolebinding.rbac.authorization.k8s.io/sa-test-admin created
绑定 cluster-admin 后再次发起同一请求,返回结果如下
root@sa-demo:/var/run/secrets/kubernetes.io/serviceaccount# curl --cacert ./ca.crt -H "Authorization: Bearer $(cat ./token)" https://kubernetes/api/v1/namespaces/kube-system
{
"kind": "Namespace",
"apiVersion": "v1",
"metadata": {
"name": "kube-system",
"uid": "21a3ec46-606c-484c-ad98-d502085d6121",
"resourceVersion": "13",
"creationTimestamp": "2022-12-28T09:11:55Z",
"labels": {
"kubernetes.io/metadata.name": "kube-system"
},
"managedFields": [
{
"manager": "kube-apiserver",
"operation": "Update",
"apiVersion": "v1",
"time": "2022-12-28T09:11:55Z",
"fieldsType": "FieldsV1",
"fieldsV1": {
"f:metadata": {
"f:labels": {
".": {},
"f:kubernetes.io/metadata.name": {}
}
}
}
}
]
},
"spec": {
"finalizers": [
"kubernetes"
]
},
"status": {
"phase": "Active"
}
}root@sa-demo:/var/run/secrets/kubernetes.io/serviceaccount#