kubernetes的Service Account和secret
来源:互联网 发布:淘宝黑曜石哪家好 编辑:程序博客网 时间:2024/05/17 06:10
Service Account
Service Account概念的引入是基于这样的使用场景:运行在pod里的进程需要调用Kubernetes API以及非Kubernetes API的其它服务。Service Account它并不是给kubernetes集群的用户使用的,而是给pod里面的进程使用的,它为pod提供必要的身份认证。
kubectl get sa --all-namespacesNAMESPACE NAME SECRETS AGEdefault build-robot 1 1ddefault default 1 32ddefault kube-dns 1 31dkube-public default 1 32dkube-system dashboard 1 31dkube-system default 1 32dkube-system heapster 1 30dkube-system kube-dns 1 31d
如果kubernetes开启了ServiceAccount(–admission_control=…,ServiceAccount,… )那么会在每个namespace下面都会创建一个默认的default的sa。
如下,其中最重要的就是secrets,它是每个sa下面都会拥有的一个加密的token,这个在下面的secret会详细介绍。
kubectl get sa default -o yamlapiVersion: v1kind: ServiceAccountmetadata: creationTimestamp: 2017-05-02T06:39:12Z name: default namespace: default resourceVersion: "175" selfLink: /api/v1/namespaces/default/serviceaccounts/default uid: 0de23575-2f02-11e7-98d0-5254c4628ad9secrets:- name: default-token-rsf8r
当用户再该namespace下创建pod的时候都会默认使用这个sa,下面是get pod 截取的部分,可以看到kubernetes会把默认的sa挂载到容器内。
volumes: - name: default-token-rsf8r secret: defaultMode: 420 secretName: default-token-rsf8r
具体看一下secret
kubectl get secret default-token-rsf8r -o yamlapiVersion: v1data: ca.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUR2akNDQXFhZ0F3SUJBZ0lVZlpvZDJtSzNsa3JiMzR3NDhhUmtOc0pVVDJjd0RRWUpLb1pJaHZjTkFRRUwKQlFBd1pURUxNQWtHQTFVRUJoTUNRMDR4RURBT0JnTlZCQWdUQjBKbGFVcHBibWN4RURBT0JnTlZCQWNUQjBKbAphVXBwYm1jeEREQUtCZ05WQkFvVEEyczRjekVQTUEwR0ExVUVDeE1HVTNsemRHVnRNUk13RVFZRFZRUURFd3ByCmRXSmxjbTVsZEdWek1CNFhEVEUzTURVd01qQTNNekF3TUZvWERUSXlNRFV3TVRBM016QXdNRm93WlRFTE1Ba0cKQTFVRUJoTUNRMDR4RURBT0JnTlZCQWdUQjBKbGFVcHBibWN4RURBT0JnTlZCQWNUQjBKbGFVcHBibWN4RERBSwpCZ05WQkFvVEEyczRjekVQTUEwR0ExVUVDeE1HVTNsemRHVnRNUk13RVFZRFZRUURFd3ByZFdKbGNtNWxkR1Z6Ck1JSUJJakFOQmdrcWhraUc5dzBCQVFFRkFBT0NBUThBTUlJQkNnS0NBUUVBc2E5Zk1HVGd2MGl0YnlZcHoycXkKOThKWktXdWdFL0VPbXRYS2ExT0Y3ekUxSFh1cDFOVG8rNkhvUEFuR3hhVzg4Q0s0TENrbWhNSGFLdUxnT3IvVApOMGphdnc5YWlPeVdYR1hXUUxVN3U0aVhoaDV6a2N4bmZxRW9JOW9JV2dMTzVEL3hBL0tnZzRQZDRMeFdqMkFQCk4rcVdxQ2crU3BrdkpIQUZWL3IyTk1BbEIzNHBrK0t5djVQMDJSQmd6Y2xTeSs5OUxDWnlIQ1VocGl0TFFabHoKdUNmeGtBeUNoWFcxMWNKdVFtaDM4aFVKa0dhUW9OVDVSNmtoRTArenJDVjVkWnNVMVZuR0FydWxaWXpJY3kregpkeUZpYWYyaitITyt5blg4RUNySzR1TUF3Nk4zN1pnNjRHZVRtbk5EWmVDTTlPelk5czBOVzc1dHU5bHJPZTVqCnZRSURBUUFCbzJZd1pEQU9CZ05WSFE4QkFmOEVCQU1DQVFZd0VnWURWUjBUQVFIL0JBZ3dCZ0VCL3dJQkFqQWQKQmdOVkhRNEVGZ1FVK2RqMThRUkZyMWhKMVhGb1VyYUVVRnpEeVRBd0h3WURWUjBqQkJnd0ZvQVUrZGoxOFFSRgpyMWhKMVhGb1VyYUVVRnpEeVRBd0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFBazQ4ODZBa0Fpa3VBVWRiOWU1CitldkVXVVFFaTIyTmc4REhmVTVSbXppU2ZhVllFQ1FuTlBUREprMmYvTm1Kb3RUVWxRZS9Ec3BkNEk1TFova1IKMGI2b1VoZkdmTkVOOXVObkkvZEgzOFBjUTNDaWtVeHhaeFRYTytaaldxcGNHZTRLNzZtaWd2ZWhQR2Z1VUNzQwp0UmZkZDM2YkhnRjN4MzRCWnc5MStDQ2VKQzBSWmNjVENqcHFHUEZFQlM3akJUVUlRVjNodnZycWJMV0hNeTJuCnFIck94UFI1eFkrRU5SQ0xzVWNSdk9icUhBK1g0c1BTdzBwMWpROXNtK1lWNG1ybW9Gd1RyS09kK2FqTVhzVXkKL3ZRYkRzNld4RWkxZ2ZvR3BxZFN6U1k0MS9IWHovMjZWNlFWazJBajdQd0FYZmszYk1wWHdDamRXRG4xODhNbQpXSHM9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K namespace: ZGVmYXVsdA== token: ZXlKaGJHY2lPaUpTVXpJMU5pSXNJblI1Y0NJNklrcFhWQ0o5LmV5SnBjM01pT2lKcmRXSmxjbTVsZEdWekwzTmxjblpwWTJWaFkyTnZkVzUwSWl3aWEzVmlaWEp1WlhSbGN5NXBieTl6WlhKMmFXTmxZV05qYjNWdWRDOXVZVzFsYzNCaFkyVWlPaUprWldaaGRXeDBJaXdpYTNWaVpYSnVaWFJsY3k1cGJ5OXpaWEoyYVdObFlXTmpiM1Z1ZEM5elpXTnlaWFF1Ym1GdFpTSTZJbVJsWm1GMWJIUXRkRzlyWlc0dGNuTm1PSElpTENKcmRXSmxjbTVsZEdWekxtbHZMM05sY25acFkyVmhZMk52ZFc1MEwzTmxjblpwWTJVdFlXTmpiM1Z1ZEM1dVlXMWxJam9pWkdWbVlYVnNkQ0lzSW10MVltVnlibVYwWlhNdWFXOHZjMlZ5ZG1salpXRmpZMjkxYm5RdmMyVnlkbWxqWlMxaFkyTnZkVzUwTG5WcFpDSTZJakJrWlRJek5UYzFMVEptTURJdE1URmxOeTA1T0dRd0xUVXlOVFJqTkRZeU9HRmtPU0lzSW5OMVlpSTZJbk41YzNSbGJUcHpaWEoyYVdObFlXTmpiM1Z1ZERwa1pXWmhkV3gwT21SbFptRjFiSFFpZlEuSmxuamM0Y0xNYkZrRlJVQjIyWGtFN2t4bTJ1dS1aQm9sUTh4VEdDNmdLOTdSZTVOMzBuY2V0SWJsanVOVWFlaDhtMDk2R19nMHE3cmRvWm5XMTV2OFBVXzNyM1hWWlBNc1lxbGRpZlNJbWtReXFqeEphVlBka3Izam5GWVBkVWNaTmk3MFF3cWtEdm5sMXB4SFRNZTZkTVNPTlExbUVoMHZSbHBhRTdjVWtTVlg5blRzaFVJVTVXWE9wRUxwdTVjVjBHV3ZGeDRDSzR6Umt3clNMdlV5X2d5UGZwLWdYVFZQWU80NkJKSWZtaVhlZGhVaW9nempPN285eGxDbUxQVkhyNkFIZGViNExiTVA1dkJ2MlBSZ2RrMW9keTR0VEdxLVRGU3M2VkNoMTZ4dk5IdTRtRVN5TjZmcXVObzJwYUFOelY4b251aTJuaU4yNTU1TzN4SFdRkind: Secretmetadata: annotations: kubernetes.io/service-account.name: default kubernetes.io/service-account.uid: 0de23575-2f02-11e7-98d0-5254c4628ad9 creationTimestamp: 2017-05-02T06:42:07Z name: default-token-rsf8r namespace: default resourceVersion: "12551" selfLink: /api/v1/namespaces/default/secrets/default-token-rsf8r uid: 75c0a236-2f02-11e7-98d0-5254c4628ad9type: kubernetes.io/service-account-token
上面的内容是经过base64加密过后的,我们直接进入容器内:
~ # ls -l /var/run/secrets/kubernetes.io/serviceaccount/total 0lrwxrwxrwx 1 root root 13 May 4 23:57 ca.crt -> ..data/ca.crtlrwxrwxrwx 1 root root 16 May 4 23:57 namespace -> ..data/namespacelrwxrwxrwx 1 root root 12 May 4 23:57 token -> ..data/token
可以看到已将ca.crt 、namespace和token放到容器内了,那么这个容器就可以通过https的请求访问apiserver了。
Secret
Kubernetes提供了Secret来处理敏感信息,目前Secret的类型有3种:
Opaque(default): 任意字符串
kubernetes.io/service-account-token: 作用于ServiceAccount,就是上面说的。
kubernetes.io/dockercfg: 作用于Docker registry,用户下载docker镜像认证使用。
Opaque Secret
Opaque Secret就是字符串
apiVersion: v1kind: Secretmetadata: name: mysecrettype: Opaquedata: username: YWRtaW4= password: MWYyZDFlMmU2N2Rm
在使用的时候可以选择已volume方式或者是已环境变量的方式放到容器内使用。
{ "apiVersion": "v1", "kind": "Pod", "metadata": { "name": "mypod", "namespace": "default" }, "spec": { "containers": [{ "name": "mypod", "image": "busybox", "command": ["sleep","3600"], "imagePullPolicy": "IfNotPresent", "volumeMounts": [{ "name": "foo", "mountPath": "/etc/foo", "readOnly": true }] }], "volumes": [{ "name": "foo", "secret": { "secretName": "mysecret" } }] }}
这样就可以通过文件的方式挂载到容器内,在/etc/foo目录下回生成这个文件。
如果是环境变量当然也是ok的
apiVersion: v1kind: Podmetadata: name: secret-env-podspec: containers: - name: mycontainer image: busybox imagePullPolicy: IfNotPresent command: - sleep - "3600" env: - name: SECRET_USERNAME valueFrom: secretKeyRef: name: mysecret key: username - name: SECRET_PASSWORD valueFrom: secretKeyRef: name: mysecret key: password
进入容器通过env命令,你将可以看到这两个环境变量被注入到容器内。
imagePullSecrets
当在需要安全验证的环境中拉取镜像的时候,需要通过用户名和密码。
apiVersion: v1kind: Secretmetadata: name: myregistrykey namespace: awesomeappsdata: .dockerconfigjson: UmVhbGx5IHJlYWxseSByZWVlZWVlZWVlZWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWxsbGxsbGxsbGxsbGxsbGxsbGxsbGxsbGxsbGxsbGx5eXl5eXl5eXl5eXl5eXl5eXl5eSBsbGxsbGxsbGxsbGxsbG9vb29vb29vb29vb29vb29vb29vb29vb29vb25ubm5ubm5ubm5ubm5ubm5ubm5ubm5ubmdnZ2dnZ2dnZ2dnZ2dnZ2dnZ2cgYXV0aCBrZXlzCg==type: kubernetes.io/dockerconfigjson
或者直接通过命令创建
kubectl create secret docker-registry myregistrykey --docker-server=DOCKER_REGISTRY_SERVER --docker-username=DOCKER_USER --docker-password=DOCKER_PASSWORD --docker-email=DOCKER_EMAIL
接下来拉取镜像的时候,就可以使用了
apiVersion: v1kind: Podmetadata: name: foo namespace: awesomeappsspec: containers: - name: foo image: janedoe/awesomeapp:v1 imagePullSecrets: - name: myregistrykey
其实本质上还是kubelet把这个认证放到了docker的目录下面,如下:
cat ~/.docker/config.json { "auths": { "10.39.0.118": { "auth": "Y2hlbm1vOmNtMTM4MTE2NjY3ODY=" }, "10.39.0.12:5000": { "auth": "dXNlcjAxOjEyMzQ1YQ==" }, "http://10.39.0.12:5000": { "auth": "dXNlcjAxOjEyMzQ1YQ==" } }}
- kubernetes的Service Account和secret
- kubernetes资源对象--secret和Service Account
- 在Kubernetes Pod中使用Service Account访问API Server
- 利用PowerShell更改Search Service Account和删除旧的Search Service topology
- 一个kubernetes无法启动apiserver:'FailedCreate' No API token found for service account "default"
- kubernetes service
- Kubernetes中Secret使用详解
- Kubernetes 详解-Replica Sets 和Service
- Kubernetes集群中Service的滚动更新
- Kubernetes的service mesh – 第五部分:DogFood环境,Ingress和Edge路由
- Mesos和Kubernetes的不同
- Private key 和 Secret key 的区别
- Private key 和 Secret key 的区别
- Kubernetes service探究
- Kubernetes DNS Service技术研究
- kubernetes资源对象--Service
- Kubernetes DNS Service技术研究
- kubernetes的service的网络类型ingress的搭建
- 设计模式
- Ubuntu 配置jdk1.7
- /usr/bin/env: "python\r": 没有那个文件或目录
- rocketmq中零拷贝深入
- java学习笔记3封装和构造函数
- kubernetes的Service Account和secret
- Java类加载机制
- 记事本在读取一个文本时如何判断是该用啥字符集来读取解析文本字符
- 一句话说清楚什么是闭包函数
- Android ViewDragHelper完全解析 自定义ViewGroup神器
- git将本地文件上传到github
- caffe基础(8):draw_net.py绘制网络结构
- book-cd : Malware Analyst's Cookbook
- 安装android studio报错,及解决方式