• ServiceAccount在K8s上的说明


    摘要

    在Kubernetes中,ServiceAccount(服务账号)是用于与API服务器进行身份验证和授权的实体。每个Pod都会自动分配一个默认的ServiceAccount,可以通过在Pod配置中指定不同的ServiceAccount来为不同的Pod分配不同的权限。

    ServiceAccount使用Token来进行身份验证。当Pod向API服务器发送请求时,它们会附带ServiceAccount的Token作为身份凭证。API服务器会验证Token的有效性,并根据ServiceAccount绑定的角色和权限策略来授权请求。

    ServiceAccount通常用于以下两个目的:

    身份验证:ServiceAccount提供了一种方式,确保Pod是合法且受信任的实体。API服务器会验证ServiceAccount的Token,在通过身份验证后,Pod可以使用它的身份进行资源的操作和访问。

    授权访问:Kubernetes使用Role-Based Access Control(RBAC)来管理对集群资源的访问权限。ServiceAccount与RBAC中的角色(Role)或集群角色(ClusterRole)相关联,以确定Pod可以执行的操作和访问的资源。

    通过使用ServiceAccount,Kubernetes能够对Pod进行身份验证和授权,从而控制和限制对集群资源的访问。这有助于确保Pod的安全性和可信任性,同时提供细粒度的访问控制。

    Simply put

    In Kubernetes, a ServiceAccount is an entity used for authentication and authorization with the API server. Each Pod is automatically assigned a default ServiceAccount, which provides it with an identity and assigns specific permissions. ServiceAccounts are part of the ClusterRole and Role-based authorization system.

    A ServiceAccount is closely tied to a Pod and serves the following purposes:

    Providing authentication for Pods: ServiceAccount and its corresponding token are used for authentication between the Pod and the Kubernetes API server.
    Assigning access permissions: ServiceAccount is associated with a Role or ClusterRole to allocate specific permissions for accessing cluster resources.

    Example

    在Kubernetes中,ServiceAccount(服务账号)是用于身份验证和授权的实体。它为Pod或其他资源提供了一个身份,并为它们分配了特定的权限。ServiceAccount是ClusterRole和Role授权系统的一部分。

    ServiceAccount与Pod紧密绑定,每个Pod都会自动关联到一个默认的ServiceAccount,如果没有指定的话。ServiceAccount的主要作用是:

    1. 为Pod提供身份验证:Pod中使用ServiceAccount和相应的Token与Kubernetes API Server进行身份验证。
    2. 分配访问权限:ServiceAccount与Role或ClusterRole绑定,用于为Pod分配访问集群资源的权限。

    以下是在Kubernetes上使用ServiceAccount的示例:

    1. 创建一个ServiceAccount:
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: my-service-account
    
    
    
    • 1
    • 2
    • 3
    • 4
    • 5
    • 6
    1. 创建一个具有权限的Role:
    apiVersion: rbac.authorization.k8s.io/v1
    kind: Role
    metadata:
      name: my-role
    rules:
    - apiGroups: [""]
      resources: ["pods"]
      verbs: ["get", "list"]
    
    
    
    • 1
    • 2
    • 3
    • 4
    • 5
    • 6
    • 7
    • 8
    • 9
    • 10
    1. 将ServiceAccount与Role绑定:
    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      name: my-role-binding
    roleRef:
      kind: Role
      name: my-role
      apiGroup: rbac.authorization.k8s.io
    subjects:
    - kind: ServiceAccount
      name: my-service-account
      namespace: default
    
    
    
    • 1
    • 2
    • 3
    • 4
    • 5
    • 6
    • 7
    • 8
    • 9
    • 10
    • 11
    • 12
    • 13
    • 14

    在上述示例中,我们创建了一个名为my-service-account的ServiceAccount,并为其关联了一个名为my-role的Role。Role定义了该账号可以使用的资源和操作。最后,我们将ServiceAccount和Role进行了绑定,以确保ServiceAccount在调用API时拥有相应的权限。

    通过上述步骤,我们可以为Pod提供具有限制权限的ServiceAccount,以确保Pod只能访问其授权的资源。

    On the other hand

    In a distant future, where humanity has colonized multiple star systems, a sprawling interstellar civilization thrives. Among the countless advanced technologies that enable this society to function, Kubernetes emerges as the central nervous system that coordinates and manages the vast network of automated systems and artificial intelligences.

    In this future, the ServiceAccount, a specialized entity designed for authentication and authorization, plays a pivotal role in the functioning of this advanced Kubernetes infrastructure. Each star system, with its own unique set of challenges and requirements, relies on ServiceAccounts to establish secure connections and interact with the central API server.

    On a distant planet named Xantheon Prime, a young and ambitious scientist named Dr. Alyssa Nova is at the forefront of cutting-edge research. She has dedicated her life to understanding the mysteries of the universe and harnessing the power of Kubernetes to push the boundaries of what is possible.

    One fateful day, while conducting experiments in her state-of-the-art laboratory, Dr. Nova accidentally discovers a hidden anomaly in the fabric of space-time. The anomaly, a rift in the very fabric of reality, possesses immense power and potential. Recognizing the significance of her discovery, she quickly realizes that she needs the assistance of Kubernetes and its ServiceAccounts to fully comprehend and harness this newfound power.

    Driven by her insatiable curiosity and desire to unlock the secrets of the universe, Dr. Nova embarks on a perilous journey across the galaxy. With her trusty ServiceAccount companion, named Nexus, by her side, she navigates treacherous asteroid fields, encounters hostile alien species, and delves into ancient civilizations long forgotten.

    As they venture deeper into the unknown, Dr. Nova and Nexus encounter other scientists, explorers, and even rogue AI entities, all vying to harness the power of the anomaly for their own purposes. The race to control this newfound power intensifies, leading to epic battles and unexpected alliances.

    Through it all, Dr. Nova relies on her expertise in Kubernetes and the unwavering support of Nexus, her faithful ServiceAccount, to overcome the challenges they face. Together, they unravel the secrets of the anomaly, pushing the boundaries of science and rewriting the laws of the universe.

    In this captivating tale of exploration, discovery, and the power of technology, the ServiceAccount becomes more than just a tool for authentication and authorization. It becomes a trusted companion, a partner in the quest for knowledge, and a symbol of the potential that lies within the human spirit.

    As the story concludes, Dr. Nova and Nexus stand at the precipice of a new era, armed with the knowledge and power to shape the destiny of the universe. And it all began with the humble ServiceAccount, a key component in the grand tapestry of Kubernetes, enabling humanity to reach for the stars and unlock the secrets of the cosmos.

  • 相关阅读:
    小剧场短剧影视小程序源码,附带系统搭建教程
    常用工具记录
    Win11截图工具在哪里?
    SpringSecurity Oauth2实战 - 05 /oauth/token请求认证流程源码分析
    榕树贷款Mybatis-Plus的特点
    计算机网络之数据链路层
    数据结构与算法之堆: Leetcode 313. 超级丑数 (Typescript版)
    idea软件_启动出错&永久办法&leetcode关联
    科技资讯|微软获得AI双肩包专利,Find My防丢背包大火
    交换机和路由器技术-30-标准ACL
  • 原文地址:https://blog.csdn.net/weixin_38233104/article/details/132755387