ServiceAccount permissions in the kube-system namespace
The starting point is a passage in 《kubernetes权威指南 第5版》 about the default ServiceAccount in the kube-system namespace, which raises two questions.
What operations is that default ServiceAccount actually allowed to perform?
When we list every role binding in the cluster (cluster-scoped and namespaced alike), none of them references the default ServiceAccount of kube-system. Is the book's description wrong?
And when the control-plane components (kube-controller-manager, kube-scheduler, the kubelet) talk to the API server, do they use a ServiceAccount as well? If so, which roles are bound to it?
With these two questions in mind, first list all ServiceAccounts in kube-system. There are many of them; apart from default they are not examined here.
$ kubectl get sa -n kube-system
NAME SECRETS AGE
attachdetach-controller 1 44d
bootstrap-signer 1 44d
certificate-controller 1 44d
clusterrole-aggregation-controller 1 44d
coredns 1 44d
cronjob-controller 1 44d
daemon-set-controller 1 44d
default 1 44d
deployment-controller 1 44d
disruption-controller 1 44d
endpoint-controller 1 44d
endpointslice-controller 1 44d
endpointslicemirroring-controller 1 44d
ephemeral-volume-controller 1 44d
expand-controller 1 44d
generic-garbage-collector 1 44d
horizontal-pod-autoscaler 1 44d
job-controller 1 44d
kube-proxy 1 44d
namespace-controller 1 44d
node-controller 1 44d
persistent-volume-binder 1 44d
pod-garbage-collector 1 44d
pv-protection-controller 1 44d
pvc-protection-controller 1 44d
replicaset-controller 1 44d
replication-controller 1 44d
resourcequota-controller 1 44d
root-ca-cert-publisher 1 44d
service-account-controller 1 44d
service-controller 1 44d
statefulset-controller 1 44d
token-cleaner 1 44d
ttl-after-finished-controller 1 44d
ttl-controller 1 44d
If some component does use the default ServiceAccount of this namespace, which permissions does it have out of the box?
ServiceAccounts are authenticated as the user system:serviceaccount:<namespace>:<name> and carry group memberships: system:serviceaccounts (every ServiceAccount in the cluster) and system:serviceaccounts:<namespace>. Every namespace gets a ServiceAccount named default, created by the service-account controller, and a Pod that does not declare serviceAccountName is assigned that default ServiceAccount. By default, however, no Role or ClusterRole is bound to it. That is why we found no Role or RoleBinding for the default ServiceAccount in kube-system.
Although the default ServiceAccount has no binding of its own, it inherits whatever is granted to its groups. The group system:serviceaccounts is bound to the ClusterRole system:service-account-issuer-discovery, which only allows GET on two non-resource URLs (the OIDC discovery documents). Like every authenticated principal it is also in system:authenticated, which the bootstrap policy binds to system:discovery, system:basic-user and system:public-info-viewer: read-only access to the API discovery paths, /version and the health endpoints, plus the ability to create SelfSubjectAccessReviews. That is what makes the GET /api request later in this post succeed. Concretely:
ClusterRoleBinding system:service-account-issuer-discovery:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  creationTimestamp: "2022-09-26T09:31:13Z"
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
  name: system:service-account-issuer-discovery
  resourceVersion: "146"
  uid: d6ce5a27-41ae-4e26-a860-6c8a1008b41e
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:service-account-issuer-discovery
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:serviceaccounts
ClusterRole system:service-account-issuer-discovery:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  creationTimestamp: "2022-09-26T09:31:13Z"
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
  name: system:service-account-issuer-discovery
  resourceVersion: "101"
  uid: a301c134-7d65-45d6-8890-1c13311a3fc9
rules:
- nonResourceURLs:
  - /.well-known/openid-configuration
  - /openid/v1/jwks
  verbs:
  - get
So by default the default ServiceAccount in kube-system can do almost nothing with cluster resources; to operate on them it would need a specific Role or ClusterRole bound to it.
Next question: when the control-plane components (kube-controller-manager, kube-scheduler, the kubelet) talk to the API server, do they use a ServiceAccount, and if so which one?
Looking at the manifests of kube-apiserver and the other control-plane Pods, there is no serviceAccountName field, so no ServiceAccount is attached. Doesn't that contradict the rule above, that a Pod without serviceAccountName is assigned the default ServiceAccount of its namespace?
The answer is that these components are special: they run as static Pods, managed directly by the kubelet from /etc/kubernetes/manifests, and a static Pod's spec cannot reference other API objects (ServiceAccount, ConfigMap, Secret and so on). The rule is correct, it just needs that qualification.
If they do not use a ServiceAccount, how do they pass authentication and authorization?
Certificates
Under /etc/kubernetes there are several kubeconfig files holding the client certificates each component presents to the API server by default. Authentication is done with these certificates: the API server verifies them against its client CA and takes the certificate Subject's CN as the user name and each O as a group.
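To make the effective-permission resolution concrete, the following is an added example (not code from the original post or from Kubernetes): a minimal RBAC evaluator over a hand-copied subset of the bootstrap ClusterRoles and ClusterRoleBindings. It maps a ServiceAccount or a client-certificate Subject to the User and Groups the API server derives, collects the roles bound to them, and answers "is this verb on this resource or path allowed". The rule contents of system:discovery, system:basic-user and the component roles are assumptions copied from a default kubeadm cluster; re-check them with kubectl get clusterrole <name> -oyaml on your own cluster. It also covers the certificate identities discussed further down (system:kube-scheduler, system:kube-controller-manager, system:node:<host>).

```python
"""Resolve a principal's effective RBAC permissions from bootstrap bindings.
Added example, not code from the original post or from Kubernetes. The roles and
bindings are a hand-copied subset of the kubeadm bootstrap defaults (assumption:
verify with kubectl get clusterrole/<name> clusterrolebinding/<name> -oyaml).
"""
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Identity:
    user: str
    groups: frozenset

@dataclass(frozen=True)
class Request:
    verb: str
    api_group: Optional[str] = None  # "" is the core group
    resource: Optional[str] = None   # e.g. "pods" or "pods/binding"
    path: Optional[str] = None       # non-resource URL, e.g. "/api"

def identity_for_serviceaccount(namespace: str, name: str) -> Identity:
    # A ServiceAccount token authenticates as this user and these groups;
    # every authenticated principal is additionally in system:authenticated.
    return Identity(f"system:serviceaccount:{namespace}:{name}",
                    frozenset({"system:serviceaccounts",
                               f"system:serviceaccounts:{namespace}",
                               "system:authenticated"}))

def identity_for_certificate(common_name: str, organizations=()) -> Identity:
    # X.509 client certificate: CN is the user name, each O value is a group.
    return Identity(common_name, frozenset(organizations) | {"system:authenticated"})

# Subset of the bootstrap ClusterRoles (assumed to match a default kubeadm cluster).
CLUSTER_ROLES = {
    "system:service-account-issuer-discovery": [
        {"nonResourceURLs": ["/.well-known/openid-configuration", "/openid/v1/jwks"],
         "verbs": ["get"]}],
    "system:discovery": [
        {"nonResourceURLs": ["/api", "/api/*", "/apis", "/apis/*", "/healthz", "/livez",
                             "/openapi", "/openapi/*", "/readyz", "/version", "/version/"],
         "verbs": ["get"]}],
    "system:basic-user": [
        {"apiGroups": ["authorization.k8s.io"],
         "resources": ["selfsubjectaccessreviews", "selfsubjectrulesreviews"],
         "verbs": ["create"]}],
    "system:kube-scheduler": [
        {"apiGroups": [""], "resources": ["bindings", "pods/binding"], "verbs": ["create"]},
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["delete", "get", "list", "watch"]},
        {"apiGroups": ["coordination.k8s.io"], "resources": ["leases"],
         "resourceNames": ["kube-scheduler"], "verbs": ["get", "update"]}],
    "system:kube-controller-manager": [
        {"apiGroups": ["*"], "resources": ["*"], "verbs": ["list", "watch"]}],
    "system:node": [
        {"apiGroups": [""], "resources": ["pods", "secrets"], "verbs": ["get", "list", "watch"]}],
}

# (ClusterRole, subjects). system:node has no subjects on purpose: kubelets are
# authorized by the Node authorizer, not by RBAC through this binding.
CLUSTER_ROLE_BINDINGS = [
    ("system:service-account-issuer-discovery", [("Group", "system:serviceaccounts")]),
    ("system:discovery", [("Group", "system:authenticated")]),
    ("system:basic-user", [("Group", "system:authenticated")]),
    ("system:kube-scheduler", [("User", "system:kube-scheduler")]),
    ("system:kube-controller-manager", [("User", "system:kube-controller-manager")]),
    ("system:node", []),
]

def effective_roles(identity: Identity) -> set:
    """ClusterRoles whose binding names this user or one of its groups."""
    return {role for role, subjects in CLUSTER_ROLE_BINDINGS
            for kind, name in subjects
            if (kind == "User" and name == identity.user)
            or (kind == "Group" and name in identity.groups)}

def _rule_matches(rule: dict, req: Request, name: Optional[str]) -> bool:
    if req.verb not in rule["verbs"] and "*" not in rule["verbs"]:
        return False
    if req.path is not None:  # non-resource URL: only a trailing '*' is a wildcard
        return any(req.path.startswith(u[:-1]) if u.endswith("*") else req.path == u
                   for u in rule.get("nonResourceURLs", []))
    groups, resources = rule.get("apiGroups", []), rule.get("resources", [])
    if req.api_group not in groups and "*" not in groups:
        return False
    if req.resource not in resources and "*" not in resources:
        return False
    names = rule.get("resourceNames")  # absent means any object name
    return not names or name in names

def allowed(identity: Identity, req: Request, name: Optional[str] = None) -> bool:
    """RBAC is allow-only: one matching rule in any bound role grants the request."""
    return any(_rule_matches(rule, req, name)
               for role in effective_roles(identity)
               for rule in CLUSTER_ROLES[role])
```

With these tables, allowed(identity_for_serviceaccount("default", "default"), Request("get", path="/api")) is True while the same identity is denied list on pods and GET /versions, and identity_for_certificate("system:node:hecs-24836", ["system:nodes"]) picks up no system:node role at all because that binding has no subjects. On a live cluster the equivalent check is kubectl auth can-i <verb> <resource> --as=<user> --as-group=<group>.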
controller-manager.conf
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: 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
    server: https://192.168.0.41:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: system:kube-controller-manager
  name: system:kube-controller-manager@kubernetes
current-context: system:kube-controller-manager@kubernetes
kind: Config
preferences: {}
users:
- name: system:kube-controller-manager
  user:
    client-certificate-data: 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
    client-key-data: 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
Certificate Subject: CN=system:kube-controller-manager, i.e. the RBAC User system:kube-controller-manager.
kubelet.conf
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: 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
    server: https://192.168.0.41:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: system:node:hecs-24836
  name: system:node:hecs-24836@kubernetes
current-context: system:node:hecs-24836@kubernetes
kind: Config
preferences: {}
users:
- name: system:node:hecs-24836
  user:
    client-certificate: /var/lib/kubelet/pki/kubelet-client-current.pem
    client-key: /var/lib/kubelet/pki/kubelet-client-current.pem
Certificate Subject: O=system:nodes, CN=system:node:hecs-24836, i.e. User system:node:hecs-24836 in Group system:nodes. Unlike the other two files, the kubelet's kubeconfig points at a file on disk instead of embedding the certificate: kubeadm enables kubelet client certificate rotation, and kubelet-client-current.pem is a symlink to the most recently issued certificate.
scheduler.conf
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUMvakNDQWVhZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwcmRXSmwKY201bGRHVnpNQjRYRFRJeU1Ea3lOakE1TXpFd01sb1hEVE15TURreU16QTVNekV3TWxvd0ZURVRNQkVHQTFVRQpBeE1LYTNWaVpYSnVaWFJsY3pDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBTGVLCmxmeEVvTFFJZ1JxSkd1VzhYMUJibG5HQXphM3d3V2EzdkFreGhpemZaV0dvTyt4M05KemlnQXZTZEpONDdwcEQKZm10bXdrTWhKOUNIRGY0TTRRd1FmdzFWUmRIOVlXYmZzQVlpN0xsOXZOM04yVDlyZVFBelZpMnRaQlU2aTVjeQpkbnhKQXlFTnRocmoxdHN6MGh5OVVXTm1URUpRZVZ6aW55T0t1UFVEcGlzQjRscy9jbEdKT1JsVG5LY3RFU0FiCkk5RGpFbno4a3diUDVIMXdsWUxMUEc5KzBLMGlYSmRzcUR1SVlKQjhaem9WRHQ0SHI3SVovdm5KZkhFVU8yNVYKbHhUaHF2WDlRRklRM3dNSVk1LzR0aWVFdVFMbjV4UDFyOGtpQzdENkJhVUVqMTZ5eThlaXkwTmErVnVBcHlmdApHUE85MldNbStZQU16Y3k1NGcwQ0F3RUFBYU5aTUZjd0RnWURWUjBQQVFIL0JBUURBZ0trTUE4R0ExVWRFd0VCCi93UUZNQU1CQWY4d0hRWURWUjBPQkJZRUZBVVVHQlF0alJtQzZTRnBmN256VnNyaVdLeFdNQlVHQTFVZEVRUU8KTUF5Q0NtdDFZbVZ5Ym1WMFpYTXdEUVlKS29aSWh2Y05BUUVMQlFBRGdnRUJBSnRPOWFMeVRrQ0dKVWhkcUFmaQp3RnNleXloUk8zVzJjVlF3OGZqRnU1blRvZnpDV2JlSHYwY20xUUxXb3hDTmJwY3JNUHVBUWNteEV5cVpHZld6CndQSm5aVGRVa1NTZEtvd2V5Y2ZaTU1FQnZwYkgyTkVNbGVEeDluN0FzZ3hoZTQ2ZUxoZlVwZ1YwOUMyRThFMVoKNS9tTVIrb3lraXQ3N0UyTGRjREN4cnBxUEZ6LzdtMVA4WXJrR1g1YVVYUDV0aFZ3UmlaaUZEV0Zuc1YrTWJGdAo1VDJnWmgrMm03ek14aTUvd2ZJYkZWQlFsOGZwbERtWE05c1FRUWE0RkZwTERkWUpXTGo5OFN5dXFGaGV1ZXdTCkd2WkdKQXBxSjV1VmVmajJ5STRYa014Rktqak81cjk1YXh3Ti9uTnZmbi9wOFYwc0YwK25PbkdoZkV5ZjVYNmIKUXZzPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
    server: https://192.168.0.41:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: system:kube-scheduler
  name: system:kube-scheduler@kubernetes
current-context: system:kube-scheduler@kubernetes
kind: Config
preferences: {}
users:
- name: system:kube-scheduler
  user:
    client-certificate-data: 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
    client-key-data: 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
Certificate Subject: CN=system:kube-scheduler, i.e. User system:kube-scheduler. The Subject of any of these certificates can be checked with openssl x509 -noout -subject on the decoded client-certificate-data.
Roles and role bindings
We can also look at the ClusterRoles and ClusterRoleBindings that the RBAC bootstrap creates for these core components; these bindings are what let their requests pass authorization.
ClusterRole system:kube-controller-manager
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  creationTimestamp: "2022-09-26T09:31:13Z"
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
  name: system:kube-controller-manager
  resourceVersion: "91"
  uid: 150e5e79-8792-47cc-9822-acef4e8c4042
rules:
- apiGroups:
  - ""
  - events.k8s.io
  resources:
  - events
  verbs:
  - create
  - patch
  - update
- apiGroups:
  - coordination.k8s.io
  resources:
  - leases
  verbs:
  - create
- apiGroups:
  - coordination.k8s.io
  resourceNames:
  - kube-controller-manager
  resources:
  - leases
  verbs:
  - get
  - update
- apiGroups:
  - ""
  resources:
  - endpoints
  verbs:
  - create
- apiGroups:
  - ""
  resourceNames:
  - kube-controller-manager
  resources:
  - endpoints
  verbs:
  - get
  - update
- apiGroups:
  - ""
  resources:
  - secrets
  - serviceaccounts
  verbs:
  - create
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - delete
- apiGroups:
  - ""
  resources:
  - configmaps
  - namespaces
  - secrets
  - serviceaccounts
  verbs:
  - get
- apiGroups:
  - ""
  resources:
  - secrets
  - serviceaccounts
  verbs:
  - update
- apiGroups:
  - authentication.k8s.io
  resources:
  - tokenreviews
  verbs:
  - create
- apiGroups:
  - authorization.k8s.io
  resources:
  - subjectaccessreviews
  verbs:
  - create
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - serviceaccounts/token
  verbs:
  - create
ClusterRoleBinding system:kube-controller-manager
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  creationTimestamp: "2022-09-26T09:31:13Z"
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
  name: system:kube-controller-manager
  resourceVersion: "141"
  uid: 7f80fca5-8a95-42fa-877a-1f51bbaaa70c
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:kube-controller-manager
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: system:kube-controller-manager
Two rules in this role deserve attention. The rule with apiGroups '*', resources '*' and verbs list, watch lets system:kube-controller-manager read every object in the cluster, Secrets included (its shared informers need this), and serviceaccounts/token create lets it mint a token for any ServiceAccount. kubeadm starts the controller manager with --use-service-account-credentials=true, so each controller loop actually talks to the API server as its own ServiceAccount from the kube-system list above (deployment-controller, job-controller and so on), each bound to a matching system:controller:* ClusterRole; the system:kube-controller-manager certificate identity is what requests those tokens. Either way, the client key embedded in controller-manager.conf must be protected like any other cluster-wide credential.
ClusterRole system:node
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  creationTimestamp: "2022-09-26T09:31:13Z"
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
  name: system:node
  resourceVersion: "85"
  uid: 57f4e2d8-00cb-456c-93bb-e4c2d1f7d63f
rules:
- apiGroups:
  - authentication.k8s.io
  resources:
  - tokenreviews
  verbs:
  - create
- apiGroups:
  - authorization.k8s.io
  resources:
  - localsubjectaccessreviews
  - subjectaccessreviews
  verbs:
  - create
- apiGroups:
  - ""
  resources:
  - services
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - nodes
  verbs:
  - create
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - nodes/status
  verbs:
  - patch
  - update
- apiGroups:
  - ""
  resources:
  - nodes
  verbs:
  - patch
  - update
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - patch
  - update
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - create
  - delete
- apiGroups:
  - ""
  resources:
  - pods/status
  verbs:
  - patch
  - update
- apiGroups:
  - ""
  resources:
  - pods/eviction
  verbs:
  - create
- apiGroups:
  - ""
  resources:
  - configmaps
  - secrets
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - persistentvolumeclaims
  - persistentvolumes
  verbs:
  - get
- apiGroups:
  - ""
  resources:
  - endpoints
  verbs:
  - get
- apiGroups:
  - certificates.k8s.io
  resources:
  - certificatesigningrequests
  verbs:
  - create
  - get
  - list
  - watch
- apiGroups:
  - coordination.k8s.io
  resources:
  - leases
  verbs:
  - create
  - delete
  - get
  - patch
  - update
- apiGroups:
  - storage.k8s.io
  resources:
  - volumeattachments
  verbs:
  - get
- apiGroups:
  - ""
  resources:
  - serviceaccounts/token
  verbs:
  - create
- apiGroups:
  - ""
  resources:
  - persistentvolumeclaims/status
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - storage.k8s.io
  resources:
  - csidrivers
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - storage.k8s.io
  resources:
  - csinodes
  verbs:
  - create
  - delete
  - get
  - patch
  - update
- apiGroups:
  - node.k8s.io
  resources:
  - runtimeclasses
  verbs:
  - get
  - list
  - watch
ClusterRoleBinding system:node
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  creationTimestamp: "2022-09-26T09:31:13Z"
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
  name: system:node
  resourceVersion: "145"
  uid: 177af254-b595-4394-8fe9-0bac03613f2c
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:node
Note that this binding has no subjects at all. Since Kubernetes 1.8 the bootstrap policy deliberately leaves system:node unbound so that kubelets are authorized by the Node authorizer instead (--authorization-mode=Node,RBAC, the kubeadm default): a kubelet is recognised by its Group system:nodes and CN system:node:<name>, and the Node authorizer only lets it read the Secrets, ConfigMaps and PersistentVolumeClaims referenced by Pods bound to its own node. A stolen kubelet certificate therefore does not get the cluster-wide get/list/watch on all Secrets and ConfigMaps that the ClusterRole above would grant if it were bound to system:nodes.
ClusterRole system:kube-scheduler
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  creationTimestamp: "2022-09-26T09:31:13Z"
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
  name: system:kube-scheduler
  resourceVersion: "103"
  uid: 863314fa-09a6-4674-99fc-d8bcfc1f8707
rules:
- apiGroups:
  - ""
  - events.k8s.io
  resources:
  - events
  verbs:
  - create
  - patch
  - update
- apiGroups:
  - coordination.k8s.io
  resources:
  - leases
  verbs:
  - create
- apiGroups:
  - coordination.k8s.io
  resourceNames:
  - kube-scheduler
  resources:
  - leases
  verbs:
  - get
  - update
- apiGroups:
  - ""
  resources:
  - endpoints
  verbs:
  - create
- apiGroups:
  - ""
  resourceNames:
  - kube-scheduler
  resources:
  - endpoints
  verbs:
  - get
  - update
- apiGroups:
  - ""
  resources:
  - nodes
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - delete
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - bindings
  - pods/binding
  verbs:
  - create
- apiGroups:
  - ""
  resources:
  - pods/status
  verbs:
  - patch
  - update
- apiGroups:
  - ""
  resources:
  - replicationcontrollers
  - services
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - apps
  - extensions
  resources:
  - replicasets
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - apps
  resources:
  - statefulsets
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - policy
  resources:
  - poddisruptionbudgets
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - persistentvolumeclaims
  - persistentvolumes
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - authentication.k8s.io
  resources:
  - tokenreviews
  verbs:
  - create
- apiGroups:
  - authorization.k8s.io
  resources:
  - subjectaccessreviews
  verbs:
  - create
- apiGroups:
  - storage.k8s.io
  resources:
  - csinodes
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - storage.k8s.io
  resources:
  - csidrivers
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - storage.k8s.io
  resources:
  - csistoragecapacities
  verbs:
  - get
  - list
  - watch
ClusterRoleBinding system:kube-scheduler
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  creationTimestamp: "2022-09-26T09:31:13Z"
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
  name: system:kube-scheduler
  resourceVersion: "143"
  uid: be8c68c7-9d40-4244-a513-50f5f7f66d1e
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:kube-scheduler
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: system:kube-scheduler
Note the scope of the scheduler's write access: it can create pods/binding (assign a Pod to a node) and delete Pods, but it has no access to Secrets or ConfigMaps, and its lease and endpoint updates are restricted by resourceNames to the single kube-scheduler leader-election object.
What about ServiceAccounts in an ordinary namespace?
ServiceAccount permissions in an ordinary namespace
Create a Pod:
kubectl run nginx --image=nginx
As noted above, a Pod that does not declare serviceAccountName is assigned the default ServiceAccount of its namespace.
The Pod's YAML confirms this: serviceAccountName has been filled in as default.
$ kubectl get pod/nginx -oyaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: "2022-11-15T04:01:58Z"
  labels:
    run: nginx
  name: nginx
  namespace: default
  resourceVersion: "5892284"
  uid: ab98dbe1-9ed7-4e46-aae8-ca02ec68204e
spec:
  containers:
  - image: nginx
    imagePullPolicy: Always
    name: nginx
    resources: {}
    terminationMessagePath: /dev/termination-log
    terminationMessagePolicy: File
    volumeMounts:
    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      name: kube-api-access-l8prv
      readOnly: true
  dnsPolicy: ClusterFirst
  enableServiceLinks: true
  serviceAccount: default
  serviceAccountName: default
The ServiceAccount credentials are projected into the container under /var/run/secrets/kubernetes.io/serviceaccount (the kube-api-access-* volume name is generated per Pod). Note that this is a bound, short-lived token: the serviceAccountToken source has expirationSeconds: 3607, the token is tied to this Pod and is refreshed by the kubelet. It is not the legacy non-expiring token Secret, which this cluster version still auto-creates for every ServiceAccount (the SECRETS 1 column in the kube-system listing above) but which Kubernetes 1.24 stopped generating.
...
spec:
  containers:
  - image: nginx
    imagePullPolicy: Always
    name: nginx
    volumeMounts:
    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      name: kube-api-access-xs8cp
      readOnly: true
  ...
  volumes:
  - name: kube-api-access-xs8cp
    projected:
      defaultMode: 420
      sources:
      - serviceAccountToken:
          expirationSeconds: 3607
          path: token
      - configMap:
          items:
          - key: ca.crt
            path: ca.crt
          name: kube-root-ca.crt
      - downwardAPI:
          items:
          - fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
            path: namespace
Inside the container, the mounted files are:
root@nginx:/run/secrets/kubernetes.io/serviceaccount# ls -l
total 0
lrwxrwxrwx 1 root root 13 Nov 10 04:53 ca.crt -> ..data/ca.crt
lrwxrwxrwx 1 root root 16 Nov 10 04:53 namespace -> ..data/namespace
lrwxrwxrwx 1 root root 12 Nov 10 04:53 token -> ..data/token
root@nginx:/run/secrets/kubernetes.io/serviceaccount#
token (a JWT signed by the API server's service-account key)
eyJhbGciOiJSUzI1NiIsImtpZCI6ImlSbjhteGZ0MlRlUV9yUjlUbk1Na0VMZngxODhBTlg0MTZtT1lJWFhUREkifQ.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.h7SNcZTAz9rn2jQah3A37HRwrp2aKDn4rdEttBPGQY_ZQW61dN09UluObH6p3SJxxabp5Diw1--VaeP5EEved3rLw6YwUQg3rxDnoA1Xuy5tfRPJXmMlW6_dxfSEEJ6tTMvx0UgLTOIyikYZ3gj6bdz6f7PJC-hfPTcnqPkkkQA7w1h0h1w6Aj5vgy3EUVGXEK8xQynZDNUS9J-TRIh_Lptepl5AzQeoRM8qgFT4U6MvM0Cl4gbPR7gXy1LkOomQJFsQWEBJ5yV3-e90tY5s4JZPYPkDS0YiEufcBg1rrsP42WYOLVMPKkhrStSMRygL4IpfIO0Diflb9_Zf3oP2Fw
ca.crt (the cluster CA used to verify the API server)
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
namespace
default
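The identity the API server will derive from that token is written in its claims. The following is an added example (not from the original post): it assembles a token with the claim layout of a projected ServiceAccount token (a constructed sample with a placeholder signature, so nothing here verifies the signature; claims read this way must never be trusted as authenticated) and reads out the claims that matter for authorization: sub, which is the User name RBAC sees, the Pod the token is bound to, its audience and its remaining lifetime. The Pod name and uid in the sample are taken from the nginx Pod above; the key id and ServiceAccount uid are placeholders.

```python
"""Inspect the claims of a projected ServiceAccount token (no signature check).
Added example, not code from the original post. make_sample_token() builds a
constructed token with the projected-token claim layout and a fake signature.
"""
import base64
import json
import time


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding first.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_claims(token: str) -> dict:
    """Return the header and payload of a JWT. Does NOT verify the signature."""
    header, payload, _signature = token.split(".")
    return {"header": json.loads(_b64url_decode(header)),
            "payload": json.loads(_b64url_decode(payload))}


def summarize(token: str, now: float) -> dict:
    """Pull out the claims that decide what the token can be used for."""
    claims = decode_claims(token)["payload"]
    k8s = claims.get("kubernetes.io", {})
    return {
        "user": claims["sub"],                         # User name as RBAC sees it
        "namespace": k8s.get("namespace"),
        "serviceaccount": k8s.get("serviceaccount", {}).get("name"),
        "bound_pod": k8s.get("pod", {}).get("name"),   # token is invalid once this Pod is gone
        "audiences": claims.get("aud"),                # API server rejects a foreign audience
        "expires_in_s": int(claims["exp"] - now),
        "issuer": claims["iss"],
    }


def make_sample_token(now: int) -> str:
    """Constructed sample with the projected-token claim layout; fake signature."""
    header = {"alg": "RS256", "kid": "example-key-id"}  # kid is a placeholder
    payload = {
        "aud": ["https://kubernetes.default.svc.cluster.local"],
        "exp": now + 3607, "iat": now, "nbf": now,
        "iss": "https://kubernetes.default.svc.cluster.local",
        "kubernetes.io": {
            "namespace": "default",
            "pod": {"name": "nginx", "uid": "ab98dbe1-9ed7-4e46-aae8-ca02ec68204e"},
            "serviceaccount": {"name": "default",
                               "uid": "00000000-0000-0000-0000-000000000000"},  # placeholder
        },
        "sub": "system:serviceaccount:default:default",
    }
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(payload).encode()),
                     _b64url_encode(b"not-a-real-signature")])


if __name__ == "__main__":
    now = int(time.time())
    print(json.dumps(summarize(make_sample_token(now), now), indent=2))
```

To inspect the real token from inside the Pod, pass the contents of /var/run/secrets/kubernetes.io/serviceaccount/token to summarize() instead of the sample. The sub claim, system:serviceaccount:default:default, is exactly the user name that appears in the 403 message further down; the aud and kubernetes.io.pod claims are what make the projected token useless against other audiences and after the Pod is deleted, which is the practical reason to prefer it over a legacy token Secret.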
Now check which API server resources the token projected into the container can reach:
$ kubectl exec -it nginx -- sh
# Point to the internal API server hostname
APISERVER=https://kubernetes.default.svc
# Path to ServiceAccount token
SERVICEACCOUNT=/var/run/secrets/kubernetes.io/serviceaccount
# Read this Pod's namespace
NAMESPACE=$(cat ${SERVICEACCOUNT}/namespace)
# Read the ServiceAccount bearer token
TOKEN=$(cat ${SERVICEACCOUNT}/token)
# Reference the internal certificate authority (CA)
CACERT=${SERVICEACCOUNT}/ca.crt
# Explore the API with TOKEN
$ curl --cacert ${CACERT} --header "Authorization: Bearer ${TOKEN}" -X GET ${APISERVER}/api
{
"kind": "APIVersions",
"versions": [
"v1"
],
"serverAddressByClientCIDRs": [
{
"clientCIDR": "0.0.0.0/0",
"serverAddress": "192.168.0.41:6443"
}
]
}
$ curl --cacert ${CACERT} \
--header "Authorization: Bearer ${TOKEN}" -X GET ${APISERVER}/versions
{
"kind": "Status",
"apiVersion": "v1",
"metadata": {
},
"status": "Failure",
"message": "forbidden: User \"system:serviceaccount:default:default\" cannot get path \"/versions\"",
"reason": "Forbidden",
"details": {
},
"code": 403
}
So the default ServiceAccount can do essentially nothing beyond API discovery. GET /api succeeded only because every authenticated principal is bound to system:discovery; /versions was refused, and since that path is not even a real endpoint (authorization runs before routing), the 403 mainly shows that the ServiceAccount holds no wildcard on non-resource URLs. A more telling check is a request for ${APISERVER}/api/v1/namespaces/${NAMESPACE}/pods, which is also refused with 403, or from outside the Pod kubectl auth can-i --list --as=system:serviceaccount:default:default. Workloads that need permissions should get their own ServiceAccount with a narrowly scoped Role, and Pods that do not need the API at all should set automountServiceAccountToken: false so that no token is projected into them in the first place.
References:
(1) 《深入剖析Kubernetes》, 张磊
(2) 《Kubernetes权威指南 第5版》
Source: https://www.cnblogs.com/cosmos-wong/p/16892038.html