
k8s rbac手動創建sa並在pod使用


手動創建 sa 並指定 pod 使用這個 sa 的操作記錄

創建新的namespace和sa

[root@k8s-master2 ~]# kubectl create namespace test
namespace "test" created
[root@k8s-master2 ~]# kubectl create sa test -n test
serviceaccount "test" created
[root@k8s-master2 ~]# kubectl get namespace
NAME          STATUS    AGE
default       Active    21d
kube-public   Active    21d
kube-system   Active    21d
monitoring    Active    7d
test          Active    20s
[root@k8s-master2 ~]# kubectl get sa
NAME      SECRETS   AGE
default   1         21d
[root@k8s-master2 ~]# kubectl get sa -n test
NAME      SECRETS   AGE
default   1         30s
test      1         15s
[root@k8s-master2 ~]#

檢查sa的信息

[root@k8s-master2 ~]# kubectl get sa test -n test -o yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  creationTimestamp: 2018-09-19T07:01:03Z
  name: test
  namespace: test
  resourceVersion: "439278"
  selfLink: /api/v1/namespaces/test/serviceaccounts/test
  uid: c5aab127-bbd9-11e8-a6ee-000c29bd652e
secrets:
- name: test-token-2drbf
[root@k8s-master2 ~]#

見下,ca.crt 和 token 在創建 sa 時默認就已經生成在對應的 secret 中;這個 token 是長期有效的憑證,持有它就能以該 sa 的權限訪問 API,因此這個 secret 需要妥善保護。

[root@k8s-master2 ~]# kubectl get secret test-token-2drbf -n test
NAME               TYPE                                  DATA      AGE
test-token-2drbf   kubernetes.io/service-account-token   3         1m
[root@k8s-master2 ~]# kubectl get secret test-token-2drbf -n test -o yaml
apiVersion: v1
data:
  ca.crt: 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
  namespace: dGVzdA==
  token: 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
kind: Secret
metadata:
  annotations:
    kubernetes.io/service-account.name: test
    kubernetes.io/service-account.uid: c5aab127-bbd9-11e8-a6ee-000c29bd652e
  creationTimestamp: 2018-09-19T07:01:03Z
  name: test-token-2drbf
  namespace: test
  resourceVersion: "439277"
  selfLink: /api/v1/namespaces/test/secrets/test-token-2drbf
  uid: c5c45a22-bbd9-11e8-bc4d-000c29424904
type: kubernetes.io/service-account-token
[root@k8s-master2 ~]#

配置新建 sa 的 ClusterRole 和 ClusterRoleBinding。注意這裏用的是 ClusterRoleBinding,授予的是對所有 namespace 中 endpoints/services/pods/namespaces 的 list/watch 權限;若只需要訪問 test namespace,改用 Role 和 RoleBinding 可以把權限收窄到單個 namespace。metadata 中的 kubernetes.io/bootstrapping、addonmanager.kubernetes.io/mode 標籤和 autoupdate 註解是從系統默認角色複製來的,自定義角色並不需要。

[root@k8s-master2 ~]# cat test1clusterrole.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
    addonmanager.kubernetes.io/mode: Reconcile
  name: test:test
rules:
- apiGroups:
  - ""
  resources:
  - endpoints
  - services
  - pods
  - namespaces
  verbs:
  - list
  - watch

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
    addonmanager.kubernetes.io/mode: EnsureExists
  name: test:test
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: test:test
subjects:
- kind: ServiceAccount
  name: test
  namespace: test

用新建sa跑pod

[root@k8s-master2 ~]# cat test1.yaml
kind: Service
apiVersion: v1
metadata:
  name: t1
  namespace: test
spec:
  selector:
    app: t1
  ports:
  - protocol: TCP
    port: 80
  type: ClusterIP

---
apiVersion: apps/v1beta1
kind: Deployment
metadata:
  name: t1
  namespace: test
spec:
  replicas: 3
  selector:
    matchLabels:
      app: t1
  template:
    metadata:
      labels:
        app: t1
        name: t1
    spec:
      serviceAccountName: test
      containers:
      - image: httpd
        name: t1
[root@k8s-master2 ~]#
[root@k8s-master2 ~]# kubectl apply -f test1.yaml
service "t1" created
deployment.apps "t1" created

pod 和 service 都起來了

[root@k8s-master2 ~]# kubectl get pod,svc -n test
NAME                      READY    STATUS    RESTARTS  AGE
pod/t1-6b8bc99585-bcc76  1/1      Running  0          1m
pod/t1-6b8bc99585-nvvbc  1/1      Running  0          1m
pod/t1-6b8bc99585-z2ft9  1/1      Running  0          1m

NAME        TYPE        CLUSTER-IP      EXTERNAL-IP  PORT(S)  AGE
service/t1  ClusterIP  10.254.156.160  <none>        80/TCP    1m
[root@k8s-master2 ~]#

檢查下 pod 裏用的 sa
見下,可以看到 pod 使用了我們新建的 sa test,其 token 被掛載到容器內的 /var/run/secrets/kubernetes.io/serviceaccount;容器內的任何進程都能用這個 token 以上面 ClusterRole 授予的權限訪問 API,所以 sa 的權限應只給到 pod 實際需要的範圍。

[root@k8s-master2 ~]# kubectl get pod t1-6b8bc99585-z2ft9 -o yaml -n test
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: 2018-09-19T08:12:24Z
  generateName: t1-6b8bc99585-
  labels:
    app: t1
    name: t1
    pod-template-hash: "2646755141"
  name: t1-6b8bc99585-z2ft9
  namespace: test
  ownerReferences:
  - apiVersion: extensions/v1beta1
    blockOwnerDeletion: true
    controller: true
    kind: ReplicaSet
    name: t1-6b8bc99585
    uid: bd100daa-bbe3-11e8-a6ee-000c29bd652e
  resourceVersion: "446151"
  selfLink: /api/v1/namespaces/test/pods/t1-6b8bc99585-z2ft9
  uid: bd44312f-bbe3-11e8-a6ee-000c29bd652e
spec:
  containers:
  - image: httpd
    imagePullPolicy: Always
    name: t1
    resources: {}
    terminationMessagePath: /dev/termination-log
    terminationMessagePolicy: File
    volumeMounts:
    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      name: test-token-sqscc
      readOnly: true
  dnsPolicy: ClusterFirst
  nodeName: k8s-master1
  restartPolicy: Always
  schedulerName: default-scheduler
  securityContext: {}
  serviceAccount: test
  serviceAccountName: test
  terminationGracePeriodSeconds: 30
  tolerations:
  - effect: NoExecute
    key: node.kubernetes.io/not-ready
    operator: Exists
    tolerationSeconds: 300
  - effect: NoExecute
    key: node.kubernetes.io/unreachable
    operator: Exists
    tolerationSeconds: 300
  volumes:
  - name: test-token-sqscc
    secret:
      defaultMode: 420
      secretName: test-token-sqscc
status:
  conditions:
  - lastProbeTime: null
    lastTransitionTime: 2018-09-19T08:12:24Z
    status: "True"
    type: Initialized
  - lastProbeTime: null
    lastTransitionTime: 2018-09-19T08:12:32Z
    status: "True"
    type: Ready
  - lastProbeTime: null
    lastTransitionTime: 2018-09-19T08:12:24Z
    status: "True"
    type: PodScheduled
  containerStatuses:
  - containerID: docker://8725d70ccaf3374f54186d122e7ef479cada1f3aca5b416648e7f7d6a3067912
    image: httpd:latest
    imageID: docker-pullable://httpd@sha256:1ff11a7a625361f809065e5a421b69ce74e930a34f588320b957ca12a439e1c1
    lastState: {}
    name: t1
    ready: true
    restartCount: 0
    state:
      running:
        startedAt: 2018-09-19T08:12:31Z
  hostIP: 192.168.211.128
  phase: Running
  podIP: 172.30.2.5
  qosClass: BestEffort
  startTime: 2018-09-19T08:12:24Z
[root@k8s-master2 ~]#
