RBAC ServiceAccount hands-on
  1D6o7E39IQo1 November 2, 2023
Create the ServiceAccount
apiVersion: v1
kind: ServiceAccount
metadata:
  name: sa-test
Create the Role
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: sa-test
rules:
- apiGroups: [""]
  resources: ["pods","pods/log"]
  verbs: ["get","watch","list"]
Create the RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: sa-test-rolebinding
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: sa-test
subjects:
- namespace: default
  kind: ServiceAccount
  name: sa-test
Create the Pod
apiVersion: v1
kind: Pod
metadata:
  name: sa-test
  labels:
    app: sa
spec:
  serviceAccountName: sa-test
  containers:
  - name: sa-nginx
    image: nginx
    imagePullPolicy: IfNotPresent
    ports:
    - containerPort: 80
Run inside the Pod
root@sa-test:/run/secrets/kubernetes.io/serviceaccount# curl --cacert ./ca.crt -H "Authorization: Bearer $(cat ./token)" https://kubernetes/api/v1/namespaces/default/pods/sa-test/log 
/docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
/docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
/docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
10-listen-on-ipv6-by-default.sh: info: Getting the checksum of /etc/nginx/conf.d/default.conf
10-listen-on-ipv6-by-default.sh: info: Enabled listen on IPv6 in /etc/nginx/conf.d/default.conf
/docker-entrypoint.sh: Sourcing /docker-entrypoint.d/15-local-resolvers.envsh
/docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
/docker-entrypoint.sh: Launching /docker-entrypoint.d/30-tune-worker-processes.sh
/docker-entrypoint.sh: Configuration complete; ready for start up
2023/09/07 08:27:14 [notice] 1#1: using the "epoll" event method
2023/09/07 08:27:14 [notice] 1#1: nginx/1.25.2
2023/09/07 08:27:14 [notice] 1#1: built by gcc 12.2.0 (Debian 12.2.0-14) 
2023/09/07 08:27:14 [notice] 1#1: OS: Linux 6.2.0-32-generic
2023/09/07 08:27:14 [notice] 1#1: getrlimit(RLIMIT_NOFILE): 1048576:1048576
2023/09/07 08:27:14 [notice] 1#1: start worker processes
2023/09/07 08:27:14 [notice] 1#1: start worker process 30
2023/09/07 08:27:14 [notice] 1#1: start worker process 31
2023/09/07 08:27:14 [notice] 1#1: start worker process 32
2023/09/07 08:27:14 [notice] 1#1: start worker process 33
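
The following is an added example, not part of the original post: a simplified Python model of how the API server turns a request such as the curl call above into RBAC attributes and checks it against the Role sa-test, so you can see which requests the mounted token can and cannot make. The function names and data layout are assumptions of this example; resourceNames, nonResourceURLs, named API groups and ClusterRoles are not modelled.

```python
# Simplified model of RBAC matching for namespaced core-group ("/api/v1") requests.
from urllib.parse import urlsplit, parse_qs

# The Role and RoleBinding from this page, transcribed as Python data.
ROLE = {"namespace": "default",
        "rules": [{"apiGroups": [""],
                   "resources": ["pods", "pods/log"],
                   "verbs": ["get", "watch", "list"]}]}
BINDING_SUBJECT = ("default", "sa-test")  # (namespace, ServiceAccount name)
WRITE_VERBS = {"POST": "create", "PUT": "update", "PATCH": "patch", "DELETE": "delete"}

def request_attributes(method, url):
    """Map an HTTP request to (namespace, resource[/subresource], verb)."""
    parts = urlsplit(url)
    seg = [s for s in parts.path.split("/") if s]
    if seg[:3] != ["api", "v1", "namespaces"] or len(seg) < 5:
        raise ValueError("only /api/v1/namespaces/<ns>/<resource>... is modelled")
    namespace, resource, rest = seg[3], seg[4], seg[5:]
    named = len(rest) >= 1
    if len(rest) >= 2:  # e.g. pods/<name>/log is authorized as "pods/log"
        resource = f"{resource}/{rest[1]}"
    if method == "GET":
        if parse_qs(parts.query).get("watch") == ["true"]:
            verb = "watch"
        else:
            verb = "get" if named else "list"
    else:
        verb = WRITE_VERBS[method]
        if verb == "delete" and not named:
            verb = "deletecollection"
    return namespace, resource, verb

def allowed(subject, method, url, role=ROLE, bound=BINDING_SUBJECT):
    """True if the Role, bound to `bound`, authorizes this request for `subject`."""
    namespace, resource, verb = request_attributes(method, url)
    if subject != bound or namespace != role["namespace"]:
        return False  # a Role only applies inside its own namespace
    return any(("*" in r["apiGroups"] or "" in r["apiGroups"])
               and ("*" in r["resources"] or resource in r["resources"])
               and ("*" in r["verbs"] or verb in r["verbs"])
               for r in role["rules"])

if __name__ == "__main__":
    base = "https://kubernetes/api/v1/namespaces/"
    for method, path in [("GET", "default/pods/sa-test/log"), ("GET", "default/secrets"),
                         ("POST", "default/pods/sa-test/exec"), ("GET", "kube-system/pods")]:
        print(method, path, "->", allowed(BINDING_SUBJECT, method, base + path))
```

On a live cluster, the same questions can be put to the API server with kubectl auth can-i and --as=system:serviceaccount:default:sa-test.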


Last edited on November 8, 2023
