概念
SA账号是Pod内的进程使用的关联服务账号的身份,向集群的 API 服务器进行身份认证。
SA(服务账号)是针对运行在 Pod 中的应用进程而言的, 在 Kubernetes中这些进程运行在容器中,而容器是 Pod 的一部分
配置SA
apiVersion: v1
kind: ServiceAccount
metadata:
name: sa-test
namespace: rbac
resourceVersion: "2023061602"
配置Role,授予操作权限
[root@k8smaster4 sa]# cat rbac-demo01.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: role-demo
namespace: rbac
labels:
environment: test
app: nginx-demo
rules:
- apiGroups: [""]
resources: ["pods","pods/log"]
verbs: ["get","watch","list"]
关联SA和Role,配置Rolebinding
[root@k8smaster4 sa]# cat role-sa.yml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: sa-test-1
namespace: rbac
subjects:
- name: sa-test
kind: ServiceAccount
roleRef:
name: role-demo
kind: Role
关联SA和Pod,授权访问Pod资源
apiVersion: v1
kind: Pod
metadata:
name: sa-test-demo
namespace: rbac
labels:
environment: test
app: mynginx
spec:
serviceAccountName: sa-test
containers:
- name: my-nginx
image: nginx
imagePullPolicy: IfNotPresent
ports:
- containerPort: 80
name: my-nginx
进入Pod容器,测试访问权限
非授权操作范围,提示 forbidden 及 403
授权范围,返回查询结果
