只为Kubernetes中的某些Pod启用ServiceAccounts
[英]Only enable ServiceAccounts for some pods in Kubernetes
问题描述
I use the Kubernetes ServiceAccount plugin to automatically inject a ca.crt and token in to my pods. 
我使用Kubernetes ServiceAccount插件自动将ca.crt和令牌注入到我的Pod中。 This is useful for applications such as kube2sky which need to access the API Server. 这对于需要访问API服务器的应用程序(例如kube2sky)很有用。
However, I run many hundreds of other pods that don't need this token. 但是,我运行了数百个不需要此令牌的其他Pod。 Is there a way to stop the ServiceAccount plugin from injecting the default-token in to these pods (or, even better, have it off by default and turn it on explicitly for a pod)? 有没有一种方法可以阻止ServiceAccount插件将默认令牌注入到这些Pod中(或者更好的是,默认情况下将其关闭并为Pod显式打开它)?
2 个解决方案
解决方案1
2 已采纳 2017-08-29 19:43:14
As of Kubernetes 1.6+ you can now disable automounting API credentials for a particular pod as stated in the Kubernetes Service Accounts documentation 从Kubernetes 1.6+开始,您现在可以按照Kubernetes服务帐户文档中所述为特定的pod禁用自动挂载API凭据
apiVersion: v1
kind: Pod
metadata:
name: my-pod
spec:
serviceAccountName: build-robot
automountServiceAccountToken: false
...
解决方案2
1 2016-05-17 14:53:53
Right now there isn't a way to enable a service account for some pods but not others, although you can use ABAC to for some service accounts to restrict access to the apiserver. 尽管您可以对某些服务帐户使用ABAC来限制对apiserver的访问,但是目前没有一种方法可以为某些容器启用服务帐户,但不能为其他容器启用服务帐户。
This issue is being discussed in https://github.com/kubernetes/kubernetes/issues/16779 and I'd encourage you to add your use can to that issue and see when it will be implemented. 这个问题将在https://github.com/kubernetes/kubernetes/issues/16779中进行讨论,我鼓励您向该问题中添加您的使用罐,并查看何时实施。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.