How can I create a service account for all namespaces in a kubernetes cluster?
So I have namespaces
ns1, ns2, ns3, and ns4.
I have a service account sa1 in ns1. I am deploying pods to ns2, ns4 that use sa1.
When I look at the logs it tells me that the sa1 in ns2 can't be found.
error:
Error creating: pods "web-test-2-795f5fd489-" is forbidden: error looking up service account ns2/sa: serviceaccount "sa" not found
Is there a way to make service accounts cluster wide? Or, can I create multiple service accounts with the same secret in different namespaces?
No, there is no way to create a cluster-wide service account, as a service account is a namespace-scoped resource. This follows the principle of least privilege.
You can create a service account with the same name (for example default) in all the necessary namespaces where you are deploying pods pretty easily by applying the service account yaml targeting those namespaces.
Then you can deploy the pod using yaml. This way you don't need to change anything in the pod because the service account name is the same, although it will have a different secret, and that should not matter as long as you have defined RBAC via role and rolebinding for all the service accounts across those namespaces.
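The per-namespace approach in the answer above, as an added example that is not part of the original answer: a small shell generator that renders a same-named ServiceAccount plus a namespaced Role and RoleBinding into every namespace you pass it, so the pod spec can keep `serviceAccountName: sa1` unchanged. The Role contents (read-only on pods and configmaps) and the `automountServiceAccountToken: false` default are my assumptions; replace them with what the workload actually needs.

```shell
#!/usr/bin/env bash
# Added example, not code from the original answer. Renders the same
# ServiceAccount name into each target namespace together with a namespaced
# Role and RoleBinding, so RBAC is granted per namespace rather than cluster-wide.
# The Role rules below are an assumed placeholder (read-only on pods/configmaps).
set -eu

# render_sa_rbac <sa-name> <namespace>...
# Prints one multi-document YAML stream covering all given namespaces.
render_sa_rbac() {
  sa="$1"; shift
  for ns in "$@"; do
    cat <<EOF
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ${sa}
  namespace: ${ns}
# Assumed hardening: pods that need the API token opt in with
# automountServiceAccountToken: true in their own spec.
automountServiceAccountToken: false
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ${sa}-reader
  namespace: ${ns}
rules:
- apiGroups: [""]
  resources: ["pods", "configmaps"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ${sa}-reader
  namespace: ${ns}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ${sa}-reader
subjects:
- kind: ServiceAccount
  name: ${sa}
  namespace: ${ns}
EOF
  done
}

# count_kind <kind>: reads a manifest stream on stdin and counts top-level
# documents of exactly that kind (the trailing $ keeps Role from matching RoleBinding).
count_kind() {
  grep -c "^kind: $1\$" || true
}

# Usage: ./render-sa.sh sa1 ns2 ns4 | kubectl apply -f -
if [ "$#" -ge 2 ]; then
  render_sa_rbac "$@"
fi
```

Because the RoleBinding lives in the same namespace as the Role and the ServiceAccount, a token from `ns2/sa1` cannot read anything in `ns4`, which is the least-privilege property the answer is pointing at.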
While service accounts cannot be cluster scoped, you can have clusterrole and clusterrolebinding, which are cluster scoped.
You can use that:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kubernetes-enforce
rules:
# pods live in the core API group (""), deployments and daemonsets in "apps";
# listing only "apps" would silently grant nothing on pods.
- apiGroups: ["", "apps"]
  resources: ["deployments", "pods", "daemonsets"]
  verbs: ["get", "list", "watch", "patch"]
- apiGroups: ["*"]
  resources: ["namespaces"]
  verbs: ["get", "list", "watch"]
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: kubernetes-enforce
  namespace: kube-system
---
# A RoleBinding that references a ClusterRole grants its rules only inside
# the binding's own namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: kubernetes-enforce-logging
  namespace: cattle-logging
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kubernetes-enforce
subjects:
- kind: ServiceAccount
  name: kubernetes-enforce
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: kubernetes-enforce-prome
  namespace: cattle-prometheus
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kubernetes-enforce
subjects:
- kind: ServiceAccount
  name: kubernetes-enforce
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: kubernetes-enforce-system
  namespace: cattle-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kubernetes-enforce
subjects:
- kind: ServiceAccount
  name: kubernetes-enforce
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: kubernetes-enforce-default
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kubernetes-enforce
subjects:
- kind: ServiceAccount
  name: kubernetes-enforce
  namespace: kube-system
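After applying manifests like the ones above, verify what the service account can actually do rather than trusting the YAML. The following is an added example, not part of the original answer: it impersonates the `kube-system/kubernetes-enforce` account with `kubectl auth can-i --as=system:serviceaccount:<ns>:<name>` and compares the answers against an expectation table. The table is constructed for this page's manifests (bound namespaces answer yes for the ClusterRole's verbs; `delete`, and any namespace without a RoleBinding, answer no); `ns-other` is an assumed unbound namespace and `KUBECTL` is an override hook so the logic can be exercised without a cluster.

```shell
#!/usr/bin/env bash
# Added example, not code from the original answer: check the effective RBAC
# of a service account by impersonating it with `kubectl auth can-i`.
# The expectation table is constructed for the kubernetes-enforce manifests
# on this page; "ns-other" is an assumed namespace with no RoleBinding.
set -eu

KUBECTL="${KUBECTL:-kubectl}"   # override to stub kubectl when testing offline

# sa_subject <sa-namespace> <sa-name>
# Prints the username a ServiceAccount token authenticates as in RBAC.
sa_subject() {
  printf 'system:serviceaccount:%s:%s\n' "$1" "$2"
}

# can_i <sa-namespace> <sa-name> <target-namespace> <verb> <resource>
# Prints "yes" or "no" as reported by kubectl; its non-zero exit for "no" is ignored.
can_i() {
  sa_ns="$1"; sa="$2"; ns="$3"; verb="$4"; resource="$5"
  "$KUBECTL" auth can-i "$verb" "$resource" \
      --as="$(sa_subject "$sa_ns" "$sa")" -n "$ns" 2>/dev/null || true
}

# check_matrix <sa-namespace> <sa-name> <table>
# <table> has one row per line: "<namespace> <verb> <resource> <yes|no>".
# Prints each mismatch and returns 1 if any row disagrees with the cluster.
check_matrix() {
  sa_ns="$1"; sa="$2"; table="$3"; rc=0
  while read -r ns verb res want; do
    [ -z "$ns" ] && continue
    got="$(can_i "$sa_ns" "$sa" "$ns" "$verb" "$res")"
    if [ "$got" != "$want" ]; then
      printf 'MISMATCH %s: %s %s -> got %s, want %s\n' \
        "$ns" "$verb" "$res" "${got:-<none>}" "$want"
      rc=1
    fi
  done <<EOF
$table
EOF
  return $rc
}

# Constructed expectation for the kubernetes-enforce ClusterRole and its
# per-namespace RoleBindings: read/patch in bound namespaces, nothing else.
EXPECTED='cattle-logging get pods yes
cattle-system patch deployments yes
cattle-logging delete pods no
ns-other get pods no'

# Usage: ./check-rbac.sh run   (needs impersonate rights, e.g. a cluster-admin kubeconfig)
if [ "${1:-}" = "run" ]; then
  check_matrix kube-system kubernetes-enforce "$EXPECTED" && echo "RBAC matches expectations"
fi
```

Impersonation itself is an RBAC-controlled action (the `impersonate` verb on serviceaccounts), so run the check from an administrative kubeconfig. The `no` rows are the ones worth keeping: they prove that the RoleBinding-to-ClusterRole pattern really confines the account to the namespaces you listed.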
If your namespaces for example are in values.yaml (that is, they are somehow dynamic), you could do:
apiVersion: v1
kind: List
items:
{{- range $namespace := .Values.namespaces }}
- kind: ServiceAccount
  apiVersion: v1
  metadata:
    name: <YourAccountName>
    namespace: {{ $namespace }}
{{- end }}
where in values.yaml you would have:
namespaces:
- namespace-a
- namespace-b
- default
# define a clusterrole.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: supercr
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
# define a serviceaccount
apiVersion: v1
kind: ServiceAccount
metadata:
  name: supersa
  namespace: namespace-1
---
# bind serviceaccount to clusterrole
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: supercrb
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: supercr
subjects:
- kind: ServiceAccount
  name: supersa
  namespace: namespace-1
Please note serviceaccount is namespaced. You can't create a cluster-wide serviceaccount. However, you can bind a serviceaccount to a clusterrole with permissions to all api resources.
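A ClusterRole that wildcards both apiGroups and resources and grants every verb, bound through a ClusterRoleBinding as above, is equivalent to cluster-admin for that service account. The following added check (not part of the original answer) is a pre-apply lint for hand-written, flow-style manifests like the ones on this page: it prints every Role or ClusterRole whose rules wildcard both `apiGroups` and `resources` while granting `*` or a write verb. The sample input is constructed from this page's two ClusterRoles, and the scanner is line-oriented awk that assumes this page's layout (a rule begins at `- apiGroups:`, lists are written inline); it is a heuristic, not a YAML parser.

```shell
#!/usr/bin/env bash
# Added example, not code from the original answer: flag Role/ClusterRole rules
# that wildcard both apiGroups and resources while granting "*" or a write verb.
# Heuristic, line-oriented awk for flow-style manifests like the ones on this
# page (rule starts at "- apiGroups:", lists inline); it is not a YAML parser.
set -eu

# lint_wildcards: reads a YAML manifest stream on stdin, prints "<kind>/<name>"
# for each flagged role and returns 1 if anything was flagged, otherwise 0.
lint_wildcards() {
  awk '
    function flush() {
      if (kind ~ /Role$/ && flagged) { print kind "/" name; hits++ }
      kind = ""; name = ""; flagged = 0; grp = 0; res = 0
    }
    /^---/                   { flush(); next }
    /^ *kind:/               { kind = $2 }
    /^ *name:/ && name == "" { name = $2 }                   # first name: is metadata.name
    /^ *- apiGroups:/        { grp = ($0 ~ /"\*"/); res = 0 } # a new rule begins
    /^ *resources:/          { res = ($0 ~ /"\*"/) }
    /^ *verbs:/              { if (grp && res && $0 ~ /"(\*|create|update|patch|delete)"/) flagged = 1 }
    END                      { flush(); exit (hits ? 1 : 0) }
  '
}

# Constructed sample: the read-only kubernetes-enforce ClusterRole and the
# wildcard supercr ClusterRole from this page. Only supercr should be flagged.
SAMPLE='apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kubernetes-enforce
rules:
- apiGroups: ["", "apps"]
  resources: ["deployments", "pods", "daemonsets"]
  verbs: ["get", "list", "watch", "patch"]
- apiGroups: ["*"]
  resources: ["namespaces"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: supercr
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]'

# Usage: lint_wildcards < rbac.yaml && kubectl apply -f rbac.yaml
# Run with "--sample" to scan the constructed sample above (exits 1: supercr is flagged).
if [ "${1:-}" = "--sample" ]; then
  printf '%s\n' "$SAMPLE" | lint_wildcards
fi
```

For roles that are already live, the authoritative check is the API server itself: `kubectl auth can-i '*' '*' --as=system:serviceaccount:namespace-1:supersa` answers yes exactly when the account is effectively cluster-admin.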