
Can a pod with default ServiceAccount deploy pods in another cluster?

I have a Kubernetes question.

We have a master pod that can deploy other pods depending on the REST endpoint called. For example, if someone calls "/start_work" endpoint, it can deploy a worker pod to do the work related with this request.

This master pod is deployed with default ServiceAccount, and to allow it to deploy other pods, we had to give it cluster-admin access. We used ClusterRoleBinding to tie the default ServiceAccount to a cluster-admin role.

However, we have a more challenging problem now where our master pod is running in one cluster, but the worker pod needs to be deployed in another cluster. Does this sound achievable? Giving the default ServiceAccount cluster-admin access can't help us if we're talking about another cluster, right?

Has anyone done this before? How did you achieve this?

Thanks a ton.

However, we have a more challenging problem now where our master pod is running in one cluster, but the worker pod needs to be deployed in another cluster. Does this sound achievable?

Certainly, yes; you are free to provide credentials via any number of supported mechanisms that would give the Pod a well-formed KUBECONFIG that can talk to the remote cluster at whatever access level of your comfort. By default the injected ServiceAccount is trusted by only its own cluster, but there are seemingly infinite ways of providing the component parts or a fully formed KUBECONFIG into a Pod's filesystem, and then you're off to the races.

Giving the default ServiceAccount cluster-admin access can't help us if we're talking about another cluster, right?

That depends (is always the answer!) on whether the two clusters share a common CA root; if the answer is yes, then yes, cluster-admin on one will become cluster-admin on both. The Subject is determined by the CN= (and sometimes OU= / O=) of the presented x509 certificate, and its validity is determined by the chain-of-trust between the presented certificate and the api-server of the cluster.
