stackoom
  简体   繁体   中英

why does a service account can create pods when it's not allowed in kubernetes?

 原文  2020-09-02 19:40:17       kubernetes

Question

I have the following deployment spec:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: sa-dep-non-root 
spec:
  selector:
    matchLabels:
      app: sa-dep-non-root # has to match .spec.template.metadata.labels
  #replicas: 3 # by default is 1
  template:
    metadata:
      labels:
        app: sa-dep-non-root # has to match .spec.selector.matchLabels
    spec:
      serviceAccountName: simon-sa
      securityContext:
        runAsUser: 1000
      tolerations:
      - key: "type"
        operator: "Equal"
        value: "ops"
        effect: "NoSchedule"
      containers:
      - name: sa-dep-non-root
        image: k8s.gcr.io/nginx-slim:0.8
        ports:
        - containerPort: 80
          name: sa-dep-non-root

The deployment and its corresponding pods gets created properly when running: kubectl apply -f simon-sa-deployment-non-root.yaml -n test-ns I was not expecting this to work, as I am setting the serviceAccountName to simon-sa which does not have permissions to create pods:

Simons-MBP:test simon$ kubectl  --as=system:serviceaccount:test-ns:simon-sa auth can-i create pods -n test-ns
no

My understanding is that when no serviceAccountName is specified, then it's the k8s controller manager (through some clusterrolebindings with the correct permissions like system:controller:replicaset-controller) the one that creates the pods, and it's not actually my own user in which I am authenticated the one that creates the pods for that deployment.

My other understanding is that this behavior can be overriden when specifying serviceAccountName in the pod definition. In this case, the pods are not created by the controller manager, but instead for the specified serviceAccountName. Since the serviceAccountName that I specified does not have permissions to create pods, this should have failed. Do I have the concepts mixed here?

1 answers

solution1
 2 ACCPTED  2020-09-02 20:08:00

ServiceAccounts are permissions for the pod, what you are doing is assigning this permission to the pod you are instantiating in the deployment, so kubectl apply -f simon-sa-deployment-non-root.yaml -n test-ns will use the permissions that your user is logged in with kubectl api server, so if you do a kubectl auth can-i create deployments --namespace test-ns it will return Yes.

So maybe what you are trying to do is create an user that will have read only access to the cluster which is done with cluster roles and not service account which are scoped to pods.

Or let me know what is you are trying to do and i can explain

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Why does Kubernetes create 1000's of pods when replicas are only set for 2 Why does Istio require Pods belong to at least one Service in Kubernetes? Can't create pods in kubernetes why i can't create pods a a user with enough permissions in kubernetes Why can't other pods connect to Cloud SQL through Kubernetes proxy and service when portforwarding to the proxy and the service works? How to create a service account to get a list of pods from inside a Kubernetes cluster? Kubernetes service does not distribute requests between pods Why the pods running with a service account with needed permissions cannot list pods? Grant Kubernetes service account privileges to get pods from all namespaces how can I create a service account for all namespaces in a kubernetes cluster?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM