I have the following deployment spec:
apiVersion: apps/v1
kind: Deployment
metadata:
name: sa-dep-non-root
spec:
selector:
matchLabels:
app: sa-dep-non-root # has to match .spec.template.metadata.labels
#replicas: 3 # by default is 1
template:
metadata:
labels:
app: sa-dep-non-root # has to match .spec.selector.matchLabels
spec:
serviceAccountName: simon-sa
securityContext:
runAsUser: 1000
tolerations:
- key: "type"
operator: "Equal"
value: "ops"
effect: "NoSchedule"
containers:
- name: sa-dep-non-root
image: k8s.gcr.io/nginx-slim:0.8
ports:
- containerPort: 80
name: sa-dep-non-root
The deployment and its corresponding pods gets created properly when running: kubectl apply -f simon-sa-deployment-non-root.yaml -n test-ns
I was not expecting this to work, as I am setting the serviceAccountName to simon-sa
which does not have permissions to create pods:
Simons-MBP:test simon$ kubectl --as=system:serviceaccount:test-ns:simon-sa auth can-i create pods -n test-ns
no
My understanding is that when no serviceAccountName
is specified, then it's the k8s controller manager (through some clusterrolebindings with the correct permissions like system:controller:replicaset-controller) the one that creates the pods, and it's not actually my own user in which I am authenticated the one that creates the pods for that deployment.
My other understanding is that this behavior can be overriden when specifying serviceAccountName
in the pod definition. In this case, the pods are not created by the controller manager, but instead for the specified serviceAccountName. Since the serviceAccountName that I specified does not have permissions to create pods, this should have failed. Do I have the concepts mixed here?
ServiceAccounts
are permissions for the pod, what you are doing is assigning this permission to the pod you are instantiating in the deployment, so kubectl apply -f simon-sa-deployment-non-root.yaml -n test-ns
will use the permissions that your user is logged in with kubectl
api server, so if you do a kubectl auth can-i create deployments --namespace test-ns
it will return Yes.
So maybe what you are trying to do is create an user that will have read only access to the cluster which is done with cluster roles and not service account which are scoped to pods.
Or let me know what is you are trying to do and i can explain
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.