手工为SA创建额外secret，并挂载到pod

默认情况下，系统会为每个servcieaccount（sa）创建一个对应的secret，这个secret里包含一个token，一般默认是ca证书。

https://v1-10.docs.kubernetes.io/docs/concepts/configuration/secret/ 文章说可以通过将sa挂载到pod上实现secret的自动挂载，这个地方其实有些问题，缺省自动产生的secret是可以自动被挂载到pod的。但是如果额外为这个sa创建的secret是不能自动挂载到pod上的（因为系统都不知道你要挂到哪里去），默认情况下pod只自动挂载sa中的第一个mountable的secret-一般也就是系统自动产生的那个secret。

测试步骤：

1. 创建一个sa
   kubectl create sa ljtest
   
   [root@k8s-master cka]# kubectl describe sa ljtest Name: ljtest Namespace: default Labels: <none> Annotations: <none> Image pull secrets: <none> Mountable secrets: ljtest-token-s7x8k Tokens: ljtest-token-s7x8k Events: <none>

   1 2 3 4 5 6 7 8 9 10

   [root@k8s-master cka]# kubectl describe sa ljtest Name:                ljtest Namespace:           default Labels:              <none> Annotations:         <none> Image pull secrets:  <none> Mountable secrets:   ljtest-token-s7x8k Tokens:              ljtest-token-s7x8k   Events:              <none>

2. 为该sa额外创建一个secret
   
   [root@k8s-master cka]# cat sa-ljtest-secert.yaml apiVersion: v1 kind: Secret metadata: name: ljtestsecrt annotations: kubernetes.io/service-account.name: ljtest type: kubernetes.io/service-account-token data: username: YWRtaW4= password: MWYyZDFlMmU2N2Rm

   1 2 3 4 5 6 7 8 9 10 11

   [root@k8s-master cka]# cat sa-ljtest-secert.yaml apiVersion: v1 kind: Secret metadata:   name: ljtestsecrt   annotations:     kubernetes.io/service-account.name: ljtest type: kubernetes.io/service-account-token data:   username: YWRtaW4=   password: MWYyZDFlMmU2N2Rm

3. 创建完毕，这个secret不会自动关联到sa上，需要手工编辑sa kubectl edit sa ljtest
   
   # Please edit the object below. Lines beginning with a '#' will be ignored, # and an empty file will abort the edit. If an error occurs while saving this file will be # reopened with the relevant failures. # apiVersion: v1 kind: ServiceAccount metadata: creationTimestamp: 2018-08-11T08:44:31Z name: ljtest namespace: default resourceVersion: "446346" selfLink: /api/v1/namespaces/default/serviceaccounts/ljtest uid: c42e7e67-9d42-11e8-86b0-000c29850765 secrets: - name: ljtest-token-s7x8k - name: ljtestsecrt <<<<<<<<增加这个

   1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16

   # Please edit the object below. Lines beginning with a '#' will be ignored, # and an empty file will abort the edit. If an error occurs while saving this file will be # reopened with the relevant failures. # apiVersion: v1 kind: ServiceAccount metadata:   creationTimestamp: 2018-08-11T08:44:31Z   name: ljtest   namespace: default   resourceVersion: "446346"   selfLink: /api/v1/namespaces/default/serviceaccounts/ljtest   uid: c42e7e67-9d42-11e8-86b0-000c29850765 secrets: - name: ljtest-token-s7x8k - name: ljtestsecrt <<<<<<<<增加这个

   
   
   [root@k8s-master cka]# kubectl describe sa ljtest Name: ljtest Namespace: default Labels: <none> Annotations: <none> Image pull secrets: <none> Mountable secrets: ljtest-token-s7x8k ljtestsecrt Tokens: ljtest-token-s7x8k ljtestsecrt Events: <none>

   1 2 3 4 5 6 7 8 9 10 11

   [root@k8s-master cka]# kubectl describe sa ljtest Name:                ljtest Namespace:           default Labels:              <none> Annotations:         <none> Image pull secrets:  <none> Mountable secrets:   ljtest-token-s7x8k                      ljtestsecrt Tokens:              ljtest-token-s7x8k                      ljtestsecrt Events:              <none>

4. 创建pod，并关联这个sa
   
   [root@k8s-master cka]# cat pod-with-sa-ljtest.yaml kind: Pod apiVersion: v1 metadata: name: pod-with-sa-ljtest labels: name: pod-with-sa-ljtest spec: serviceAccount: ljtest containers: - name: nginx-sa-ljtest image: nginx

   1 2 3 4 5 6 7 8 9 10 11 12

   [root@k8s-master cka]# cat pod-with-sa-ljtest.yaml kind: Pod apiVersion: v1 metadata:   name: pod-with-sa-ljtest   labels:     name: pod-with-sa-ljtest spec:   serviceAccount: ljtest   containers:   - name: nginx-sa-ljtest     image: nginx

   
   创建完毕，会发现只是mount了系统自动产生的那个
   
   [root@k8s-master cka]# kubectl get pods pod-with-sa-ljtest -o yaml apiVersion: v1 kind: Pod metadata: creationTimestamp: 2018-08-11T09:08:51Z labels: name: pod-with-sa-ljtest name: pod-with-sa-ljtest namespace: default resourceVersion: "446503" selfLink: /api/v1/namespaces/default/pods/pod-with-sa-ljtest uid: 2a1b6688-9d46-11e8-86b0-000c29850765 spec: containers: - image: nginx imagePullPolicy: Always name: nginx-sa-ljtest resources: {} terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts: - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: ljtest-token-s7x8k readOnly: true dnsPolicy: ClusterFirst nodeName: k8s-master restartPolicy: Always schedulerName: default-scheduler securityContext: {} serviceAccount: ljtest serviceAccountName: ljtest terminationGracePeriodSeconds: 30 tolerations: - effect: NoExecute key: node.kubernetes.io/not-ready operator: Exists tolerationSeconds: 300 - effect: NoExecute key: node.kubernetes.io/unreachable operator: Exists tolerationSeconds: 300 volumes: - name: ljtest-token-s7x8k secret: defaultMode: 420 secretName: ljtest-token-s7x8k status: conditions: - lastProbeTime: null lastTransitionTime: 2018-08-11T09:08:51Z status: "True" type: Initialized - lastProbeTime: null lastTransitionTime: 2018-08-11T09:08:57Z status: "True" type: Ready - lastProbeTime: null lastTransitionTime: 2018-08-11T09:08:51Z status: "True" type: PodScheduled containerStatuses: - containerID: docker://7bbecc0852475ab6bcbf6dc619691909d401c3f3848fa1d325e1bf0e5fbae543 image: nginx:latest imageID: docker-pullable://nginx@sha256:d85914d547a6c92faa39ce7058bd7529baacab7e0cd4255442b04577c4d1f424 lastState: {} name: nginx-sa-ljtest ready: true restartCount: 0 state: running: startedAt: 2018-08-11T09:08:57Z hostIP: 172.16.199.100 phase: Running podIP: 10.244.0.36 qosClass: BestEffort startTime: 2018-08-11T09:08:51Z

   1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76

   [root@k8s-master cka]# kubectl get pods pod-with-sa-ljtest -o yaml apiVersion: v1 kind: Pod metadata:   creationTimestamp: 2018-08-11T09:08:51Z   labels:     name: pod-with-sa-ljtest   name: pod-with-sa-ljtest   namespace: default   resourceVersion: "446503"   selfLink: /api/v1/namespaces/default/pods/pod-with-sa-ljtest   uid: 2a1b6688-9d46-11e8-86b0-000c29850765 spec:   containers:   - image: nginx     imagePullPolicy: Always     name: nginx-sa-ljtest     resources: {}     terminationMessagePath: /dev/termination-log     terminationMessagePolicy: File     volumeMounts:     - mountPath: /var/run/secrets/kubernetes.io/serviceaccount       name: ljtest-token-s7x8k       readOnly: true   dnsPolicy: ClusterFirst   nodeName: k8s-master   restartPolicy: Always   schedulerName: default-scheduler   securityContext: {}   serviceAccount: ljtest   serviceAccountName: ljtest   terminationGracePeriodSeconds: 30   tolerations:   - effect: NoExecute     key: node.kubernetes.io/not-ready     operator: Exists     tolerationSeconds: 300   - effect: NoExecute     key: node.kubernetes.io/unreachable     operator: Exists     tolerationSeconds: 300   volumes:   - name: ljtest-token-s7x8k     secret:       defaultMode: 420       secretName: ljtest-token-s7x8k status:   conditions:   - lastProbeTime: null     lastTransitionTime: 2018-08-11T09:08:51Z     status: "True"     type: Initialized   - lastProbeTime: null     lastTransitionTime: 2018-08-11T09:08:57Z     status: "True"     type: Ready   - lastProbeTime: null     lastTransitionTime: 2018-08-11T09:08:51Z     status: "True"     type: PodScheduled   containerStatuses:   - containerID: docker://7bbecc0852475ab6bcbf6dc619691909d401c3f3848fa1d325e1bf0e5fbae543     image: nginx:latest     imageID: docker-pullable://nginx@sha256:d85914d547a6c92faa39ce7058bd7529baacab7e0cd4255442b04577c4d1f424     lastState: {}     name: nginx-sa-ljtest     ready: true     restartCount: 0     state:       running:         startedAt: 2018-08-11T09:08:57Z   hostIP: 172.16.199.100   phase: Running   podIP: 10.244.0.36   qosClass: BestEffort   startTime: 2018-08-11T09:08:51Z

5. 修改pod yaml文件，手工关联
   
   [root@k8s-master cka]# cat pod-with-sa-ljtest.yaml kind: Pod apiVersion: v1 metadata: name: pod-with-sa-ljtest labels: name: pod-with-sa-ljtest spec: volumes: - name: ljtestsecrtvol secret: secretName: ljtestsecrt serviceAccount: ljtest containers: - name: nginx-sa-ljtest image: nginx volumeMounts: - name: ljtestsecrtvol readOnly: true mountPath: /usr/local/www

   1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20

   [root@k8s-master cka]# cat pod-with-sa-ljtest.yaml kind: Pod apiVersion: v1 metadata:   name: pod-with-sa-ljtest   labels:     name: pod-with-sa-ljtest spec:   volumes:   - name: ljtestsecrtvol     secret:      secretName: ljtestsecrt   serviceAccount: ljtest   containers:   - name: nginx-sa-ljtest     image: nginx     volumeMounts:     - name: ljtestsecrtvol       readOnly: true       mountPath: /usr/local/www

   
   产生的最后效果，可以看到被挂载了。
   
   [root@k8s-master cka]# kubectl get pods pod-with-sa-ljtest -o yaml apiVersion: v1 kind: Pod metadata: annotations: kubectl.kubernetes.io/last-applied-configuration: | {"apiVersion":"v1","kind":"Pod","metadata":{"annotations":{},"labels":{"name":"pod-with-sa-ljtest"},"name":"pod-with-sa-ljtest","namespace":"default"},"spec":{"containers":[{"image":"nginx","name":"nginx-sa-ljtest","volumeMounts":[{"mountPath":"/usr/local/www","name":"ljtestsecrtvol","readOnly":true}]}],"serviceAccount":"ljtest","volumes":[{"name":"ljtestsecrtvol","secret":{"secretName":"ljtestsecrt"}}]}} creationTimestamp: 2018-08-11T09:27:06Z labels: name: pod-with-sa-ljtest name: pod-with-sa-ljtest namespace: default resourceVersion: "447837" selfLink: /api/v1/namespaces/default/pods/pod-with-sa-ljtest uid: b6c92928-9d48-11e8-86b0-000c29850765 spec: containers: - image: nginx imagePullPolicy: Always name: nginx-sa-ljtest resources: {} terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts: - mountPath: /usr/local/www name: ljtestsecrtvol readOnly: true - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: ljtest-token-s7x8k readOnly: true dnsPolicy: ClusterFirst nodeName: k8s-master restartPolicy: Always schedulerName: default-scheduler securityContext: {} serviceAccount: ljtest serviceAccountName: ljtest terminationGracePeriodSeconds: 30 tolerations: - effect: NoExecute key: node.kubernetes.io/not-ready operator: Exists tolerationSeconds: 300 - effect: NoExecute key: node.kubernetes.io/unreachable operator: Exists tolerationSeconds: 300 volumes: - name: ljtestsecrtvol secret: defaultMode: 420 secretName: ljtestsecrt - name: ljtest-token-s7x8k secret: defaultMode: 420 secretName: ljtest-token-s7x8k status: conditions: - lastProbeTime: null lastTransitionTime: 2018-08-11T09:27:06Z status: "True" type: Initialized - lastProbeTime: null lastTransitionTime: 2018-08-11T09:27:14Z status: "True" type: Ready - lastProbeTime: null lastTransitionTime: 2018-08-11T09:27:06Z status: "True" type: PodScheduled containerStatuses: - containerID: docker://44f2780069c75aacd0f0a2fae451c83608aa159d4d502547ae51161b6c06698e image: nginx:latest imageID: docker-pullable://nginx@sha256:d85914d547a6c92faa39ce7058bd7529baacab7e0cd4255442b04577c4d1f424 lastState: {} name: nginx-sa-ljtest ready: true restartCount: 0 state: running: startedAt: 2018-08-11T09:27:14Z hostIP: 172.16.199.100 phase: Running podIP: 10.244.0.37 qosClass: BestEffort startTime: 2018-08-11T09:27:06Z [root@k8s-master cka]# kubectl exec pod-with-sa-ljtest sh [root@k8s-master cka]# kubectl exec -it pod-with-sa-ljtest sh # ls /usr/local/www ca.crt namespace password token username

   1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90

   [root@k8s-master cka]# kubectl get pods pod-with-sa-ljtest -o yaml apiVersion: v1 kind: Pod metadata:   annotations:     kubectl.kubernetes.io/last-applied-configuration: |       {"apiVersion":"v1","kind":"Pod","metadata":{"annotations":{},"labels":{"name":"pod-with-sa-ljtest"},"name":"pod-with-sa-ljtest","namespace":"default"},"spec":{"containers":[{"image":"nginx","name":"nginx-sa-ljtest","volumeMounts":[{"mountPath":"/usr/local/www","name":"ljtestsecrtvol","readOnly":true}]}],"serviceAccount":"ljtest","volumes":[{"name":"ljtestsecrtvol","secret":{"secretName":"ljtestsecrt"}}]}}   creationTimestamp: 2018-08-11T09:27:06Z   labels:     name: pod-with-sa-ljtest   name: pod-with-sa-ljtest   namespace: default   resourceVersion: "447837"   selfLink: /api/v1/namespaces/default/pods/pod-with-sa-ljtest   uid: b6c92928-9d48-11e8-86b0-000c29850765 spec:   containers:   - image: nginx     imagePullPolicy: Always     name: nginx-sa-ljtest     resources: {}     terminationMessagePath: /dev/termination-log     terminationMessagePolicy: File     volumeMounts:     - mountPath: /usr/local/www       name: ljtestsecrtvol       readOnly: true     - mountPath: /var/run/secrets/kubernetes.io/serviceaccount       name: ljtest-token-s7x8k       readOnly: true   dnsPolicy: ClusterFirst   nodeName: k8s-master   restartPolicy: Always   schedulerName: default-scheduler   securityContext: {}   serviceAccount: ljtest   serviceAccountName: ljtest   terminationGracePeriodSeconds: 30   tolerations:   - effect: NoExecute     key: node.kubernetes.io/not-ready     operator: Exists     tolerationSeconds: 300   - effect: NoExecute     key: node.kubernetes.io/unreachable     operator: Exists     tolerationSeconds: 300   volumes:   - name: ljtestsecrtvol     secret:       defaultMode: 420       secretName: ljtestsecrt   - name: ljtest-token-s7x8k     secret:       defaultMode: 420       secretName: ljtest-token-s7x8k status:   conditions:   - lastProbeTime: null     lastTransitionTime: 2018-08-11T09:27:06Z     status: "True"     type: Initialized   - lastProbeTime: null     lastTransitionTime: 2018-08-11T09:27:14Z     status: "True"     type: Ready   - lastProbeTime: null     lastTransitionTime: 2018-08-11T09:27:06Z     status: "True"     type: PodScheduled   containerStatuses:   - containerID: docker://44f2780069c75aacd0f0a2fae451c83608aa159d4d502547ae51161b6c06698e     image: nginx:latest     imageID: docker-pullable://nginx@sha256:d85914d547a6c92faa39ce7058bd7529baacab7e0cd4255442b04577c4d1f424     lastState: {}     name: nginx-sa-ljtest     ready: true     restartCount: 0     state:       running:         startedAt: 2018-08-11T09:27:14Z   hostIP: 172.16.199.100   phase: Running   podIP: 10.244.0.37   qosClass: BestEffort   startTime: 2018-08-11T09:27:06Z [root@k8s-master cka]# kubectl exec pod-with-sa-ljtest  sh [root@k8s-master cka]# kubectl exec -it pod-with-sa-ljtest  sh # ls /usr/local/www ca.crt namespace  password  token  username

   
    

参考：

https://github.com/kubernetes/kubernetes/issues/12012