Cloud Native应用交付

  • 首页
  • 关于本站
  • 个人介绍
  • Downloads
  • Repo
    • Github
    • Container
  • F5
    • F5 Python SDK
    • F5-container
    • F5-LBaaS
  • 社交
    • 联系我
    • 微信/微博
    • 公众号
    • 打赏赞助
行至水穷处 坐看云起时
Cloud Native Application Services: cnadn.net
  1. 首页
  2. 容器/k8s
  3. 正文

手工为SA创建额外secret,并挂载到pod

2018年08月11日 7714点热度 0人点赞 0条评论

默认情况下,系统会为每个servcieaccount(sa)创建一个对应的secret,这个secret里包含一个token,一般默认是ca证书。

https://v1-10.docs.kubernetes.io/docs/concepts/configuration/secret/ 文章说可以通过将sa挂载到pod上实现secret的自动挂载,这个地方其实有些问题,缺省自动产生的secret是可以自动被挂载到pod的。但是如果额外为这个sa创建的secret是不能自动挂载到pod上的(因为系统都不知道你要挂到哪里去),默认情况下pod只自动挂载sa中的第一个mountable的secret-一般也就是系统自动产生的那个secret。

测试步骤:

  1. 创建一个sa
    kubectl create sa ljtest
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    [root@k8s-master cka]# kubectl describe sa ljtest
    Name:                ljtest
    Namespace:           default
    Labels:              <none>
    Annotations:         <none>
    Image pull secrets:  <none>
    Mountable secrets:   ljtest-token-s7x8k
    Tokens:              ljtest-token-s7x8k
     
    Events:              <none>
  2. 为该sa额外创建一个secret
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    [root@k8s-master cka]# cat sa-ljtest-secert.yaml
    apiVersion: v1
    kind: Secret
    metadata:
      name: ljtestsecrt
      annotations:
        kubernetes.io/service-account.name: ljtest
    type: kubernetes.io/service-account-token
    data:
      username: YWRtaW4=
      password: MWYyZDFlMmU2N2Rm
  3. 创建完毕,这个secret不会自动关联到sa上,需要手工编辑sa kubectl edit sa ljtest
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    # Please edit the object below. Lines beginning with a '#' will be ignored,
    # and an empty file will abort the edit. If an error occurs while saving this file will be
    # reopened with the relevant failures.
    #
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      creationTimestamp: 2018-08-11T08:44:31Z
      name: ljtest
      namespace: default
      resourceVersion: "446346"
      selfLink: /api/v1/namespaces/default/serviceaccounts/ljtest
      uid: c42e7e67-9d42-11e8-86b0-000c29850765
    secrets:
    - name: ljtest-token-s7x8k
    - name: ljtestsecrt <<<<<<<<增加这个

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    [root@k8s-master cka]# kubectl describe sa ljtest
    Name:                ljtest
    Namespace:           default
    Labels:              <none>
    Annotations:         <none>
    Image pull secrets:  <none>
    Mountable secrets:   ljtest-token-s7x8k
                         ljtestsecrt
    Tokens:              ljtest-token-s7x8k
                         ljtestsecrt
    Events:              <none>
  4. 创建pod,并关联这个sa
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    [root@k8s-master cka]# cat pod-with-sa-ljtest.yaml
    kind: Pod
    apiVersion: v1
    metadata:
      name: pod-with-sa-ljtest
      labels:
        name: pod-with-sa-ljtest
    spec:
      serviceAccount: ljtest
      containers:
      - name: nginx-sa-ljtest
        image: nginx

    创建完毕,会发现只是mount了系统自动产生的那个
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    27
    28
    29
    30
    31
    32
    33
    34
    35
    36
    37
    38
    39
    40
    41
    42
    43
    44
    45
    46
    47
    48
    49
    50
    51
    52
    53
    54
    55
    56
    57
    58
    59
    60
    61
    62
    63
    64
    65
    66
    67
    68
    69
    70
    71
    72
    73
    74
    75
    76
    [root@k8s-master cka]# kubectl get pods pod-with-sa-ljtest -o yaml
    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: 2018-08-11T09:08:51Z
      labels:
        name: pod-with-sa-ljtest
      name: pod-with-sa-ljtest
      namespace: default
      resourceVersion: "446503"
      selfLink: /api/v1/namespaces/default/pods/pod-with-sa-ljtest
      uid: 2a1b6688-9d46-11e8-86b0-000c29850765
    spec:
      containers:
      - image: nginx
        imagePullPolicy: Always
        name: nginx-sa-ljtest
        resources: {}
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
        volumeMounts:
        - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
          name: ljtest-token-s7x8k
          readOnly: true
      dnsPolicy: ClusterFirst
      nodeName: k8s-master
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext: {}
      serviceAccount: ljtest
      serviceAccountName: ljtest
      terminationGracePeriodSeconds: 30
      tolerations:
      - effect: NoExecute
        key: node.kubernetes.io/not-ready
        operator: Exists
        tolerationSeconds: 300
      - effect: NoExecute
        key: node.kubernetes.io/unreachable
        operator: Exists
        tolerationSeconds: 300
      volumes:
      - name: ljtest-token-s7x8k
        secret:
          defaultMode: 420
          secretName: ljtest-token-s7x8k
    status:
      conditions:
      - lastProbeTime: null
        lastTransitionTime: 2018-08-11T09:08:51Z
        status: "True"
        type: Initialized
      - lastProbeTime: null
        lastTransitionTime: 2018-08-11T09:08:57Z
        status: "True"
        type: Ready
      - lastProbeTime: null
        lastTransitionTime: 2018-08-11T09:08:51Z
        status: "True"
        type: PodScheduled
      containerStatuses:
      - containerID: docker://7bbecc0852475ab6bcbf6dc619691909d401c3f3848fa1d325e1bf0e5fbae543
        image: nginx:latest
        imageID: docker-pullable://nginx@sha256:d85914d547a6c92faa39ce7058bd7529baacab7e0cd4255442b04577c4d1f424
        lastState: {}
        name: nginx-sa-ljtest
        ready: true
        restartCount: 0
        state:
          running:
            startedAt: 2018-08-11T09:08:57Z
      hostIP: 172.16.199.100
      phase: Running
      podIP: 10.244.0.36
      qosClass: BestEffort
      startTime: 2018-08-11T09:08:51Z
  5. 修改pod yaml文件,手工关联
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    [root@k8s-master cka]# cat pod-with-sa-ljtest.yaml
    kind: Pod
    apiVersion: v1
    metadata:
      name: pod-with-sa-ljtest
      labels:
        name: pod-with-sa-ljtest
    spec:
      volumes:
      - name: ljtestsecrtvol
        secret:
         secretName: ljtestsecrt
      serviceAccount: ljtest
      containers:
      - name: nginx-sa-ljtest
        image: nginx
        volumeMounts:
        - name: ljtestsecrtvol
          readOnly: true
          mountPath: /usr/local/www

    产生的最后效果,可以看到被挂载了。
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    27
    28
    29
    30
    31
    32
    33
    34
    35
    36
    37
    38
    39
    40
    41
    42
    43
    44
    45
    46
    47
    48
    49
    50
    51
    52
    53
    54
    55
    56
    57
    58
    59
    60
    61
    62
    63
    64
    65
    66
    67
    68
    69
    70
    71
    72
    73
    74
    75
    76
    77
    78
    79
    80
    81
    82
    83
    84
    85
    86
    87
    88
    89
    90
    [root@k8s-master cka]# kubectl get pods pod-with-sa-ljtest -o yaml
    apiVersion: v1
    kind: Pod
    metadata:
      annotations:
        kubectl.kubernetes.io/last-applied-configuration: |
          {"apiVersion":"v1","kind":"Pod","metadata":{"annotations":{},"labels":{"name":"pod-with-sa-ljtest"},"name":"pod-with-sa-ljtest","namespace":"default"},"spec":{"containers":[{"image":"nginx","name":"nginx-sa-ljtest","volumeMounts":[{"mountPath":"/usr/local/www","name":"ljtestsecrtvol","readOnly":true}]}],"serviceAccount":"ljtest","volumes":[{"name":"ljtestsecrtvol","secret":{"secretName":"ljtestsecrt"}}]}}
      creationTimestamp: 2018-08-11T09:27:06Z
      labels:
        name: pod-with-sa-ljtest
      name: pod-with-sa-ljtest
      namespace: default
      resourceVersion: "447837"
      selfLink: /api/v1/namespaces/default/pods/pod-with-sa-ljtest
      uid: b6c92928-9d48-11e8-86b0-000c29850765
    spec:
      containers:
      - image: nginx
        imagePullPolicy: Always
        name: nginx-sa-ljtest
        resources: {}
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
        volumeMounts:
        - mountPath: /usr/local/www
          name: ljtestsecrtvol
          readOnly: true
        - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
          name: ljtest-token-s7x8k
          readOnly: true
      dnsPolicy: ClusterFirst
      nodeName: k8s-master
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext: {}
      serviceAccount: ljtest
      serviceAccountName: ljtest
      terminationGracePeriodSeconds: 30
      tolerations:
      - effect: NoExecute
        key: node.kubernetes.io/not-ready
        operator: Exists
        tolerationSeconds: 300
      - effect: NoExecute
        key: node.kubernetes.io/unreachable
        operator: Exists
        tolerationSeconds: 300
      volumes:
      - name: ljtestsecrtvol
        secret:
          defaultMode: 420
          secretName: ljtestsecrt
      - name: ljtest-token-s7x8k
        secret:
          defaultMode: 420
          secretName: ljtest-token-s7x8k
    status:
      conditions:
      - lastProbeTime: null
        lastTransitionTime: 2018-08-11T09:27:06Z
        status: "True"
        type: Initialized
      - lastProbeTime: null
        lastTransitionTime: 2018-08-11T09:27:14Z
        status: "True"
        type: Ready
      - lastProbeTime: null
        lastTransitionTime: 2018-08-11T09:27:06Z
        status: "True"
        type: PodScheduled
      containerStatuses:
      - containerID: docker://44f2780069c75aacd0f0a2fae451c83608aa159d4d502547ae51161b6c06698e
        image: nginx:latest
        imageID: docker-pullable://nginx@sha256:d85914d547a6c92faa39ce7058bd7529baacab7e0cd4255442b04577c4d1f424
        lastState: {}
        name: nginx-sa-ljtest
        ready: true
        restartCount: 0
        state:
          running:
            startedAt: 2018-08-11T09:27:14Z
      hostIP: 172.16.199.100
      phase: Running
      podIP: 10.244.0.37
      qosClass: BestEffort
      startTime: 2018-08-11T09:27:06Z
    [root@k8s-master cka]# kubectl exec pod-with-sa-ljtest  sh
    [root@k8s-master cka]# kubectl exec -it pod-with-sa-ljtest  sh
    # ls /usr/local/www
    ca.crt namespace  password  token  username

     

参考:

https://github.com/kubernetes/kubernetes/issues/12012

相关文章

  • configmap作为环境变量和文件同时mount到一个pod
  • kubernetes node TLS bootstrapping原理及配置
  • K8S,V1.6.7 双向TLS配置
  • kubernetes Addon之 kubedns 1.6.7 安装
  • Kubernetes 1.6.7三节点集群初始信息输出
本作品采用 知识共享署名-非商业性使用 4.0 国际许可协议 进行许可
标签: kubernetes mount sa secret volume
最后更新:2018年08月11日

纳米

linjing.io

打赏 点赞
< 上一篇
下一篇 >

文章评论

razz evil exclaim smile redface biggrin eek confused idea lol mad twisted rolleyes wink cool arrow neutral cry mrgreen drooling persevering
取消回复

这个站点使用 Akismet 来减少垃圾评论。了解你的评论数据如何被处理。

页面AI聊天助手

纳米

linjing.io

☁️迈向Cloud Native ADC ☁️

认证获得:
TOGAF: ID 152743
Kubernetes: CKA #664
Microsoft: MCSE MCDBA
Cisco: CCNP
Juniper: JNCIS
F5:
F5 Certified Solution Expert, Security
F5 Certified Technology Specialist, LTM/GTM/APM/ASM
F5 Certified BIG-IP Administrator
  • 点击查看本博技术要素列表
  • 归档
    分类
    • AI
    • Automation
    • Avi Networks
    • Cisco ACI
    • CISCO资源
    • F5 with ELK
    • F5-Tech tips
    • F5技术
    • Juniper
    • Linux
    • NGINX
    • SDN
    • ServiceMesh
    • WEB编程
    • WINDOWS相关
    • 业界文章
    • 交换机技术
    • 化云为雨/Openstack
    • 协议原理
    • 容器/k8s
    • 我的工作
    • 我的生活
    • 网站技术
    • 路由器技术
    • 项目案例
    标签聚合
    nginx irule istio k8s gtm docker flannel openstack envoy F5 DNS neutron api bigip network
    最近评论
    汤姆 发布于 8 个月前(09月10日) 嗨,楼主,里面的json怎么下载啊,怎么收费啊?
    汤姆 发布于 8 个月前(09月09日) 大佬,kib的页面可以分享下吗?谢谢
    zhangsha 发布于 1 年前(05月12日) 资料发给我下,谢谢纳米同志!!!!lyx895@qq.com
    李成才 发布于 1 年前(01月02日) 麻烦了,谢谢大佬
    纳米 发布于 1 年前(01月02日) 你好。是的,因为以前下载系统插件在一次升级后将所有的下载生成信息全弄丢了。所以不少文件无法下载。DN...
    浏览次数
    • Downloads - 183,841 views
    • 联系我 - 118,966 views
    • 迄今为止最全最深入的BIGIP-DNS/GTM原理及培训资料 - 116,891 views
    • Github - 103,764 views
    • F5常见log日志解释 - 79,823 views
    • 从传统ADC迈向CLOUD NATIVE ADC - 下载 - 74,930 views
    • Sniffer Pro 4 70 530抓包软件 中文版+视频教程 - 74,320 views
    • 迄今为止最全最深入的BIGIP-DNS/GTM原理及培训资料 - 67,770 views
    • 关于本站 - 61,021 views
    • 这篇文档您是否感兴趣 - 55,537 views
    链接表
    • F5SE创新
    • Jimmy Song‘s Blog
    • SDNlab
    • Service Mesh社区
    • 三斗室
    • 个人profile
    • 云原生社区

    COPYRIGHT © 2023 Cloud Native 应用交付. ALL RIGHTS RESERVED.

    Theme Kratos Made By Seaton Jiang

    京ICP备14048088号-1

    京公网安备 11010502041506号