{"id":17436,"date":"2025-05-26T10:38:12","date_gmt":"2025-05-26T02:38:12","guid":{"rendered":"https:\/\/92it.top\/?p=17436"},"modified":"2025-08-15T14:25:04","modified_gmt":"2025-08-15T06:25:04","slug":"kubernetesk8s-service-accounts-%e4%bb%8b%e7%bb%8d","status":"publish","type":"post","link":"https:\/\/92it.top\/?p=17436","title":{"rendered":"\ud83c\udf40Kubernetes(k8s) Service Accounts \u4ecb\u7ecd"},"content":{"rendered":"\n<p>\u5728 Kubernetes\uff08K8s\uff09\u4e2d\uff0c<strong>Service Account\uff08\u670d\u52a1\u8d26\u6237\uff09<\/strong>\u00a0\u662f\u4e00\u79cd\u7528\u4e8e\u00a0<strong>\u4e3a Pod \u4e2d\u7684\u8fdb\u7a0b\u63d0\u4f9b\u8eab\u4efd\u8ba4\u8bc1<\/strong>\u00a0\u7684\u673a\u5236\u3002\u5b83\u5141\u8bb8 Pod \u5185\u7684\u5e94\u7528\u5b89\u5168\u5730\u8bbf\u95ee Kubernetes API \u6216\u5916\u90e8\u670d\u52a1\uff0c\u662f\u5b9e\u73b0\u96c6\u7fa4\u5185\u670d\u52a1\u95f4\u8ba4\u8bc1\u548c\u6388\u6743\u7684\u6838\u5fc3\u7ec4\u4ef6\u3002<\/p>\n\n\n\n<p><strong>\u4e00\u3001Service Account \u7684\u6838\u5fc3\u4f5c\u7528<\/strong><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<ol>\n<li><strong>\u8eab\u4efd\u6807\u8bc6<\/strong>\n<ul>\n<li>\u4e3a Pod \u63d0\u4f9b\u552f\u4e00\u7684\u8eab\u4efd\u6807\u8bc6\uff0c\u7c7b\u4f3c\u4e8e\u64cd\u4f5c\u7cfb\u7edf\u4e2d\u7684\u7528\u6237\u8d26\u6237\uff0c\u4f46\u4e13\u95e8\u7528\u4e8e\u670d\u52a1\u548c\u8fdb\u7a0b\u3002<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>API \u8bbf\u95ee\u51ed\u8bc1<\/strong>\n<ul>\n<li>\u81ea\u52a8\u751f\u6210\u5e76\u6302\u8f7d\u00a0<strong>\u4ee4\u724c\uff08Token\uff09<\/strong>\u00a0\u5230 Pod \u4e2d\uff0c\u4f7f Pod \u5185\u7684\u5e94\u7528\u53ef\u4ee5\u5b89\u5168\u5730\u8c03\u7528 Kubernetes 
API\u3002<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>\u6743\u9650\u63a7\u5236<\/strong>\n<ul>\n<li>\u901a\u8fc7\u00a0<strong>RoleBinding<\/strong>\u00a0\u548c\u00a0<strong>ClusterRoleBinding<\/strong>\u00a0\u4e0e\u00a0<strong>RBAC\uff08\u57fa\u4e8e\u89d2\u8272\u7684\u8bbf\u95ee\u63a7\u5236\uff09<\/strong>\u00a0\u7ed3\u5408\uff0c\u7cbe\u786e\u63a7\u5236 Pod \u7684\u6743\u9650\u8303\u56f4\u3002<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n<p><strong>\u4e8c\u3001Service Account \u7684\u5173\u952e\u6982\u5ff5<\/strong><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p><strong>1. \u9ed8\u8ba4 Service Account<\/strong><\/p>\n\n\n\n<p>\u6bcf\u4e2a\u547d\u540d\u7a7a\u95f4\u90fd\u4f1a\u81ea\u52a8\u521b\u5efa\u4e00\u4e2a\u540d\u4e3a&nbsp;<code>default<\/code>&nbsp;\u7684 Service Account\u3002\u5982\u679c Pod \u672a\u663e\u5f0f\u6307\u5b9a Service Account\uff0c\u5c06\u81ea\u52a8\u4f7f\u7528\u8be5\u9ed8\u8ba4\u8d26\u6237\uff1a<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">apiVersion: v1\nkind: Pod\nmetadata:\n  name: my-pod\nspec:\n  containers:\n  - name: my-container\n    image: nginx\n  # \u672a\u6307\u5b9a serviceAccountName\uff0c\u9ed8\u8ba4\u4f7f\u7528 default<\/pre>\n\n\n\n<p><strong>2. \u81ea\u5b9a\u4e49 Service Account<\/strong><\/p>\n\n\n\n<p>\u53ef\u521b\u5efa\u81ea\u5b9a\u4e49 Service Account \u5e76\u5206\u914d\u7279\u5b9a\u6743\u9650\uff1a<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">apiVersion: v1\nkind: ServiceAccount\nmetadata:\n  name: my-service-account  # \u81ea\u5b9a\u4e49\u540d\u79f0\n  namespace: default<\/pre>\n\n\n\n<p><strong>3. 
Token \u81ea\u52a8\u6302\u8f7d<\/strong><\/p>\n\n\n\n<p>\u5f53 Pod \u4f7f\u7528 Service Account \u65f6\uff0cKubernetes \u4f1a\u81ea\u52a8\u5c06 Token \u6302\u8f7d\u5230 Pod \u5185\u7684&nbsp;<code>\/var\/run\/secrets\/kubernetes.io\/serviceaccount<\/code>&nbsp;\u8def\u5f84\u4e0b\uff1a<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">\/var\/run\/secrets\/kubernetes.io\/serviceaccount\/\n\u251c\u2500\u2500 ca.crt       # API\u670d\u52a1\u5668\u7684CA\u8bc1\u4e66\n\u251c\u2500\u2500 namespace    # \u5f53\u524d\u547d\u540d\u7a7a\u95f4\u540d\u79f0\n\u2514\u2500\u2500 token        # \u7528\u4e8e\u8eab\u4efd\u9a8c\u8bc1\u7684\u4ee4\u724c<\/pre>\n\n\n\n<p><strong>\u4e09\u3001Service Account \u4e0e RBAC \u7684\u7ed3\u5408<\/strong><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p>\u901a\u8fc7\u00a0<strong>Role<\/strong>\u00a0\u548c\u00a0<strong>ClusterRole<\/strong>\u00a0\u5b9a\u4e49\u6743\u9650\uff0c\u518d\u901a\u8fc7\u00a0<strong>RoleBinding<\/strong>\u00a0\u548c\u00a0<strong>ClusterRoleBinding<\/strong>\u00a0\u5c06\u6743\u9650\u7ed1\u5b9a\u5230 Service Account\uff1a<\/p>\n\n\n\n<p>\u793a\u4f8b\uff1a\u6388\u4e88 Service Account \u8bfb\u53d6 Pod \u7684\u6743\u9650<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\"># 1. \u5b9a\u4e49 Role\uff08\u547d\u540d\u7a7a\u95f4\u7ea7\u522b\u6743\u9650\uff09\napiVersion: rbac.authorization.k8s.io\/v1\nkind: Role\nmetadata:\n  name: pod-reader\nrules:\n- apiGroups: [\"\"]\n  resources: [\"pods\"]\n  verbs: [\"get\", \"list\", \"watch\"]\n\n# 2. 
\u5c06 Role \u7ed1\u5b9a\u5230 Service Account\napiVersion: rbac.authorization.k8s.io\/v1\nkind: RoleBinding\nmetadata:\n  name: read-pods\nsubjects:\n- kind: ServiceAccount\n  name: my-service-account\n  namespace: default\nroleRef:\n  kind: Role\n  name: pod-reader\n  apiGroup: rbac.authorization.k8s.io<\/pre>\n\n\n\n<p><strong>\u56db\u3001Service Account \u7684\u4f7f\u7528\u573a\u666f<\/strong><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<ol>\n<li><strong>Pod \u8bbf\u95ee Kubernetes API<\/strong>\n<ul>\n<li>\u4f8b\u5982\uff0c\u76d1\u63a7\u7cfb\u7edf\u7684 Pod \u9700\u8981\u67e5\u8be2\u96c6\u7fa4\u4e2d\u7684\u5176\u4ed6 Pod \u72b6\u6001\u3002<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>\u5916\u90e8\u670d\u52a1\u8ba4\u8bc1<\/strong>\n<ul>\n<li>Pod \u5185\u7684\u5e94\u7528\u9700\u8981\u8c03\u7528\u5916\u90e8\u670d\u52a1\uff08\u5982 AWS S3\u3001GCP Storage\uff09\uff0c\u4f7f\u7528 Service Account \u4ee4\u724c\u8fdb\u884c\u8ba4\u8bc1\u3002<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>CI\/CD \u6d41\u6c34\u7ebf<\/strong>\n<ul>\n<li>\u81ea\u52a8\u5316\u5de5\u5177\uff08\u5982 Jenkins\u3001GitLab Runner\uff09\u5728\u96c6\u7fa4\u5185\u8fd0\u884c\u65f6\uff0c\u4f7f\u7528 Service Account \u6267\u884c\u90e8\u7f72\u64cd\u4f5c\u3002<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>\u591a\u79df\u6237\u9694\u79bb<\/strong>\n<ul>\n<li>\u4e0d\u540c\u79df\u6237\u7684\u5e94\u7528\u4f7f\u7528\u72ec\u7acb\u7684 Service Account\uff0c\u901a\u8fc7 RBAC \u9650\u5236\u8bbf\u95ee\u8303\u56f4\u3002<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n<p><strong>\u4e94\u3001Service Account \u7684\u914d\u7f6e\u4e0e\u7ba1\u7406<\/strong><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p><strong>1. 
\u521b\u5efa\u81ea\u5b9a\u4e49 Service Account<\/strong><\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">kubectl create serviceaccount my-service-account\n<\/pre>\n\n\n\n<p><strong>2. \u4e3a Pod \u6307\u5b9a Service Account<\/strong><\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">apiVersion: v1\nkind: Pod\nmetadata:\n  name: my-pod\nspec:\n  serviceAccountName: my-service-account  # \u6307\u5b9a\u4f7f\u7528\u7684 Service Account\n  containers:\n  - name: my-container\n    image: nginx<\/pre>\n\n\n\n<p><strong>3. \u67e5\u770b Service Account \u8be6\u60c5<\/strong><\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">kubectl describe serviceaccount my-service-account<\/pre>\n\n\n\n<p><strong>\u516d\u3001\u6700\u4f73\u5b9e\u8df5<\/strong><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<ol>\n<li><strong>\u6700\u5c0f\u6743\u9650\u539f\u5219<\/strong>\n<ul>\n<li>\u4e3a\u6bcf\u4e2a\u5e94\u7528\u521b\u5efa\u4e13\u7528\u7684 Service Account\uff0c\u5e76\u4ec5\u6388\u4e88\u5fc5\u8981\u7684\u6743\u9650\u3002<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>\u907f\u514d\u4f7f\u7528\u9ed8\u8ba4 Service Account<\/strong>\n<ul>\n<li>\u9ed8\u8ba4\u8d26\u6237\u6743\u9650\u53ef\u80fd\u8fc7\u5927\uff08\u547d\u540d\u7a7a\u95f4\u5185\u672a\u6307\u5b9a Service Account \u7684 Pod \u90fd\u4f7f\u7528\u5b83\uff0c\u4e3a\u5b83\u7ed1\u5b9a\u7684\u6743\u9650\u4f1a\u4f5c\u7528\u4e8e\u5176\u4e2d\u6bcf\u4e2a Pod\uff09\uff0c\u5efa\u8bae\u4e3a\u6bcf\u4e2a Pod \u663e\u5f0f\u6307\u5b9a Service Account\uff1b\u4e0d\u9700\u8981\u8bbf\u95ee Kubernetes API \u7684 Pod \u53ef\u914d\u7f6e <code>automountServiceAccountToken: false<\/code>\uff0c\u4e0d\u6302\u8f7d\u4ee4\u724c\u3002<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>\u4f7f\u7528 Token 
\u5377\u6295\u5f71<\/strong>\n<ul>\n<li>\u5bf9\u4e8e K8s 1.22+\uff0c\u4f18\u5148\u4f7f\u7528\u00a0<code>projected<\/code>\u00a0\u5377\u6302\u8f7d\u77ed\u671f\u4ee4\u724c\uff0c\u63d0\u9ad8\u5b89\u5168\u6027\uff081.22+ \u4e2d Pod \u81ea\u52a8\u6302\u8f7d\u7684\u4ee4\u724c\u9ed8\u8ba4\u901a\u8fc7 projected \u5377\u63d0\u4f9b\uff0c\u4ee4\u724c\u6709\u6709\u6548\u671f\u5e76\u7531 kubelet \u81ea\u52a8\u8f6e\u6362\uff09\u3002<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>\u5b9a\u671f\u8f6e\u6362 Token<\/strong>\n<ul>\n<li>\u4e3a Service Account \u914d\u7f6e\u81ea\u52a8\u8f6e\u6362\u673a\u5236\uff0c\u907f\u514d\u957f\u671f\u4f7f\u7528\u56fa\u5b9a\u4ee4\u724c\u3002<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>\u76d1\u63a7\u5f02\u5e38\u8bbf\u95ee<\/strong>\n<ul>\n<li>\u901a\u8fc7\u5ba1\u8ba1\u65e5\u5fd7\u76d1\u63a7 Service Account \u7684 API \u8bbf\u95ee\u884c\u4e3a\uff0c\u53ca\u65f6\u53d1\u73b0\u5f02\u5e38\u3002<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n<p><strong>\u4e03\u3001Service Account vs User Account<\/strong><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<figure class=\"wp-block-table\"><table><thead><tr><th><strong>\u7279\u6027<\/strong><\/th><th><strong>Service Account<\/strong><\/th><th><strong>User Account<\/strong><\/th><\/tr><\/thead><tbody><tr><td><strong>\u7528\u9014<\/strong><\/td><td>\u4e3a Pod \u4e2d\u7684\u8fdb\u7a0b\u63d0\u4f9b\u8eab\u4efd<\/td><td>\u4f9b\u4eba\u7c7b\u7528\u6237\uff08\u5982\u7ba1\u7406\u5458\uff09\u4f7f\u7528<\/td><\/tr><tr><td><strong>\u7ba1\u7406\u65b9\u5f0f<\/strong><\/td><td>K8s API \u81ea\u52a8\u7ba1\u7406<\/td><td>\u5916\u90e8\u8eab\u4efd\u7cfb\u7edf\uff08\u5982 
LDAP\u3001OIDC\uff09\u7ba1\u7406<\/td><\/tr><tr><td><strong>\u4f5c\u7528\u8303\u56f4<\/strong><\/td><td>\u547d\u540d\u7a7a\u95f4\u7ea7\u522b\uff08Service Account \u4ec5\u5728\u547d\u540d\u7a7a\u95f4\u5185\u521b\u5efa\uff1b\u96c6\u7fa4\u7ea7\u522b\u6743\u9650\u9700\u901a\u8fc7 ClusterRoleBinding \u6388\u4e88\uff09<\/td><td>\u96c6\u7fa4\u5168\u5c40<\/td><\/tr><tr><td><strong>\u4ee4\u724c\u751f\u547d\u5468\u671f<\/strong><\/td><td>\u81ea\u52a8\u751f\u6210\uff0c\u53ef\u914d\u7f6e\u77ed\u671f\u6709\u6548\u671f<\/td><td>\u901a\u5e38\u957f\u671f\u6709\u6548\uff0c\u9700\u624b\u52a8\u8f6e\u6362<\/td><\/tr><tr><td><strong>\u4f7f\u7528\u573a\u666f<\/strong><\/td><td>\u670d\u52a1\u95f4\u8ba4\u8bc1\u3001\u81ea\u52a8\u5316\u5de5\u5177<\/td><td>\u96c6\u7fa4\u7ba1\u7406\u3001\u4eba\u5de5\u64cd\u4f5c<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p><strong>\u516b\u3001\u603b\u7ed3<\/strong><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p>Service Account \u662f Kubernetes \u4e2d\u5b9e\u73b0\u670d\u52a1\u95f4\u8ba4\u8bc1\u548c\u6388\u6743\u7684\u6838\u5fc3\u673a\u5236\uff0c\u901a\u8fc7\u4e3a Pod \u63d0\u4f9b\u8eab\u4efd\u6807\u8bc6\u548c API \u8bbf\u95ee\u6743\u9650\uff0c\u786e\u4fdd\u96c6\u7fa4\u5185\u670d\u52a1\u7684\u5b89\u5168\u901a\u4fe1\u3002\u5408\u7406\u914d\u7f6e Service Account \u5e76\u7ed3\u5408 RBAC \u7b56\u7565\uff0c\u662f\u6784\u5efa\u5b89\u5168\u3001\u53ef\u6269\u5c55\u7684\u4e91\u539f\u751f\u5e94\u7528\u7684\u5173\u952e\u3002<\/p>\n","protected":false},"excerpt":{"rendered":"<p>\u5728 Kubernetes\uff08K8s\uff09\u4e2d\uff0cService Account\uff08\u670d\u52a1\u8d26\u6237\uff09\u00a0\u662f\u4e00\u79cd\u7528\u4e8e\u00a0\u4e3a Pod \u4e2d\u7684 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[29],"tags":[],"_links":{"self":[{"href":"https:\/\/92it.top\/index.php?rest_route=\/wp\/v2\/posts\/17436"}],"collection":[{"href":"https:\/\/92it.top\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/92it.top\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/92it.top\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/92it.top\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=17436"}],"version-history":[{"count":2,"href":"https:\/\/92it.top\/index.php?rest_route=\/wp\/v2\/posts\/17436\/revisions"}],"predecessor-version":[{"id":19182,"href":"https:\/\/92it.top\/index.php?rest_route=\/wp\/v2\/posts\/17436\/revisions\/19182"}],"wp:attachment":[{"href":"https:\/\/92it.top\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=17436"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/92it.top\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=17436"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/92it.top\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=17436"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}