Bu sayfa henüz yerel dilinizde mevcut değildir. Daha fazla dil seçeneği eklemek için yoğun bir şekilde çalışıyoruz. Desteğiniz için teşekkür ederiz.

Easily Switch Between Product Types

You can click the drop-down list box to switch between different product types.

Compute
Elastic Cloud Server
Huawei Cloud Flexus
Bare Metal Server
Auto Scaling
Image Management Service
Dedicated Host
FunctionGraph
Cloud Phone Host
Huawei Cloud EulerOS
Networking
Virtual Private Cloud
Elastic IP
Elastic Load Balance
NAT Gateway
Direct Connect
Virtual Private Network
VPC Endpoint
Cloud Connect
Enterprise Router
Enterprise Switch
Global Accelerator
Management & Governance
Cloud Eye
Identity and Access Management
Cloud Trace Service
Resource Formation Service
Tag Management Service
Log Tank Service
Config
OneAccess
Resource Access Manager
Simple Message Notification
Application Performance Management
Application Operations Management
Organizations
Optimization Advisor
IAM Identity Center
Cloud Operations Center
Resource Governance Center
Migration
Server Migration Service
Object Storage Migration Service
Cloud Data Migration
Migration Center
Cloud Ecosystem
KooGallery
Partner Center
User Support
My Account
Billing Center
Cost Center
Resource Center
Enterprise Management
Service Tickets
HUAWEI CLOUD (International) FAQs
ICP Filing
Support Plans
My Credentials
Customer Operation Capabilities
Partner Support Plans
Professional Services
Analytics
MapReduce Service
Data Lake Insight
CloudTable Service
Cloud Search Service
Data Lake Visualization
Data Ingestion Service
GaussDB(DWS)
DataArts Studio
Data Lake Factory
DataArts Lake Formation
IoT
IoT Device Access
Others
Product Pricing Details
System Permissions
Console Quick Start
Common FAQs
Instructions for Associating with a HUAWEI CLOUD Partner
Message Center
Security & Compliance
Security Technologies and Applications
Web Application Firewall
Host Security Service
Cloud Firewall
SecMaster
Anti-DDoS Service
Data Encryption Workshop
Database Security Service
Cloud Bastion Host
Data Security Center
Cloud Certificate Manager
Edge Security
Situation Awareness
Managed Threat Detection
Blockchain
Blockchain Service
Web3 Node Engine Service
Media Services
Media Processing Center
Video On Demand
Live
SparkRTC
MetaStudio
Storage
Object Storage Service
Elastic Volume Service
Cloud Backup and Recovery
Storage Disaster Recovery Service
Scalable File Service Turbo
Scalable File Service
Volume Backup Service
Cloud Server Backup Service
Data Express Service
Dedicated Distributed Storage Service
Containers
Cloud Container Engine
Software Repository for Container
Application Service Mesh
Ubiquitous Cloud Native Service
Cloud Container Instance
Databases
Relational Database Service
Document Database Service
Data Admin Service
Data Replication Service
GeminiDB
GaussDB
Distributed Database Middleware
Database and Application Migration UGO
TaurusDB
Middleware
Distributed Cache Service
API Gateway
Distributed Message Service for Kafka
Distributed Message Service for RabbitMQ
Distributed Message Service for RocketMQ
Cloud Service Engine
Multi-Site High Availability Service
EventGrid
Dedicated Cloud
Dedicated Computing Cluster
Business Applications
Workspace
ROMA Connect
Message & SMS
Domain Name Service
Edge Data Center Management
Meeting
AI
Face Recognition Service
Graph Engine Service
Content Moderation
Image Recognition
Optical Character Recognition
ModelArts
ImageSearch
Conversational Bot Service
Speech Interaction Service
Huawei HiLens
Video Intelligent Analysis Service
Developer Tools
SDK Developer Guide
API Request Signing Guide
Terraform
Koo Command Line Interface
Content Delivery & Edge Computing
Content Delivery Network
Intelligent EdgeFabric
CloudPond
Intelligent EdgeCloud
Solutions
SAP Cloud
High Performance Computing
Developer Services
ServiceStage
CodeArts
CodeArts PerfTest
CodeArts Req
CodeArts Pipeline
CodeArts Build
CodeArts Deploy
CodeArts Artifact
CodeArts TestPlan
CodeArts Check
CodeArts Repo
Cloud Application Engine
MacroVerse aPaaS
KooMessage
KooPhone
KooDrive

Service Accounts

Updated on 2024-12-11 GMT+08:00

All access requests to Kubernetes resources are processed by the API Server, regardless of whether the requests are from an external system. Therefore, the requests must be authenticated and authorized before they are sent to Kubernetes resources.

  • Authentication: authenticates user identities. Kubernetes uses different authentication rules for external and internal service accounts. For details, see Authentication and ServiceAccounts.
  • Authorization: controls users' access to resources. Role-based access control (RBAC) is used to authorize users to access resources. For details, see RBAC.
Figure 1 Authentication and authorization of the API Server

Authentication and ServiceAccounts

Kubernetes users are classified as service accounts (ServiceAccounts) and common accounts.

  • A ServiceAccount is bound to a namespace and associated with a set of credentials. When a pod is created, the token is mounted to the pod so that the pod can be called by the API server.
  • Kubernetes does not come with pre-built objects for managing common accounts. Instead, external services are used for this purpose. For example, CCE users are managed through Identity and Access Management (IAM).

ServiceAccounts in Kubernetes are resources that exist at the namespace level, just like pods and ConfigMaps. When a namespace is created, the system automatically generates a ServiceAccount named default in the namespace.

You can run the following command to check ServiceAccounts:

kubectl get sa

NAME     SECRETS   AGE
default  1         30d
NOTE:
  • In clusters earlier than v1.21, a token is obtained by mounting the secret of the service account to a pod. Tokens obtained this way are permanent. This approach is no longer recommended starting from version 1.21. Service accounts will stop auto creating secrets in clusters from version 1.25.

    In clusters of version 1.21 or later, you can use the TokenRequest API to obtain the token and use the projected volume to mount the token to the pod. Such tokens are valid for a fixed period. When the mounting pod is deleted, the token automatically becomes invalid. For details, see Service Account Token Security Improvement.

  • If you need a token that never expires, you can also manually manage secrets for service accounts. Although a permanent service account token can be manually created, you are advised to use a short-lived token by calling the TokenRequest API for higher security.

In clusters earlier than 1.25, a secret is automatically created for each ServiceAccount. In clusters 1.25 or later, a secret is not automatically created for each ServiceAccount. The following describes how to check the statuses of ServiceAccounts in clusters earlier than 1.25 and in clusters 1.25 or later.

  • In a cluster earlier than 1.25, run the following command to check the status of the default ServiceAccount.

    kubectl describe sa default

    If information similar to the following is displayed, the default-token-vssmw secret is automatically created for the ServiceAccount.

    Name:                  default
    Namespace:             default
    Labels:                <none>
    Annotations:           <none>
    Image pull secrets:    <none>
    Mountable secrets:     default-token-vssmw
    Tokens:                default-token-vssmw
    Events:                <none>
  • In a cluster 1.25 or later, run the following command to check the status of the default ServiceAccount.

    kubectl describe sa default

    According to the command output, no secret is automatically created for the default ServiceAccount.
    Name:                     default
    Namespace:                default 
    Labels:                   <none>
    Annotations:              <none>
    Image pull secrets:       <none>
    Mountable secrets:        <none>
    Tokens:                   <none>
    Events:                   <none>

When defining a pod, you can assign a ServiceAccount to it by specifying the account name in the file. If no account name is specified, the default ServiceAccount will be used. When receiving a request with an authentication token, the API Server uses the token to check whether the ServiceAccount associated with the client that sends the request allows the request to be executed.

Creating a ServiceAccount

  1. Take a cluster 1.29 as an example. Run the following command to create a ServiceAccount in the default namespace:

    kubectl create serviceaccount sa-example

    serviceaccount/sa-example created

    Run the following command to check whether sa-example has been created. If sa-example is displayed in the NAME column, it has been created.

    kubectl get sa

    NAME            SECRETS   AGE
    default         1         30d
    sa-example      0         2s

    Because the cluster version used in this case is later than 1.25, the ServiceAccount will not have a secret created automatically. To check if a secret was created, use the following command to view the ServiceAccount details. If the output shows none for Mountable secrets and Tokens, then no secret was automatically created for the ServiceAccount.

    kubectl describe sa sa-example

    Name:                   sa-example
    Namespace:              default
    Labels:                 <none>
    Annotations:            <none>
    Image pull secrets:     <none>
    Mountable secrets:      <none>
    Tokens:                 <none>
    Events:                 <none>

  2. In this example, manually manage the secret to obtain a token that never expires. Use the following command to manually create a secret named sa-example-token and associate it with the sa-example ServiceAccount.

    kubectl apply -f - <<EOF
    apiVersion: v1 
    kind: Secret 
    metadata:
      namespace: default   
      name: sa-example-token   
      annotations:     
        kubernetes.io/service-account.name: sa-example 
    type: kubernetes.io/service-account-token 
    EOF

  3. Check whether sa-example-token has been created. If sa-example-token is present in secrets of the default namespace, then it has been created.

    kubectl get secrets

    NAME                        TYPE                                    DATA        AGE
    default-secret              kubernetes.io/dockerconfigjson          1           6d20h
    paas.elb                    cfe/secure-opaque                       1           6d20h
    sa-example-token            kubernetes.io/service-account-token     3           16s

    Check the secret content. You can find the ca.crt, namespace, and token data.

    kubectl describe secret sa-example-token

    Name:         sa-example-token
    Namespace:    default
    Labels:       <none>
    Annotations:  kubernetes.io/service-account.name: sa-example
                  kubernetes.io/service-account.uid: 4b7d3e19-1dfe-4ee0-bb49-4e2e0c3c5e25
    
    Type:  kubernetes.io/service-account-token
    
    Data
    ====
    ca.crt:     1123 bytes
    namespace:  7 bytes
    token:      eyJhbGciOiJSU...

  4. Check whether the ServiceAccount has been associated with the new secret, meaning if the ServiceAccount has obtained the token. The command output shows that sa-example is associated with sa-example-token.

    kubectl describe sa sa-example

    Name:                 sa-example
    Namespace:            default
    Labels:               <none>
    Annotations:          <none>
    Image pull secrets:   <none>
    Mountable secrets:    <none>
    Tokens:               sa-example-token
    Events:               <none>

Using a ServiceAccount in a Pod

It is convenient to use a ServiceAccount in a pod. You only need to specify the name of the ServiceAccount. The following uses nginx:latest as an example to describe how to use a ServiceAccount in a pod.

  1. Create a description file named sa-pod.yaml. mysql.yaml is an example file name. You can rename it as required.

    vim sa-pod.yaml

    NOTICE:

    To enable the pod to use the token from the manually created secret, you must mount the secret to the container. For details about how to mount the secret, see the code in bold in the description file.

    The file content is as follows:

    apiVersion: v1
    kind: Pod
    metadata:
      name: sa-pod
    spec:
      serviceAccountName: sa-example                  #  Specify sa-example as the ServiceAccount used by the pod.
      imagePullSecrets:
      - name: default-secret
      containers:
      - image: nginx:latest
        name: container-0
        resources:
          limits:
            cpu: 100m
            memory: 200Mi
          requests:
            cpu: 100m
            memory: 200Mi
        volumeMounts:                             #  Mount the storage volume named secret-volume to the pod.
        - name: secret-volume
          readOnly: true                          #  The mounted storage volume is read-only.
          mountPath: "/etc/secret-volume"         #  Mount path of the storage volume in the container, which can be customized
      volumes:                                    #  Define a secret volume that can be used by the pod.
      - name: secret-volume                       #   Name of the secret volume, which can be customized
        secret:                                   #  Set the type of the storage volume to Secret.
          secretName: sa-example-token            #  Mount sa-example-token to the defined storage volume.

  2. Create a pod and view its details. You can see that sa-example-token is mounted to the pod. The pod uses the token for authentication.

    kubectl create -f sa-pod.yaml

    The command output is as follows:

    pod/sa-pod created

    Use the following command to check whether the pod has been created:

    kubectl get pod

    In the command output, if sa-pod is in the Running state, the pod has been created.

    NAME                     READY   STATUS              RESTARTS   AGE
    sa-pod               1/1     running             0          5s

  3. View the sa-pod details and check whether sa-example-token has been mounted to the pod.

    kubectl describe pod sa-pod

    The command output is as follows:

    ...
    Containers:
      container-0:
        Container ID:   
        Image:          nginx:latest
        Image ID:       
        Port:           <none>
        Host Port:      <none>
        State:          Waiting
          Reason:       ImagePullBackOff
        Ready:          False
        Restart Count:  0
        Limits:
          cpu:     100m
          memory:  200Mi
        Requests:
          cpu:        100m
          memory:     200Mi
        Environment:  <none>
        Mounts:
           #  The sa-example-token has been mounted to the pod, and the pod can use the token for authentication.
          /etc/secret-volume from secret-volume (ro)                                 
           #  Automatically mounted TokenRequest, which can provide a short-term token
          /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-2s4sw (ro)  
    ...

    You can also run the following command to view the corresponding files in the pod. (The path after cd is the same as the mount path of secret-volume.)

    kubectl exec -it sa-pod -- /bin/sh

    cd /etc/secret-volume

    ls

    The command output is as follows:

    ca.crt     namespace  token

  4. Verify that the manually created ServiceAccount token can work.

    1. In a Kubernetes cluster, a Service named kubernetes is created for the API Server by default. Pods can be accessed through this Service. After exiting the pod by pressing Ctrl+D, you can run the following command to view the detailed information about the Service:

      kubectl get svc

      The command output is as follows:

      NAME           TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)          AGE
      kubernetes     ClusterIP   10.247.0.1       <none>        443/TCP          34
    2. Access the pod and check whether the pod can access pod resources in the cluster through the API Server without using the token.

      kubectl exec -it sa-pod -- /bin/sh

      curl https://10.247.0.1:443/api/v1/namespaces/default/pods

      If information similar to the following is displayed, the pod cannot directly access pod resources in the cluster through the API Server.

      curl: (60) SSL certificate problem: unable to get local issuer certificate
      More details here: https://curl.se/docs/sslcerts.html
      
      curl failed to verify the legitimacy of the server and therefore could not
      establish a secure connection to it. To learn more about this situation and
      how to fix it, please visit the web page mentioned above.
    3. Configure the environment variables of ca.crt. Add the path of ca.crt to the CURL_CA_BUNDLE environment variable, which instructs the curl command to use the certificate file as the trust anchor.

      export CURL_CA_BUNDLE = /etc/secret-volume/ca.crt

    4. Add the token content to TOKEN.

      TOKEN=$(cat /etc/secret-volume/token)

      Check whether TOKEN has been configured.

      echo $TOKEN

      If information similar to the following is displayed, the TOKEN has been configured as expected.

      eyJhbGciOiJSUzI1NiIsImtpZCI6I...
    5. Access the API Server using the configured TOKEN.

      curl -H "Authorization: Bearer $TOKEN" https://10.247.0.1:443/api/v1/namespaces/default/pods

      If information similar to the following is displayed, it means that the pod has passed authentication and the manually created ServiceAccount token is in effect. (If the API Server returns cannot get path \"/api/v1/namespaces/default/pods\"", the pod does not have the access permissions. The pod can access the API Server only after being authorized. For details about the authorization mechanism, see RBAC.)

      "kind": "PodList",
        "apiVersion": "v1",
        "metadata": {
          "resourceVersion": "13267712"
        },
        "items": [
          {
            "metadata": {
              "name": "hpa-example-77b9b446f6-nc7b6",
      ...

Sitemizi ve deneyiminizi iyileştirmek için çerezleri kullanırız. Sitemizde tarama yapmaya devam ederek çerez politikamızı kabul etmiş olursunuz. Daha fazla bilgi edinin

Feedback

Feedback

Feedback

0/500

Selected Content

Submit selected content with the feedback