y4h2 commented 2 years ago

在Kubernetes中，ServiceAccount主要用于给Pod提供权限。

ServiceAccount可以和role通过RoleBinding绑定在一起

y4h2 commented 2 years ago

Configure Service Accounts for Pods

Default Service Account

如果什么都不配置，会默认使用Default ServiceAccount

Manually create a service account API token

通过annotation可以把secret绑定到service account上

kubectl apply -f - <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: build-robot-secret
  annotations:
    kubernetes.io/service-account.name: build-robot
type: kubernetes.io/service-account-token
EOF

Add image pull secret to service account

在service account中可以配置image pull secrets

apiVersion: v1
kind: ServiceAccount
metadata:
  creationTimestamp: 2015-08-07T22:02:39Z
  name: default
  namespace: default
  uid: 052fb0f4-3d50-11e5-b066-42010af0d7b6
imagePullSecrets:
- name: myregistrykey

y4h2 commented 2 years ago

Managing Service Accounts

理解User Account和Service Account的区别

User account is for human, service account is for processes running in pods.
User account是global的， service account是基于namespace的
user account的管理更为复杂， service account更加轻便

Service Account Automation

A ServiceAccount admission controller
A Token controller
A ServiceAccount controller

y4h2 / personal-notes

Kubernetes ServiceAccount #35

Default Service Account

Manually create a service account API token

Add image pull secret to service account

Managing Service Accounts

Service Account Automation