Default Service Account
```shell
kubectl create namespace serviceaccount
kubectl run nginx-default-sa --image=nginx -n serviceaccount
kubectl get pods -n serviceaccount
```
• By default the SA token is mounted into the Pod at the path "/var/run/secrets/kubernetes.io/serviceaccount/token".
```shell
kubectl exec -it nginx-default-sa -n serviceaccount -- cat /var/run/secrets/kubernetes.io/serviceaccount/token
```
```shell
kubectl exec -it nginx-default-sa -n serviceaccount -- /bin/bash
```
```shell
# Run inside the Pod: call the API server with the mounted token and CA certificate
APISERVER=https://kubernetes.default.svc
NAMESPACE=$(cat /var/run/secrets/kubernetes.io/serviceaccount/namespace)
TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
CACERT=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
curl --cacert ${CACERT} --header "Authorization: Bearer ${TOKEN}" -X GET ${APISERVER}/api
```
• Confirm that the default service account token has no permission to list Pod information.
```shell
curl --cacert ${CACERT} --header "Authorization: Bearer ${TOKEN}" -X GET ${APISERVER}/api/v1/namespaces/serviceaccount/pods
```
New Service Account
```shell
kubectl create sa security-sa -n serviceaccount
```
```shell
cat << EOF | kubectl apply -f - -n serviceaccount
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: security-sa-role
rules:
- apiGroups:
  - ""
  - "apps"
  - "batch"
  - "extensions"
  resources:
  - "pods"
  # "describe" is a kubectl subcommand, not an API verb, so it is omitted here
  verbs:
  - "get"
  - "list"
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: security-sa-role-binding
subjects:
- kind: ServiceAccount
  name: security-sa
  namespace: serviceaccount
roleRef:
  kind: Role
  name: security-sa-role
  apiGroup: rbac.authorization.k8s.io
EOF
```
```shell
cat > /tmp/nginx-security-sa.yaml <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: nginx-security-sa
  labels:
    app: security-sa
  namespace: serviceaccount
spec:
  serviceAccountName: security-sa
  containers:
  - name: security-sa
    image: nginx
EOF
# The manifest above is only written to disk; create the Pod before exec-ing into it
kubectl apply -f /tmp/nginx-security-sa.yaml
```
```shell
kubectl exec -it nginx-security-sa -n serviceaccount -- /bin/bash
```
• Confirm that Pod information is now returned.
```shell
# Run inside the Pod
APISERVER=https://kubernetes.default.svc
NAMESPACE=$(cat /var/run/secrets/kubernetes.io/serviceaccount/namespace)
TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
CACERT=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
curl --cacert ${CACERT} --header "Authorization: Bearer ${TOKEN}" -X GET ${APISERVER}/api/v1/namespaces/serviceaccount/pods
```
```shell
# Deployments live in the apps group (/apis/apps/v1), not the core /api/v1 group.
# The Role above grants only pods, so this request is expected to be rejected as Forbidden.
curl --cacert ${CACERT} --header "Authorization: Bearer ${TOKEN}" -X GET ${APISERVER}/apis/apps/v1/namespaces/serviceaccount/deployments
```
Using a Service Account from kubeconfig
```shell
cat << EOF | kubectl apply -f - -n serviceaccount
apiVersion: v1
kind: Secret
metadata:
  name: security-sa-secret
  namespace: serviceaccount
  annotations:
    kubernetes.io/service-account.name: security-sa
type: kubernetes.io/service-account-token
EOF
```
```shell
kubectl get secret security-sa-secret -n serviceaccount -o yaml
```
```shell
kubectl config view
```
```shell
# --minify leaves only the current context's cluster, so index 0 is the one we want
CLUSTER=$(kubectl config view --minify -o jsonpath='{.clusters[0].name}')
TOKEN=$(kubectl get secret security-sa-secret -n serviceaccount -o jsonpath='{.data.token}' | base64 -d)
kubectl config set-credentials security-sa -n serviceaccount --token=$TOKEN
kubectl config view
```
• Confirm that, as shown below, the "*" marks the "eks-security" context as the current one.
```shell
kubectl config get-contexts
```
```shell
kubectl config set-context security-sa-context --cluster=$CLUSTER --user=security-sa
kubectl config use-context security-sa-context
kubectl config get-contexts
kubectl get pods -n serviceaccount
```
• Confirm the result of the API call.
```shell
kubectl get deployments -n serviceaccount
```