背景

在kubernetes容器中使用kubectl客户端获取kubernetes集群中的资源信息或者是执行一些脚本。

kubernetes中RBAC机制

image.png

1、创建subject service account资源：

kubectl create serviceaccount <service_account_name> -n namespace

比如：

kubectl create serviceaccount initdb -n kube-system

还可以通过yaml的方式创建service account：

apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: default
  name: example

查看创建好的service account，可以看到会自动创建一个secret，secret，就是这个 ServiceAccount 对应的、用来跟 APIServer 进行交互的授权文件，我们一般称它为：Token。Token 文件的内容一般是证书或者密码，它以一个 Secret 对象的方式保存在 Etcd 当中

apiVersion: v1
kind: ServiceAccount
metadata:
  name: example
  namespace: default
  resourceVersion: "6234756"
  selfLink: /api/v1/namespaces/default/serviceaccounts/example
  uid: 34a93e41-83b5-4cab-ba95-6859a7e57da7
secrets:
- name: example-token-fplk6

可以查看secret的内容，里面包含了证书：

apiVersion: v1
data:
  ca.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUN5RENDQWJDZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwcmRXSmwKY201bGRHVnpNQjRYRFRJek1ESXlOekE1TURBME5Wb1hEVE16TURJeU5EQTVNREEwTlZvd0ZURVRNQkVHQTFVRQpBeE1LYTNWaVpYSnVaWFJsY3pDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBTzdLCjRoY2JaN2cvZWVLNXlSYU1JeVhOQitjSGdGOHhWL1prYm43NzlRNU9WeVB2ekxrbUJyclFHVG1CeG12eG1BczAKeVlRM1dlUVdBbHdxNHNJMHlraWJ3VzhEK1E0MXhsMm9mNmZhQWRpS0N4MzJJd2lEZytncThpM0plTERmZUd6bApFbU1kS3MxMFV1NGxvV2NJUGQ5RkNOMXVRbEpmK0MxTU5yYjVWazhpYTJhSzRsK2E0YVkwS0NIVHJrSVp0RXJPCjExalZyNTB6SExYTGc1VldGeDhUamE4c3ladllGdlFqd0JnakU3WGM2SmFoczhsUGovaGZMdy90T2Y2MHRYNEQKbmRCaittMUkvSnBPSENEQzkwdENnYWF3cVA1WlFBOVp0L3N4SnUzcGV0UjVZSTYvbzc3NjViVVJGUVNsVGlDcwovSnhpcUVRakpIZU5paStLRzljQ0F3RUFBYU1qTUNFd0RnWURWUjBQQVFIL0JBUURBZ0trTUE4R0ExVWRFd0VCCi93UUZNQU1CQWY4d0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFPZGY2aSs2SUNPYXZ4M0FQc1hvdnVVQXFmRk8KYjhYS0RoK2lESE9xVGRIdlUzbEZxWHFxcWw2QVZrbkp3c1phWDVoSDFJZHpqNlk2QnJQZzI1QmR1dkR5eEMzTApHUDZxNVNjZTk4bHRrRnRFM28wTmZmb2R0bSsvL2dqS2ZnZXE3THBoUi9yQ2xWUTlXc1cxMTFQZHJ3VWU1NG1sCkdhM1I5WXBCcjdoOTh2VHpWYXA5OGtSY21kTGZ3dkF1N21JWVcvN2tPZEo5V01obEJtU3djQ3dOMVR4YzBzQlkKRk5SL1lQZ1JHcDMyQnlJMndZdnZIOGhDbFIvSlVWdGl1NlEvSDlnQWFueDRmSnpmbWt6dnVYMWxENm42SjA2YgpsckQ1amZ4dC9xOGRhUkxGVUNYMElRMjdMS1B0VmdJMzhNMkFUalRZMVpQamdoQUpNeTRDQ2FROGhxWT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
  namespace: ZGVmYXVsdA==
  token: ZXlKaGJHY2lPaUpTVXpJMU5pSXNJbXRwWkNJNkluWlRUVjlWUVhwUk5XMUliVk5JVXpSUVEyRmFWM0ZPZGtRMExYYzJMVzFoYmpSRmRGTlNXbmM0ZEVVaWZRLmV5SnBjM01pT2lKcmRXSmxjbTVsZEdWekwzTmxjblpwWTJWaFkyTnZkVzUwSWl3aWEzVmlaWEp1WlhSbGN5NXBieTl6WlhKMmFXTmxZV05qYjNWdWRDOXVZVzFsYzNCaFkyVWlPaUprWldaaGRXeDBJaXdpYTNWaVpYSnVaWFJsY3k1cGJ5OXpaWEoyYVdObFlXTmpiM1Z1ZEM5elpXTnlaWFF1Ym1GdFpTSTZJbVY0WVcxd2JHVXRkRzlyWlc0dFpuQnNhellpTENKcmRXSmxjbTVsZEdWekxtbHZMM05sY25acFkyVmhZMk52ZFc1MEwzTmxjblpwWTJVdFlXTmpiM1Z1ZEM1dVlXMWxJam9pWlhoaGJYQnNaU0lzSW10MVltVnlibVYwWlhNdWFXOHZjMlZ5ZG1salpXRmpZMjkxYm5RdmMyVnlkbWxqWlMxaFkyTnZkVzUwTG5WcFpDSTZJak0wWVRrelpUUXhMVGd6WWpVdE5HTmhZaTFpWVRrMUxUWTROVGxoTjJVMU4yUmhOeUlzSW5OMVlpSTZJbk41YzNSbGJUcHpaWEoyYVdObFlXTmpiM1Z1ZERwa1pXWmhkV3gwT21WNFlXMXdiR1VpZlEuTEJxaTdPMld4OVJRbGZQNUxWelBCX3c2alRTME5yNmJaX0V3MXZiOHhSOExKR0pBa09ScVdMeXNmcDdEa0MzV29BeGtCd01zRjQ2UmJ4c1YtZXVvR1hWQWUzSXMxV1lJa3NzNDc4YnJpaWtPVEVrdWp6bU9EeFFTelpIaVNXQW1BUHgwQkhCODE3VXQ5b2dOWDVJVi1HTWdqaDBYZTJjZGJuVm1DN0xnNTZiUjN0cW9wMWgxZmp5azlZVnNLdmFCV05PelFMVHR4eEoycXhQRTVjNE5reUpDTncxWGdUVnByU3d1bWhGNm5maXVmRFdrUlNWdERyb1dkbmllOXI4aEs5VDFpU2JTTWFSbm5uMVNVN3JLQ2d4bS1odVdxTHFxbnA4RXZiNmxFOTY4U1RwYTAtV2lRXy16TWNuNG1icjVJSjVQcWZyOEwzeUN3cjQ1X0cxZUVB
kind: Secret
metadata:
  name: example-token-fplk6
  namespace: default
  resourceVersion: "6234755"
  selfLink: /api/v1/namespaces/default/secrets/example-token-fplk6
  uid: bde5d411-5e12-4b14-b977-2fad7afa0d23
type: kubernetes.io/service-account-token

secret 对象，被 Kubernetes 自动挂载到了容器的/var/run/secrets/kubernetes.io/serviceaccount 目录下，可以进入到容器中看到挂在的内容：

# kubectl exec -it nginx sh
# cd /var/run/secrets/kubernetes.io/serviceaccount
# ls
ca.crt namespace  token
# cat namespace
default

容器里的应用就会使用ca.crt文件来访问API Server。
2、k8s内置了好多clusterrole资源，cluster role资源代表了被作用者service account拥有的操作集群中资源的权限比如get,list,delete,watch等。我们使用cluster-admin这个clusterrole来给予上面创建的service account资源权限，特别说明cluster-admin这个clusterrole的权限比较大，具有操作集群中任何资源的权限，所以谨慎使用。

kubectl create clusterrolebinding <cluster_role_binding_name> --clusterrole=cluster-admin --serviceaccount=<namespace-name>:<service_account_name>

比如：

kubectl create clusterrolebinding initdb --clusterrole=cluster-admin --serviceaccount=kube-system:initdb

3、上面创建资源已经就绪，接下来就是在pod中使用创建的service account，在模版中指定serviceAccountName字段的值，此处我创建的是helm chart中的一个post-install-hook资源：

apiVersion: batch/v1
kind: Job
metadata:
  name: {{ .Release.Name }}-post-install-job
  annotations:
    "helm.sh/hook": post-install
    "helm.sh/hook-weight": "-5"
    "helm.sh/hook-delete-policy": hook-succeeded
spec:
  template:
    metadata:
      name: {{ .Release.Name }}
      labels:
        release: {{ .Release.Name }}
        chart: {{ .Chart.Name }}
        version: {{ .Chart.Version }}
    spec:
      serviceAccountName: initdb
      restartPolicy: Never
      containers:
      - name: post-install-job
        image: tkestack/kubectl:1.22.7
        command: ["/bin/bash", "/opt/init.sh"]
        volumeMounts:
        - mountPath: "/opt/init.sh"
          name: config-db
          subPath: init.sh
      volumes:
      - name: config-db
        configMap:
          name: config-db