Revision 1 as of 2021-10-23 08:13:59
Revision 2 as of 2021-10-23 08:17:35
Line 17: | Line 17: |
* Each namespace had it's own default serviceaccount, mounted to each pod automatically. {{{ | * Each namespace had it's own default serviceaccount, very limited, mounted to each pod automatically. {{{ |
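Review bot: the added "very limited" on Line 17 does not say what is limited; naming it (the permissions the default serviceaccount is granted) would make the note usable on its own. While this line is being touched, "it's own" should be "its own".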
Line 23: | Line 23: |
Volumes: | Volumes |
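Review bot: dropping the colon from "Volumes:" on Line 23 makes the pasted kubectl describe output inconsistent with the "Mounts:" label in the same block. This is quoted command output, so it should stay as printed; suggest restoring "Volumes:".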
Line 28: | Line 28: |
* the volume mount, will create 3 files, '''ca.crt''', '''namespace''', '''token''' * defaultservice account can be replaced by specifying '''serviceAccountName:''' in pod definition * can disable defaultservice auto mount with '''automountServiceAccountToken: false''' |
k8s/StudyNotes/ServiceAccounts
- used by e.g. Prometheus, Jenkins
create
kubectl create serviceaccount dashboard-sa
kubectl get serviceaccount
- Service account object creates tokens in secrets that can be mounted and used by services.
- External - export service account token
- Internal - mount token in pod
The token can be used with curl, e.g.
curl https://192.168.56.71:6443/api --insecure --header "Authorization: Bearer eyJ..."
- Each namespace has its own default serviceaccount, very limited, mounted to each pod automatically.

  $ kubectl describe pod my-k8s-pod
  ...
  Mounts:
    /var/run/secrets/kubernetes.io/serviceaccount from default-token-j4hkv (ro)
  ...
  Volumes
    default-token-j4hkv:
      SecretName: default-token-j4hkv
  ...

- The volume mount creates 3 files: ca.crt, namespace, token.
- The default service account can be replaced by specifying serviceAccountName: in the pod definition.
- Automatic mounting of the default service account token can be disabled with automountServiceAccountToken: false.
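An added example, not part of the original notes: a small audit that reports which pods still get a service account token mounted, working on data shaped like `kubectl get pods -o json`. The pod and serviceaccount data are constructed samples, the function names are hypothetical, and the precedence used (a pod-level automountServiceAccountToken overrides the serviceaccount's own setting, and mounting is on when neither is set) is the documented Kubernetes behaviour.

```python
import json

# Constructed sample shaped like `kubectl get pods -o json` (not real cluster data).
SAMPLE_PODS = json.loads("""
{"items": [
  {"metadata": {"name": "my-k8s-pod", "namespace": "default"},
   "spec": {"containers": [{"name": "app"}]}},
  {"metadata": {"name": "dashboard", "namespace": "default"},
   "spec": {"serviceAccountName": "dashboard-sa", "containers": [{"name": "ui"}]}},
  {"metadata": {"name": "batch-job", "namespace": "default"},
   "spec": {"automountServiceAccountToken": false, "containers": [{"name": "job"}]}},
  {"metadata": {"name": "worker", "namespace": "default"},
   "spec": {"serviceAccountName": "no-mount-sa", "containers": [{"name": "w"}]}}
]}
""")

# Constructed: (namespace, serviceaccount) -> its automountServiceAccountToken (None = unset).
SAMPLE_SERVICE_ACCOUNTS = {
    ("default", "default"): None,
    ("default", "dashboard-sa"): None,
    ("default", "no-mount-sa"): False,
}

def token_is_mounted(pod, service_accounts):
    """Resolve the effective automount setting for one pod."""
    spec = pod["spec"]
    pod_setting = spec.get("automountServiceAccountToken")
    if pod_setting is not None:          # pod spec wins when it is set
        return pod_setting
    sa_name = spec.get("serviceAccountName", "default")
    sa_setting = service_accounts.get((pod["metadata"]["namespace"], sa_name))
    return True if sa_setting is None else sa_setting   # unset everywhere: mounted

def audit(pods, service_accounts):
    """Return (pod, serviceaccount, kind) for every pod that gets a token mounted."""
    findings = []
    for pod in pods["items"]:
        if not token_is_mounted(pod, service_accounts):
            continue
        sa_name = pod["spec"].get("serviceAccountName", "default")
        kind = "default-sa-token" if sa_name == "default" else "custom-sa-token"
        findings.append((pod["metadata"]["name"], sa_name, kind))
    return findings

if __name__ == "__main__":
    for name, sa, kind in audit(SAMPLE_PODS, SAMPLE_SERVICE_ACCOUNTS):
        print(f"{name}: token for serviceaccount '{sa}' is mounted ({kind})")
```

Pods reported as default-sa-token are the ones where automountServiceAccountToken: false or a dedicated serviceAccountName: has not been applied.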