In Kubernetes 1.6 and later, you can opt out of automatically mounting API credentials for a ServiceAccount by setting automountServiceAccountToken: false on the ServiceAccount.
(I have already run the corresponding experiment; it can be found under the relevant category.)
I designed the following experiment to verify this setting:
- Create the relevant resources

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: nfs-client-provisioner
  namespace: nfs
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: nfs-client-provisioner2
  namespace: nfs
automountServiceAccountToken: false
---
apiVersion: v1
kind: Pod
metadata:
  name: nginx
  namespace: nfs
  labels:
    name: nginx
spec:
  serviceAccount: nfs-client-provisioner
  containers:
  - name: nginx
    image: nginx:1.7.9
    resources:
      limits:
        memory: "128Mi"
        cpu: "500m"
    ports:
    - containerPort: 80
---
apiVersion: v1
kind: Pod
metadata:
  name: nginx2
  namespace: nfs
  labels:
    name: nginx2
spec:
  serviceAccount: nfs-client-provisioner2
  containers:
  - name: nginx2
    image: nginx:1.7.9
    resources:
      limits:
        memory: "128Mi"
        cpu: "500m"
    ports:
    - containerPort: 80
```
The experiment creates two ServiceAccounts and two Pods. One of the ServiceAccounts has automountServiceAccountToken set to false, and each Pod is assigned one of the two ServiceAccounts.
- Inspect the resources related to the ServiceAccounts; both ServiceAccounts and their associated Secrets were created correctly.

```bash
kubectl get sa -n nfs
kubectl get secrets -n nfs
```
- Inspect the Pod definitions in YAML form:

```yaml
# nginx
spec:
  containers:
  - image: nginx:1.7.9
    volumeMounts:
    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      name: kube-api-access-jbxhf
      readOnly: true
  volumes:
  - name: kube-api-access-jbxhf
    projected:
      defaultMode: 420
      sources:
      - serviceAccountToken:
          expirationSeconds: 3607
          path: token
      - configMap:
          items:
          - key: ca.crt
            path: ca.crt
          name: kube-root-ca.crt
      - downwardAPI:
          items:
          - fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
            path: namespace
# nginx2 (nginx2 has no such volume or mount at all)
```
Conclusion
The automountServiceAccountToken setting controls whether, when a Pod is created, a Secret (token) that can access the API server is automatically mounted into it.
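As an added example (not part of the original post), the following stdlib-only Python audit reads Pod objects in the JSON shape that `kubectl get pod -o json` returns, reports which containers have a projected service account token mounted, and computes the effective automount setting; the Pod data is constructed to mirror the nginx/nginx2 Pods above. It also encodes the precedence rule the post leaves implicit: a Pod's own spec.automountServiceAccountToken overrides the ServiceAccount's setting, and the default is true.

```python
import json

# Constructed sample modelled on the post's two Pods, trimmed to the relevant fields.
PODS_JSON = """
{"items": [
  {"metadata": {"name": "nginx", "namespace": "nfs"},
   "spec": {"serviceAccountName": "nfs-client-provisioner",
            "containers": [{"name": "nginx", "image": "nginx:1.7.9",
              "volumeMounts": [{"name": "kube-api-access-jbxhf",
                "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", "readOnly": true}]}],
            "volumes": [{"name": "kube-api-access-jbxhf", "projected": {"sources": [
              {"serviceAccountToken": {"expirationSeconds": 3607, "path": "token"}},
              {"configMap": {"name": "kube-root-ca.crt"}}]}}]}},
  {"metadata": {"name": "nginx2", "namespace": "nfs"},
   "spec": {"serviceAccountName": "nfs-client-provisioner2",
            "containers": [{"name": "nginx2", "image": "nginx:1.7.9"}]}}
]}
"""
SAMPLE_PODS = json.loads(PODS_JSON)


def token_mounts(pod: dict) -> list[str]:
    """Return 'container:mountPath' for every mount backed by a projected serviceAccountToken source."""
    spec = pod.get("spec", {})
    token_volumes = {
        v["name"] for v in spec.get("volumes", [])
        if any("serviceAccountToken" in src for src in v.get("projected", {}).get("sources", []))
    }
    mounts = []
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        for m in c.get("volumeMounts", []):
            if m["name"] in token_volumes:
                mounts.append(f"{c['name']}:{m['mountPath']}")
    return mounts


def pods_with_token(pod_list: dict) -> dict[str, list[str]]:
    """Map 'namespace/name' to its token mounts, for Pods that have at least one."""
    result = {}
    for pod in pod_list.get("items", []):
        mounts = token_mounts(pod)
        if mounts:
            result[f"{pod['metadata']['namespace']}/{pod['metadata']['name']}"] = mounts
    return result


def effective_automount(pod_spec: dict, sa: dict) -> bool:
    """Kubernetes precedence: the Pod's own spec.automountServiceAccountToken wins,
    then the ServiceAccount's field, and the default is True."""
    if "automountServiceAccountToken" in pod_spec:
        return bool(pod_spec["automountServiceAccountToken"])
    return bool(sa.get("automountServiceAccountToken", True))


if __name__ == "__main__":
    print(json.dumps(pods_with_token(SAMPLE_PODS), indent=2))
```

Pipe a real `kubectl get pod -A -o json` into `pods_with_token` to find every Pod in a cluster that still receives an API token it may not need.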