An experiment with the automountServiceAccountToken setting

In versions 1.6 and later, you can opt out of automatically mounting API credentials for a ServiceAccount by setting automountServiceAccountToken: false on the ServiceAccount (I have already run the related experiment; it can be found under the relevant category).

I designed the following experiment to verify this setting:

  1. Create the related resources

apiVersion: v1
kind: ServiceAccount
metadata:
  name: nfs-client-provisioner
  namespace: nfs

---

apiVersion: v1
kind: ServiceAccount
metadata:
  name: nfs-client-provisioner2
  namespace: nfs
# opt this ServiceAccount out of automatic token mounting
automountServiceAccountToken: false

---

apiVersion: v1
kind: Pod
metadata:
  name: nginx
  namespace: nfs
  labels:
    name: nginx
spec:
  # serviceAccountName replaces the deprecated serviceAccount field
  serviceAccountName: nfs-client-provisioner
  containers:
  - name: nginx
    image: nginx:1.7.9
    resources:
      limits:
        memory: "128Mi"
        cpu: "500m"
    ports:
      - containerPort: 80

---

apiVersion: v1
kind: Pod
metadata:
  name: nginx2
  namespace: nfs
  labels:
    name: nginx2
spec:
  serviceAccountName: nfs-client-provisioner2
  containers:
  - name: nginx2
    image: nginx:1.7.9
    resources:
      limits:
        memory: "128Mi"
        cpu: "500m"
    ports:
      - containerPort: 80

The experiment creates two ServiceAccounts and two Pods. One of the ServiceAccounts sets automountServiceAccountToken to false, and each Pod references one of the two ServiceAccounts.

  2. Inspect the resources related to the ServiceAccounts; the ServiceAccounts and their associated Secrets were all created correctly.

kubectl get sa -n nfs
kubectl get secrets -n nfs

  3. Viewing the Pods' YAML definitions gives the following:

# nginx
spec:
  containers:
  - image: nginx:1.7.9
    volumeMounts:
    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      name: kube-api-access-jbxhf
      readOnly: true
  volumes:
  - name: kube-api-access-jbxhf
    projected:
      defaultMode: 420
      sources:
      - serviceAccountToken:
          expirationSeconds: 3607
          path: token
      - configMap:
          items:
          - key: ca.crt
            path: ca.crt
          name: kube-root-ca.crt
      - downwardAPI:
          items:
          - fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
            path: namespace

# nginx2 (nginx2 has none of this configuration)

Conclusion

The automountServiceAccountToken setting controls whether, when a Pod is created, a Secret (token) that can access the API server is automatically mounted into it.
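To make the rule behind this conclusion checkable, here is an added example (my own code, not part of the original post) that encodes the precedence Kubernetes applies (a Pod-level automountServiceAccountToken overrides the ServiceAccount's, and the default is true) and audits a rendered Pod spec for the token mount; all objects are constructed inline from the experiment's YAML, and the third Pod (POD_OVERRIDE) is hypothetical.

```python
# Added example: automountServiceAccountToken precedence plus a token-mount audit.
# Objects below are constructed from the experiment's YAML (metadata trimmed).
SA_TOKEN_PATH = "/var/run/secrets/kubernetes.io/serviceaccount"


def decide_automount(sa, pod):
    """True if the API server will inject a token volume into this Pod.

    Rule: pod.spec.automountServiceAccountToken, if set, wins; otherwise the
    ServiceAccount's field; otherwise the Kubernetes default, True.
    """
    pod_flag = pod.get("spec", {}).get("automountServiceAccountToken")
    if pod_flag is not None:
        return bool(pod_flag)
    sa_flag = sa.get("automountServiceAccountToken")
    if sa_flag is not None:
        return bool(sa_flag)
    return True


def token_mounted(rendered_pod):
    """True if any container mounts the ServiceAccount credential path.

    Works on `kubectl get pod -o json` output, like the inspection in step 3.
    """
    spec = rendered_pod.get("spec", {})
    return any(
        m.get("mountPath") == SA_TOKEN_PATH
        for c in spec.get("containers", [])
        for m in c.get("volumeMounts", [])
    )


SA_DEFAULT = {"metadata": {"name": "nfs-client-provisioner"}}
SA_NO_AUTOMOUNT = {"metadata": {"name": "nfs-client-provisioner2"},
                   "automountServiceAccountToken": False}
POD_NGINX = {"spec": {"serviceAccountName": "nfs-client-provisioner"}}
POD_NGINX2 = {"spec": {"serviceAccountName": "nfs-client-provisioner2"}}
# Hypothetical third Pod: the Pod-level field overrides the ServiceAccount.
POD_OVERRIDE = {"spec": {"serviceAccountName": "nfs-client-provisioner2",
                         "automountServiceAccountToken": True}}

# Rendered specs as the API server returned them in step 3 (constructed).
RENDERED_NGINX = {"spec": {"containers": [{"name": "nginx", "volumeMounts": [
    {"mountPath": SA_TOKEN_PATH, "name": "kube-api-access-jbxhf", "readOnly": True}]}]}}
RENDERED_NGINX2 = {"spec": {"containers": [{"name": "nginx2"}]}}

if __name__ == "__main__":
    for sa, pod in ((SA_DEFAULT, POD_NGINX), (SA_NO_AUTOMOUNT, POD_NGINX2),
                    (SA_NO_AUTOMOUNT, POD_OVERRIDE)):
        print(pod["spec"]["serviceAccountName"], "->", decide_automount(sa, pod))
    print("nginx mounted:", token_mounted(RENDERED_NGINX))
    print("nginx2 mounted:", token_mounted(RENDERED_NGINX2))
```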