Experiments with ServiceAccount API Tokens and ImagePullSecrets

Manually creating a ServiceAccount API Token

  1. Create the resources with the following configuration:

apiVersion: v1
kind: Namespace
metadata:
  name: practice01

---

apiVersion: v1
kind: ServiceAccount
metadata:
  name: practice01
  namespace: practice01

  1. Inspect the resources

kubectl get sa -n practice01
kubectl get secrets -n practice01

# At this point only one Secret is referenced
kubectl describe sa -n practice01

  1. Create a custom ServiceAccount token

apiVersion: v1
kind: Secret
metadata:
  name: practice01-token-customer
  namespace: practice01
  annotations: 
    kubernetes.io/service-account.name: practice01
type: kubernetes.io/service-account-token

  1. Inspect the resources

kubectl get sa -n practice01
kubectl get secrets -n practice01

# At this point two Secrets are referenced
kubectl describe sa -n practice01
# Name:                default
# Namespace:           practice01
# Labels:              <none>
# Annotations:         <none>
# Image pull secrets:  <none>
# Mountable secrets:   default-token-87gfr
# Tokens:              default-token-87gfr
# Events:              <none>


# Name:                practice01
# Namespace:           practice01
# Labels:              <none>
# Annotations:         <none>
# Image pull secrets:  <none>
# Mountable secrets:   practice01-token-sxkxf
# Tokens:              practice01-token-customer
#                      practice01-token-sxkxf
# Events:              <none>

Adding an ImagePullSecret to a ServiceAccount

  1. Create an imagePullSecret

kubectl create secret docker-registry practice01-image-pull-secret \
    --docker-server=DOCKER_REGISTRY_SERVER \
    --docker-username=DOCKER_USER \
    --docker-password=DOCKER_PASSWORD \
    --docker-email=DOCKER_EMAIL

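After running the command above I got the following. I prefer creating resources from YAML, since it is convenient for note-taking, but this resource does not seem to be creatable from YAML (at least I do not know how yet).

Note the Secret resource's type field, which states what kind of Secret it is; I have collected two examples so far.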

apiVersion: v1
data:
  .dockerconfigjson: eyJhdXRocyI6eyJET0NLRVJfUkVHSVNUUllfU0VSVkVSIjp7InVzZXJuYW1lIjoiRE9DS0VSX1VTRVIiLCJwYXNzd29yZCI6IkRPQ0tFUl9QQVNTV09SRCIsImVtYWlsIjoiRE9DS0VSX0VNQUlMIiwiYXV0aCI6IlJFOURTMFZTWDFWVFJWSTZSRTlEUzBWU1gxQkJVMU5YVDFKRSJ9fX0=
kind: Secret
metadata:
  creationTimestamp: "2022-01-06T08:28:15Z"
  name: practice01-image-pull-secret
  namespace: nfs
  resourceVersion: "169211"
  uid: ab9eee1e-c5a9-4dd6-9f20-bbe2fde2c184
type: kubernetes.io/dockerconfigjson
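
The `.dockerconfigjson` value in the Secret above is base64-encoded JSON, not ciphertext, so anyone who can read Secrets in the namespace can recover the registry credentials. The following is an added example, not part of the original notes: `decode_dockerconfigjson` is a hypothetical helper name, and its input is the value copied from the output above.

```python
import base64
import json

# data[".dockerconfigjson"] copied from the Secret output above; it encodes
# only the placeholder strings that were passed to `kubectl create secret`.
DOCKERCONFIGJSON_B64 = (
    "eyJhdXRocyI6eyJET0NLRVJfUkVHSVNUUllfU0VSVkVSIjp7InVzZXJuYW1lIjoiRE9DS0VS"
    "X1VTRVIiLCJwYXNzd29yZCI6IkRPQ0tFUl9QQVNTV09SRCIsImVtYWlsIjoiRE9DS0VSX0VN"
    "QUlMIiwiYXV0aCI6IlJFOURTMFZTWDFWVFJWSTZSRTlEUzBWU1gxQkJVMU5YVDFKRSJ9fX0="
)


def decode_dockerconfigjson(b64_value):
    """Decode a kubernetes.io/dockerconfigjson payload into per-registry credentials."""
    try:
        config = json.loads(base64.b64decode(b64_value, validate=True))
        auths = config["auths"]
    except (ValueError, KeyError, TypeError) as exc:
        raise ValueError(f"not a dockerconfigjson payload: {exc}") from exc

    results = []
    for registry, entry in auths.items():
        # "auth" is base64("username:password"); split on the first colon only,
        # because a password may itself contain ':'.
        packed = base64.b64decode(entry.get("auth", "")).decode()
        user, _, password = packed.partition(":")
        username = entry.get("username", user)
        secret = entry.get("password", password)
        results.append({
            "registry": registry,
            "username": username,
            "password": secret,
            # True when the explicit fields agree with the packed "auth" value.
            "auth_consistent": (username, secret) == (user, password),
        })
    return results


if __name__ == "__main__":
    for cred in decode_dockerconfigjson(DOCKERCONFIGJSON_B64):
        # Print only the password length so real values do not land in logs.
        print(cred["registry"], cred["username"],
              f"password: {len(cred['password'])} chars",
              f"auth_consistent={cred['auth_consistent']}")
```

Because the encoding is reversible, access to this Secret should be limited with RBAC to the subjects that actually need to pull images.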
