Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
K
k3s
Project
Project
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Registry
Registry
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Jacklull
k3s
Commits
8dcbebae
Commit
8dcbebae
authored
Aug 14, 2015
by
Jerzy Szczepkowski
Browse files
Options
Browse Files
Download
Plain Diff
Merge pull request #12011 from ZJU-SEL/fix-serviceaccount-doc
fix service-account related doc
parents
55b7500b
1d6c0e28
Hide whitespace changes
Inline
Side-by-side
Showing
4 changed files
with
64 additions
and
18 deletions
+64
-18
authorization.md
docs/admin/authorization.md
+7
-5
service-accounts-admin.md
docs/admin/service-accounts-admin.md
+14
-8
secrets.md
docs/design/secrets.md
+3
-3
service-accounts.md
docs/user-guide/service-accounts.md
+40
-2
No files found.
docs/admin/authorization.md
View file @
8dcbebae
...
@@ -57,10 +57,11 @@ The following implementations are available, and are selected by flag:
...
@@ -57,10 +57,11 @@ The following implementations are available, and are selected by flag:
### Request Attributes
### Request Attributes
A request has
4
attributes that can be considered for authorization:
A request has
5
attributes that can be considered for authorization:
-
user (the user-string which a user was authenticated as).
-
user (the user-string which a user was authenticated as).
-
whether the request is readonly (GETs are readonly)
-
group (the list of group names the authenticated user is a member of).
-
what resource is being accessed
-
whether the request is readonly (GETs are readonly).
-
what resource is being accessed.
-
applies only to the API endpoints, such as
-
applies only to the API endpoints, such as
`/api/v1/namespaces/default/pods`
. For miscellaneous endpoints, like
`/version`
, the
`/api/v1/namespaces/default/pods`
. For miscellaneous endpoints, like
`/version`
, the
resource is the empty string.
resource is the empty string.
...
@@ -78,7 +79,8 @@ The file format is [one JSON object per line](http://jsonlines.org/). There sho
...
@@ -78,7 +79,8 @@ The file format is [one JSON object per line](http://jsonlines.org/). There sho
one map per line.
one map per line.
Each line is a "policy object". A policy object is a map with the following properties:
Each line is a "policy object". A policy object is a map with the following properties:
-
`user`
, type string; the user-string from
`--token-auth-file`
-
`user`
, type string; the user-string from
`--token-auth-file`
. If you specify
`user`
, it must match the username of the authenticated user.
-
`group`
, type string; if you specify
`group`
, it must match one of the groups of the authenticated user.
-
`readonly`
, type boolean, when true, means that the policy only applies to GET
-
`readonly`
, type boolean, when true, means that the policy only applies to GET
operations.
operations.
-
`resource`
, type string; a resource from an URL, such as
`pods`
.
-
`resource`
, type string; a resource from an URL, such as
`pods`
.
...
@@ -151,7 +153,7 @@ type Authorizer interface {
...
@@ -151,7 +153,7 @@ type Authorizer interface {
to determine whether or not to allow each API action.
to determine whether or not to allow each API action.
An authorization plugin is a module that implements this interface.
An authorization plugin is a module that implements this interface.
Authorization plugin code goes in
`pkg/auth/authoriz
ation
/$MODULENAME`
.
Authorization plugin code goes in
`pkg/auth/authoriz
er
/$MODULENAME`
.
An authorization module can be completely implemented in go, or can call out
An authorization module can be completely implemented in go, or can call out
to a remote authorization service. Authorization modules can implement
to a remote authorization service. Authorization modules can implement
...
...
docs/admin/service-accounts-admin.md
View file @
8dcbebae
...
@@ -96,14 +96,15 @@ account, and the controller will update it with a generated token:
...
@@ -96,14 +96,15 @@ account, and the controller will update it with a generated token:
```
json
```
json
secret.json
:
secret.json
:
{
{
"kind"
:
"Secret"
,
"kind"
:
"Secret"
,
"metadata"
:
{
"apiVersion"
:
"v1"
,
"name"
:
"mysecretname"
,
"metadata"
:
{
"annotations"
:
{
"name"
:
"mysecretname"
,
"kubernetes.io/service-account.name"
:
"myserviceaccount"
"annotations"
:
{
}
"kubernetes.io/service-account.name"
:
"myserviceaccount"
}
}
"type"
:
"kubernetes.io/service-account-token"
},
"type"
:
"kubernetes.io/service-account-token"
}
}
```
```
...
@@ -118,6 +119,11 @@ kubectl describe secret mysecretname
...
@@ -118,6 +119,11 @@ kubectl describe secret mysecretname
kubectl delete secret mysecretname
kubectl delete secret mysecretname
```
```
### Service Account Controller
Service Account Controller manages ServiceAccount inside namespaces, and ensures
a ServiceAccount named "default" exists in every active namespace.
<!-- BEGIN MUNGE: GENERATED_ANALYTICS -->
<!-- BEGIN MUNGE: GENERATED_ANALYTICS -->
[

]()
[

]()
...
...
docs/design/secrets.md
View file @
8dcbebae
...
@@ -321,9 +321,9 @@ type Secret struct {
...
@@ -321,9 +321,9 @@ type Secret struct {
type
SecretType
string
type
SecretType
string
const
(
const
(
SecretTypeOpaque
SecretType
=
"Opaque"
// Opaque (arbitrary data; default)
SecretTypeOpaque
SecretType
=
"Opaque"
// Opaque (arbitrary data; default)
SecretType
KubernetesAuthToken
SecretType
=
"KubernetesAuth"
// Kubernetes auth token
SecretType
ServiceAccountToken
SecretType
=
"kubernetes.io/service-account-token"
// Kubernetes auth token
SecretTypeDocker
RegistryAuth
SecretType
=
"DockerRegistryAuth"
// Docker registry auth
SecretTypeDocker
cfg
SecretType
=
"kubernetes.io/dockercfg"
// Docker registry auth
// FUTURE: other type values
// FUTURE: other type values
)
)
...
...
docs/user-guide/service-accounts.md
View file @
8dcbebae
...
@@ -61,7 +61,7 @@ pods/podname -o yaml`), you can see the `spec.serviceAccount` field has been
...
@@ -61,7 +61,7 @@ pods/podname -o yaml`), you can see the `spec.serviceAccount` field has been
You can access the API using a proxy or with a client library, as described in
You can access the API using a proxy or with a client library, as described in
[
Accessing the Cluster
](
accessing-the-cluster.md#accessing-the-api-from-a-pod
)
.
[
Accessing the Cluster
](
accessing-the-cluster.md#accessing-the-api-from-a-pod
)
.
## Using Multiple Service Accounts
## Using Multiple Service Accounts
.
Every namespace has a default service account resource called "default".
Every namespace has a default service account resource called "default".
You can list this and any other serviceAccount resources in the namespace with this command:
You can list this and any other serviceAccount resources in the namespace with this command:
...
@@ -120,6 +120,45 @@ $ kubectl delete serviceaccount/build-robot
...
@@ -120,6 +120,45 @@ $ kubectl delete serviceaccount/build-robot
```
```
<!-- TODO: describe how to create a pod with no Service Account. -->
<!-- TODO: describe how to create a pod with no Service Account. -->
Note that if a pod does not have a
`ServiceAccount`
set, the
`ServiceAccount`
will be set to
`default`
.
## Manually create a service account API token.
Suppose we have an existing service account named "build-robot" as mentioned above, and we create
a new secret manually.
```
console
$
cat
>
/tmp/build-robot-secret.yaml
<<
EOF
apiVersion: v1
kind: Secret
metadata:
name: build-robot-secret
annotations:
kubernetes.io/service-account.name: build-robot
type: kubernetes.io/service-account-token
EOF
$
kubectl create
-f
/tmp/build-robot-secret.yaml
secrets/build-robot-secret
```
Now you can confirm that the newly built secret is populated with an API token for the "build-robot" service account.
```
console
kubectl describe secrets/build-robot-secret
Name: build-robot-secret
Namespace: default
Labels: <none>
Annotations: kubernetes.io/service-account.name=build-robot,kubernetes.io/service-account.uid=870ef2a5-35cf-11e5-8d06-005056b45392
Type: kubernetes.io/service-account-token
Data
====
ca.crt: 1220 bytes
token:
```
> Note that the content of `token` is elided here.
## Adding Secrets to a service account.
## Adding Secrets to a service account.
...
@@ -128,7 +167,6 @@ TODO: Test and explain how to use additional non-K8s secrets with an existing se
...
@@ -128,7 +167,6 @@ TODO: Test and explain how to use additional non-K8s secrets with an existing se
TODO explain:
TODO explain:
-
The token goes to: "/var/run/secrets/kubernetes.io/serviceaccount/$WHATFILENAME"
-
The token goes to: "/var/run/secrets/kubernetes.io/serviceaccount/$WHATFILENAME"
<!-- BEGIN MUNGE: GENERATED_ANALYTICS -->
<!-- BEGIN MUNGE: GENERATED_ANALYTICS -->
[

]()
[

]()
<!-- END MUNGE: GENERATED_ANALYTICS -->
<!-- END MUNGE: GENERATED_ANALYTICS -->
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment