Kubectl Basics ②

① Create a ServiceAccount

・Create a file named sample-serviceaccount.yaml with the following contents

apiVersion: v1
kind: ServiceAccount
metadata:
  name: sample-serviceaccount
  namespace: default

・The ServiceAccount is created

Run the following command

$ kubectl apply -f sample-serviceaccount.yaml
serviceaccount/sample-serviceaccount created

・Besides the default ServiceAccount that exists from the start, the ServiceAccount we just created is now listed

Run the following command
$ kubectl get serviceaccount
NAME                    SECRETS   AGE
default                 1         9m31s
sample-serviceaccount   1         18s

② Get Pod information from inside a Pod

● A Secret named after the ServiceAccount has been added

$ kubectl get secret
NAME                                TYPE                                  DATA   AGE
default-token-sxcgt                 kubernetes.io/service-account-token   3      3m5s
sample-serviceaccount-token-4qnz7   kubernetes.io/service-account-token   3      54s

● sample-serviceaccount-pod.yaml
apiVersion: v1
kind: Pod
metadata:
  name: sample-kubectl
spec:
  serviceAccountName: sample-serviceaccount
  containers:
  - name: kubectl-container
    image: lachlanevenson/k8s-kubectl:v1.10.4
    command: ["sleep", "86400"]

● Start a Pod that specifies the ServiceAccount we created.

$ kubectl apply -f sample-serviceaccount-pod.yaml
pod/sample-kubectl created

● The Secret's contents (CA certificate, namespace and token) are mounted inside the Pod
$ kubectl exec -it sample-kubectl -- ls /var/run/secrets/kubernetes.io/serviceaccount
ca.crt     namespace  token

● In this state, run kubectl get pods from inside the Pod to see whether Pod information can be retrieved.

→ Result: NG (forbidden)
$ kubectl exec -it sample-kubectl -- kubectl get pods
Error from server (Forbidden): pods is forbidden: User "system:serviceaccount:default:sample-serviceaccount" cannot list resource "pods" in API group "" in the namespace "default"
command terminated with exit code 1

● List the ClusterRoles. Many are shown; the ones whose names start with system: are the ones used by the system components themselves.

$ kubectl get clusterrole
NAME AGE
admin 15m
cluster-admin 15m
edit 15m
system:aggregate-to-admin 15m
system:aggregate-to-edit 15m
system:aggregate-to-view 15m
system:auth-delegator 15m
system:basic-user 15m
system:certificates.k8s.io:certificatesigningrequests:nodeclient 15m
system:certificates.k8s.io:certificatesigningrequests:selfnodeclient 15m
system:controller:attachdetach-controller 15m
system:controller:certificate-controller 15m
system:controller:clusterrole-aggregation-controller 15m
system:controller:cronjob-controller 15m
system:controller:daemon-set-controller 15m
system:controller:deployment-controller 15m
system:controller:disruption-controller 15m
system:controller:endpoint-controller 15m
system:controller:expand-controller 15m
system:controller:generic-garbage-collector 15m
system:controller:horizontal-pod-autoscaler 15m
system:controller:job-controller 15m
system:controller:namespace-controller 15m
system:controller:node-controller 15m
system:controller:persistent-volume-binder 15m
system:controller:pod-garbage-collector 15m
system:controller:pv-protection-controller 15m
system:controller:pvc-protection-controller 15m
system:controller:replicaset-controller 15m
system:controller:replication-controller 15m
system:controller:resourcequota-controller 15m
system:controller:route-controller 15m
system:controller:service-account-controller 15m
system:controller:service-controller 15m
system:controller:statefulset-controller 15m
system:controller:ttl-controller 15m
system:coredns 15m
system:csi-external-attacher 15m
system:csi-external-provisioner 15m
system:discovery 15m
system:heapster 15m
system:kube-aggregator 15m
system:kube-controller-manager 15m
system:kube-dns 15m
system:kube-scheduler 15m
system:kubelet-api-admin 15m
system:node 15m
system:node-bootstrapper 15m
system:node-problem-detector 15m
system:node-proxier 15m
system:persistent-volume-provisioner 15m
system:public-info-viewer 15m
system:volume-scheduler 15m
view 15m


● Check the details of the ClusterRole named view. For pods, the verbs get/list/watch are allowed

$ kubectl describe clusterrole view
Name: view
Labels: kubernetes.io/bootstrapping=rbac-defaults
rbac.authorization.k8s.io/aggregate-to-edit=true
Annotations: rbac.authorization.kubernetes.io/autoupdate: true
PolicyRule:
Resources Non-Resource URLs Resource Names Verbs
--------- ----------------- -------------- -----
bindings [get list watch]
configmaps [get list watch]
endpoints [get list watch]
events [get list watch]
limitranges [get list watch]
namespaces/status [get list watch]
namespaces [get list watch]
persistentvolumeclaims [get list watch]
pods/log [get list watch]
pods/status [get list watch]
pods [get list watch]
replicationcontrollers/scale [get list watch]
replicationcontrollers/status [get list watch]
replicationcontrollers [get list watch]
resourcequotas/status [get list watch]
resourcequotas [get list watch]
serviceaccounts [get list watch]
services [get list watch]
controllerrevisions.apps [get list watch]
daemonsets.apps [get list watch]
deployments.apps/scale [get list watch]
deployments.apps [get list watch]
replicasets.apps/scale [get list watch]
replicasets.apps [get list watch]
statefulsets.apps/scale [get list watch]
statefulsets.apps [get list watch]
horizontalpodautoscalers.autoscaling [get list watch]
cronjobs.batch [get list watch]
jobs.batch [get list watch]
daemonsets.extensions [get list watch]
deployments.extensions/scale [get list watch]
deployments.extensions [get list watch]
ingresses.extensions [get list watch]
networkpolicies.extensions [get list watch]
replicasets.extensions/scale [get list watch]
replicasets.extensions [get list watch]
replicationcontrollers.extensions/scale [get list watch]
ingresses.networking.k8s.io [get list watch]
networkpolicies.networking.k8s.io [get list watch]
poddisruptionbudgets.policy [get list watch]


● Create a ClusterRoleBinding

$ kubectl apply -f sample-clusterrolebinding.yaml
clusterrolebinding.rbac.authorization.k8s.io/sample-clusterrolebinding created

● It is bound to the ServiceAccount sample-serviceaccount
$ kubectl describe clusterrolebinding sample-clusterrolebinding
Name: sample-clusterrolebinding
Labels: <none>
Annotations: kubectl.kubernetes.io/last-applied-configuration:
{"apiVersion":"rbac.authorization.k8s.io/v1","kind":"ClusterRoleBinding","metadata":{"annotations":{},"name":"sample-clusterrolebinding"},...
Role:
Kind: ClusterRole
Name: view
Subjects:
Kind Name Namespace
---- ---- ---------
ServiceAccount sample-serviceaccount default
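● The file sample-clusterrolebinding.yaml applied above is not shown on this page. The first manifest below is an added reconstruction from the describe output (not the author's file); the second document after --- is an alternative, also added here, that binds the same built-in view ClusterRole with a namespace-scoped RoleBinding, which is enough for the kubectl get pods test in the default namespace and does not grant read access to other namespaces.

```yaml
# sample-clusterrolebinding.yaml, reconstructed from the describe output above
# (the page does not show the original file). A ClusterRoleBinding grants the
# "view" ClusterRole cluster-wide, i.e. in every namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: sample-clusterrolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: view
subjects:
- kind: ServiceAccount
  name: sample-serviceaccount
  namespace: default
---
# Least-privilege alternative (added here, name "sample-rolebinding" is
# assumed): a RoleBinding may reference a ClusterRole, but the permissions it
# grants apply only inside the namespace the RoleBinding lives in.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: sample-rolebinding
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: view
subjects:
- kind: ServiceAccount
  name: sample-serviceaccount
  namespace: default
```

Either binding can be checked without exec-ing into the Pod: kubectl auth can-i list pods --as=system:serviceaccount:default:sample-serviceaccount answers yes or no for the default namespace, and adding -n kube-system shows that only the ClusterRoleBinding variant extends to other namespaces.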


● Now that the permission has been granted, run kubectl get pods from the earlier Pod again.
$ kubectl exec -it sample-kubectl -- kubectl get pods
NAME             READY   STATUS    RESTARTS   AGE
sample-kubectl   1/1     Running   0          9m