
kubernetes - What is the difference between a service account and a context in Kubernetes?

Reposted. Author: 行者123. Updated: 2023-12-04 13:19:00

What is the practical difference between the two? When should I choose one over the other?

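For example, if I'd like to give a developer in my project access to just view the logs of a pod. It seems both a service account or a context could be assigned these permissions via a RoleBinding.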

Best answer

What is a service account?

From the Docs

User accounts are for humans. Service accounts are for processes, which run in pods.

User accounts are intended to be global...Service accounts are namespaced.



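Context

A context relates to the kubeconfig file (~/.kube/config). As you know, the kubeconfig file is a YAML file, and its context section holds your user/token and cluster references. Contexts are really useful when you have multiple clusters: you can define all your clusters and users in a single kubeconfig file, and then switch between them with the help of contexts (for example: kubectl config --kubeconfig=config-demo use-context dev-frontend).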

From the Docs
apiVersion: v1
clusters:
- cluster:
    certificate-authority: fake-ca-file
    server: https://1.2.3.4
  name: development
- cluster:
    insecure-skip-tls-verify: true
    server: https://5.6.7.8
  name: scratch
contexts:
- context:
    cluster: development
    namespace: frontend
    user: developer
  name: dev-frontend
- context:
    cluster: development
    namespace: storage
    user: developer
  name: dev-storage
- context:
    cluster: scratch
    namespace: default
    user: experimenter
  name: exp-scratch
current-context: ""
kind: Config
preferences: {}
users:
- name: developer
  user:
    client-certificate: fake-cert-file
    client-key: fake-key-file
- name: experimenter
  user:
    password: some-password
    username: exp

As you can see above, there are 3 contexts, each holding references to a cluster and a user.

..if I'd like to give a developer in my project access to just view the logs of a pod. It seems both a service account or a context could be assigned these permissions via a RoleBinding.



That's right: you need to create a service account, a Role (or ClusterRole) and a RoleBinding (or ClusterRoleBinding), generate a kubeconfig file that contains the service account token, and give it to your developer.

I have a script to generate a kubeconfig file that takes a service account name as an argument. Feel free to check it out.

Update:

If you want to create a Role and RoleBinding, this might help

Regarding "kubernetes - What is the difference between a service account and a context in Kubernetes?", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/56317780/
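
The procedure from the answer (service account, Role, RoleBinding, then a kubeconfig carrying the token), sketched as an added example that is not the answerer's script. The function names and the `log-viewer` and `pod-log-reader` object names are hypothetical; cluster values are passed in by the caller.

```shell
# Added example; function and object names are hypothetical.
# Usage: render_log_viewer_rbac <namespace> <serviceaccount>
render_log_viewer_rbac() {
  ns=$1 sa=$2
  cat <<EOF
apiVersion: v1
kind: ServiceAccount
metadata: {name: ${sa}, namespace: ${ns}}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata: {name: pod-log-reader, namespace: ${ns}}
rules:
- apiGroups: [""]
  resources: ["pods"]        # look the pod up by name
  verbs: ["get", "list"]
- apiGroups: [""]
  resources: ["pods/log"]    # read-only log subresource
  verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata: {name: ${sa}-pod-log-reader, namespace: ${ns}}
subjects:
- {kind: ServiceAccount, name: ${sa}, namespace: ${ns}}
roleRef: {apiGroup: rbac.authorization.k8s.io, kind: Role, name: pod-log-reader}
EOF
}

# Usage: render_sa_kubeconfig <cluster> <server> <ca-file> <namespace> <sa> <token>
render_sa_kubeconfig() {
  cluster=$1 server=$2 ca=$3 ns=$4 sa=$5 token=$6
  cat <<EOF
apiVersion: v1
kind: Config
clusters:
- name: ${cluster}
  cluster:
    server: ${server}
    certificate-authority: ${ca}
contexts:
- name: ${sa}@${cluster}
  context: {cluster: ${cluster}, namespace: ${ns}, user: ${sa}}
current-context: ${sa}@${cluster}
users:
- name: ${sa}
  user:
    token: ${token}
EOF
}
```

Pipe the first function into `kubectl apply -f -`, obtain a time-limited token with `kubectl create token log-viewer -n frontend` (Kubernetes 1.24 and later), and pass it to the second function. The scope can be checked with `kubectl auth can-i get pods --subresource=log -n frontend --as=system:serviceaccount:frontend:log-viewer`.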
