Ubuntu で Kubernetes 三昧その６(clusterrole, serviceaccount, Deployment)

Ubuntu で Kubernetes 三昧その５-２(Weave Net CNI)の続きです。

DeploymentのPodをcreateしたいのですが、serviceaccount に、read権限だけをつけておいたもので試してみます。

まずは、このレポジトリをクローンします。

コントロールプレーンです。

$ sudo apt install git
$ git clone https://github.com/AdminTurnedDevOps/kubernetes-examples.git

clusterroleを確認します。
コントロールプレーンです。

@controlplane1:~$ kubectl get clusterrole | awk '{print $1}'
NAME
admin
cluster-admin
edit
kubeadm:get-nodes
system:aggregate-to-admin
system:aggregate-to-edit
system:aggregate-to-view
system:auth-delegator
system:basic-user
system:certificates.k8s.io:certificatesigningrequests:nodeclient
system:certificates.k8s.io:certificatesigningrequests:selfnodeclient
system:certificates.k8s.io:kube-apiserver-client-approver
system:certificates.k8s.io:kube-apiserver-client-kubelet-approver
system:certificates.k8s.io:kubelet-serving-approver
system:certificates.k8s.io:legacy-unknown-approver
system:controller:attachdetach-controller
system:controller:certificate-controller
system:controller:clusterrole-aggregation-controller
system:controller:cronjob-controller
system:controller:daemon-set-controller
system:controller:deployment-controller
system:controller:disruption-controller
system:controller:endpoint-controller
system:controller:endpointslice-controller
system:controller:endpointslicemirroring-controller
system:controller:ephemeral-volume-controller
system:controller:expand-controller
system:controller:generic-garbage-collector
system:controller:horizontal-pod-autoscaler
system:controller:job-controller
system:controller:legacy-service-account-token-cleaner
system:controller:namespace-controller
system:controller:node-controller
system:controller:persistent-volume-binder
system:controller:pod-garbage-collector
system:controller:pv-protection-controller
system:controller:pvc-protection-controller
system:controller:replicaset-controller
system:controller:replication-controller
system:controller:resourcequota-controller
system:controller:root-ca-cert-publisher
system:controller:route-controller
system:controller:selinux-warning-controller
system:controller:service-account-controller
system:controller:service-cidrs-controller
system:controller:service-controller
system:controller:statefulset-controller
system:controller:ttl-after-finished-controller
system:controller:ttl-controller
system:controller:validatingadmissionpolicy-status-controller
system:coredns
system:discovery
system:heapster
system:kube-aggregator
system:kube-controller-manager
system:kube-dns
system:kube-scheduler
system:kubelet-api-admin
system:monitoring
system:node
system:node-bootstrapper
system:node-problem-detector
system:node-proxier
system:persistent-volume-provisioner
system:public-info-viewer
system:service-account-issuer-discovery
system:volume-scheduler
view
weave-net

reader という clusterrole を作成します。

@controlplane1:~/kubernetes-examples/RBAC/ClusterRoles$ kubectl apply -f clusterole.yaml
clusterrole.rbac.authorization.k8s.io/reader created
fujiwara@controlplane1:~/kubernetes-examples/RBAC/ClusterRoles$ kubectl get clusterrole  | awk '{print $1}'
NAME
admin
cluster-admin
edit
kubeadm:get-nodes
reader <<--- 追加された
(...snip...)

yamlファイルのserviceaccountをreaderに変更します。

@controlplane1:~/kubernetes-examples/serviceaccount-specification$ sed -i 's/podcreator/reader/' nginx.yaml

Deploymentを作成します。

@controlplane1:~/kubernetes-examples/serviceaccount-specification$ kubectl apply -f nginx.yaml 
deployment.apps/nginx-deployment created

でも、Deploymentはできていません。これは、readerというserviceaccount が存在しないためです。

@controlplane1:~/kubernetes-examples/serviceaccount-specification$ kubectl get deployments
NAME               READY   UP-TO-DATE   AVAILABLE   AGE
nginx-deployment   0/2     0            0           2m31s

削除します。

@controlplane1:~/kubernetes-examples/serviceaccount-specification$ kubectl delete deploy nginx-deployment
deployment.apps "nginx-deployment" deleted

設定を元に戻します。

@controlplane1:~/kubernetes-examples/serviceaccount-specification$ sed -i 's/reader/podcreator/' nginx.yaml

podcreator というserviceaccountを作成します。

@controlplane1:~/kubernetes-examples/RBAC/ClusterRoles/WriteRole$ source createsa.sh
serviceaccount/podcreator created
NAME         SECRETS   AGE
podcreator   0         0s

clusterrolebinding します。

@controlplane1:~/kubernetes-examples/RBAC/ClusterRoles/WriteRole$ kubectl apply -f rolebinding.yaml 
rolebinding.rbac.authorization.k8s.io/write-pod-default created

もう一度 Deployment を作成します。

@controlplane1:~/kubernetes-examples/serviceaccount-specification$ kubectl apply -f nginx.yaml
deployment.apps/nginx-deployment created

今度はちゃんとできたでしょうか。

controlplane1:~/kubernetes-examples/serviceaccount-specification$ kubectl get deployments
NAME               READY   UP-TO-DATE   AVAILABLE   AGE
nginx-deployment   2/2     2            2           28s

@controlplane1:~/kubernetes-examples/serviceaccount-specification$ kubectl get replicaset
NAME                          DESIRED   CURRENT   READY   AGE
nginx-deployment-5fb8c7d9f9   2         2         2       17s

@controlplane1:~/kubernetes-examples/serviceaccount-specification$ kubectl get pods
NAME                                READY   STATUS    RESTARTS   AGE
nginx-deployment-5fb8c7d9f9-5nqm5   1/1     Running   0          22s
nginx-deployment-5fb8c7d9f9-zt2tp   1/1     Running   0          22s

Ubuntu で Kubernetes 三昧その７(Deamonset)につづく。

参考：