Kubernetes Galore on Ubuntu, Part 6 (clusterrole, serviceaccount, Deployment)

Posted at 2025-06-23

This is a continuation of Kubernetes Galore on Ubuntu, Part 5-2 (Weave Net CNI).

I want to create the Pods of a Deployment, but first I will try it with a pod spec that points at a read-only identity, `reader`, and see what happens.

First, clone this repository.

On the control plane:

$ sudo apt install git
$ git clone https://github.com/AdminTurnedDevOps/kubernetes-examples.git

Check the ClusterRoles that already exist.
On the control plane:

@controlplane1:~$ kubectl get clusterrole | awk '{print $1}'
NAME
admin
cluster-admin
edit
kubeadm:get-nodes
system:aggregate-to-admin
system:aggregate-to-edit
system:aggregate-to-view
system:auth-delegator
system:basic-user
system:certificates.k8s.io:certificatesigningrequests:nodeclient
system:certificates.k8s.io:certificatesigningrequests:selfnodeclient
system:certificates.k8s.io:kube-apiserver-client-approver
system:certificates.k8s.io:kube-apiserver-client-kubelet-approver
system:certificates.k8s.io:kubelet-serving-approver
system:certificates.k8s.io:legacy-unknown-approver
system:controller:attachdetach-controller
system:controller:certificate-controller
system:controller:clusterrole-aggregation-controller
system:controller:cronjob-controller
system:controller:daemon-set-controller
system:controller:deployment-controller
system:controller:disruption-controller
system:controller:endpoint-controller
system:controller:endpointslice-controller
system:controller:endpointslicemirroring-controller
system:controller:ephemeral-volume-controller
system:controller:expand-controller
system:controller:generic-garbage-collector
system:controller:horizontal-pod-autoscaler
system:controller:job-controller
system:controller:legacy-service-account-token-cleaner
system:controller:namespace-controller
system:controller:node-controller
system:controller:persistent-volume-binder
system:controller:pod-garbage-collector
system:controller:pv-protection-controller
system:controller:pvc-protection-controller
system:controller:replicaset-controller
system:controller:replication-controller
system:controller:resourcequota-controller
system:controller:root-ca-cert-publisher
system:controller:route-controller
system:controller:selinux-warning-controller
system:controller:service-account-controller
system:controller:service-cidrs-controller
system:controller:service-controller
system:controller:statefulset-controller
system:controller:ttl-after-finished-controller
system:controller:ttl-controller
system:controller:validatingadmissionpolicy-status-controller
system:coredns
system:discovery
system:heapster
system:kube-aggregator
system:kube-controller-manager
system:kube-dns
system:kube-scheduler
system:kubelet-api-admin
system:monitoring
system:node
system:node-bootstrapper
system:node-problem-detector
system:node-proxier
system:persistent-volume-provisioner
system:public-info-viewer
system:service-account-issuer-discovery
system:volume-scheduler
view
weave-net

Create a ClusterRole called reader.

@controlplane1:~/kubernetes-examples/RBAC/ClusterRoles$ kubectl apply -f clusterole.yaml
clusterrole.rbac.authorization.k8s.io/reader created
fujiwara@controlplane1:~/kubernetes-examples/RBAC/ClusterRoles$ kubectl get clusterrole  | awk '{print $1}'
NAME
admin
cluster-admin
edit
kubeadm:get-nodes
reader <<--- added
(...snip...)

Change the serviceAccountName in the Deployment's YAML file to reader.

@controlplane1:~/kubernetes-examples/serviceaccount-specification$ sed -i 's/podcreator/reader/' nginx.yaml

Create the Deployment.

@controlplane1:~/kubernetes-examples/serviceaccount-specification$ kubectl apply -f nginx.yaml 
deployment.apps/nginx-deployment created

The Deployment object is accepted, but its Pods never come up (READY 0/2). The reason is that no ServiceAccount named reader exists: what was created above is a ClusterRole named reader, and a pod's serviceAccountName must name a ServiceAccount in the pod's own namespace, not a role. The API server does not check the name when the Deployment is created; the ReplicaSet controller then fails every time it tries to create a Pod with that ServiceAccount.

@controlplane1:~/kubernetes-examples/serviceaccount-specification$ kubectl get deployments
NAME               READY   UP-TO-DATE   AVAILABLE   AGE
nginx-deployment   0/2     0            0           2m31s

Delete it.

@controlplane1:~/kubernetes-examples/serviceaccount-specification$ kubectl delete deploy nginx-deployment
deployment.apps "nginx-deployment" deleted

Revert the YAML to its original setting.

@controlplane1:~/kubernetes-examples/serviceaccount-specification$ sed -i 's/reader/podcreator/' nginx.yaml

Create a ServiceAccount called podcreator.

@controlplane1:~/kubernetes-examples/RBAC/ClusterRoles/WriteRole$ source createsa.sh
serviceaccount/podcreator created
NAME         SECRETS   AGE
podcreator   0         0s

Bind it to a role. Note that, despite the directory name, rolebinding.yaml creates a namespaced RoleBinding (write-pod-default), not a ClusterRoleBinding, as the output shows; its grant is limited to the namespace it lives in.

@controlplane1:~/kubernetes-examples/RBAC/ClusterRoles/WriteRole$ kubectl apply -f rolebinding.yaml 
rolebinding.rbac.authorization.k8s.io/write-pod-default created

Create the Deployment once more.

@controlplane1:~/kubernetes-examples/serviceaccount-specification$ kubectl apply -f nginx.yaml
deployment.apps/nginx-deployment created

Did it come up properly this time? It did. Note which step actually fixed it: the Pods are created by the ReplicaSet controller under its own identity, so they only needed the ServiceAccount podcreator to exist. The RoleBinding matters for what a process inside the Pod can do against the API with that ServiceAccount's token, not for whether the Pod gets created.

controlplane1:~/kubernetes-examples/serviceaccount-specification$ kubectl get deployments
NAME               READY   UP-TO-DATE   AVAILABLE   AGE
nginx-deployment   2/2     2            2           28s

@controlplane1:~/kubernetes-examples/serviceaccount-specification$ kubectl get replicaset
NAME                          DESIRED   CURRENT   READY   AGE
nginx-deployment-5fb8c7d9f9   2         2         2       17s

@controlplane1:~/kubernetes-examples/serviceaccount-specification$ kubectl get pods
NAME                                READY   STATUS    RESTARTS   AGE
nginx-deployment-5fb8c7d9f9-5nqm5   1/1     Running   0          22s
nginx-deployment-5fb8c7d9f9-zt2tp   1/1     Running   0          22s
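Both failure modes on this page (a pod template naming a ServiceAccount that does not exist, and the question of what a given ServiceAccount is actually allowed to do through Role/ClusterRole bindings) can be checked before running kubectl apply. The following is an added example, not code from the article or from the kubernetes-examples repository: an offline pre-apply checker over constructed manifests shaped like the page's objects. The rule contents of the reader ClusterRole, the Role name write-pod behind the write-pod-default RoleBinding, and the extra ServiceAccount viewer are assumptions; the matching semantics (verbs, apiGroups, resources, "*" wildcards, RoleBindings scoped to their namespace, ClusterRoleBindings cluster-wide) follow the Kubernetes RBAC documentation.

```python
# Added example (not from the article or the kubernetes-examples repo):
# offline checks for the two RBAC/ServiceAccount pitfalls on this page.
# Manifests are constructed to mirror the page; rule contents, the Role
# "write-pod" and the ServiceAccount "viewer" are assumptions.

DEFAULT_NS = "default"


def manifests(sa_for_nginx="podcreator"):
    """Constructed manifests shaped like the page's objects (not the repo's YAML)."""
    return [
        # ClusterRole "reader": assumed to allow read-only verbs on pods.
        {"kind": "ClusterRole", "metadata": {"name": "reader"},
         "rules": [{"apiGroups": [""], "resources": ["pods"],
                    "verbs": ["get", "list", "watch"]}]},
        # ServiceAccount created by createsa.sh on the page.
        {"kind": "ServiceAccount",
         "metadata": {"name": "podcreator", "namespace": DEFAULT_NS}},
        # Assumed Role behind the page's RoleBinding "write-pod-default".
        {"kind": "Role", "metadata": {"name": "write-pod", "namespace": DEFAULT_NS},
         "rules": [{"apiGroups": [""], "resources": ["pods"],
                    "verbs": ["create", "get", "list", "delete"]}]},
        {"kind": "RoleBinding",
         "metadata": {"name": "write-pod-default", "namespace": DEFAULT_NS},
         "roleRef": {"kind": "Role", "name": "write-pod"},
         "subjects": [{"kind": "ServiceAccount", "name": "podcreator",
                       "namespace": DEFAULT_NS}]},
        # Hypothetical read-only ServiceAccount bound cluster-wide to "reader".
        {"kind": "ServiceAccount",
         "metadata": {"name": "viewer", "namespace": DEFAULT_NS}},
        {"kind": "ClusterRoleBinding", "metadata": {"name": "viewer-reader"},
         "roleRef": {"kind": "ClusterRole", "name": "reader"},
         "subjects": [{"kind": "ServiceAccount", "name": "viewer",
                       "namespace": DEFAULT_NS}]},
        # The nginx Deployment; serviceAccountName is the field the page's sed edits.
        {"kind": "Deployment",
         "metadata": {"name": "nginx-deployment", "namespace": DEFAULT_NS},
         "spec": {"template": {"spec": {"serviceAccountName": sa_for_nginx}}}},
    ]


def _ns(obj):
    return obj["metadata"].get("namespace", DEFAULT_NS)


def missing_service_accounts(objs):
    """Report pod templates whose serviceAccountName names no defined ServiceAccount.

    This is the page's first failure: the ReplicaSet controller cannot create
    Pods whose ServiceAccount does not resolve, so the Deployment stays 0/N.
    The "default" ServiceAccount is auto-created in every namespace, so it
    is never reported.
    """
    existing = {(_ns(o), o["metadata"]["name"])
                for o in objs if o["kind"] == "ServiceAccount"}
    problems = []
    for o in objs:
        if o["kind"] not in ("Deployment", "StatefulSet", "DaemonSet", "Job"):
            continue
        sa = o["spec"]["template"]["spec"].get("serviceAccountName", "default")
        if sa != "default" and (_ns(o), sa) not in existing:
            problems.append(f"{o['kind']}/{o['metadata']['name']} in {_ns(o)} "
                            f"references ServiceAccount {sa!r}, which does not exist")
    return problems


def _rule_allows(rule, verb, api_group, resource):
    """A PolicyRule matches when each list contains the value or '*'."""
    def hit(values, want):
        return "*" in values or want in values
    return (hit(rule.get("verbs", []), verb)
            and hit(rule.get("apiGroups", []), api_group)
            and hit(rule.get("resources", []), resource))


def can_i(objs, sa_ns, sa_name, verb, resource, namespace, api_group=""):
    """RBAC check for a ServiceAccount, like `kubectl auth can-i --as=...`.

    RoleBindings grant only inside their own namespace (even when they
    reference a ClusterRole); ClusterRoleBindings grant in every namespace.
    resourceNames and subresources are not modelled.
    """
    roles = {(o["kind"], _ns(o) if o["kind"] == "Role" else None,
              o["metadata"]["name"]): o.get("rules", [])
             for o in objs if o["kind"] in ("Role", "ClusterRole")}
    for b in objs:
        if b["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        if b["kind"] == "RoleBinding" and _ns(b) != namespace:
            continue  # namespaced grant, and we are asking about another namespace
        if not any(s.get("kind") == "ServiceAccount" and s.get("name") == sa_name
                   and s.get("namespace") == sa_ns for s in b["subjects"]):
            continue
        ref = b["roleRef"]
        key = (ref["kind"], _ns(b) if ref["kind"] == "Role" else None, ref["name"])
        if any(_rule_allows(r, verb, api_group, resource) for r in roles.get(key, [])):
            return True
    return False


if __name__ == "__main__":
    print(missing_service_accounts(manifests("reader")))   # the page's 0/2 case
    print(can_i(manifests(), "default", "podcreator", "create", "pods", "default"))
```

On a live cluster the equivalents are `kubectl auth can-i create pods --as=system:serviceaccount:default:podcreator` for the permission question, and, for the 0/2 case, `kubectl describe replicaset` in the Deployment's namespace, whose FailedCreate events name the ServiceAccount that could not be found.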

Continued in Kubernetes Galore on Ubuntu, Part 7 (DaemonSet).
