This is a continuation of Kubernetes on Ubuntu, Part 5-2 (Weave Net CNI).
I want to create the Pods of a Deployment, but this time I try it with a ServiceAccount that has been given only read permissions.
First, clone this repository.
On the control plane:
$ sudo apt install git
$ git clone https://github.com/AdminTurnedDevOps/kubernetes-examples.git
Check the ClusterRoles that already exist.
On the control plane:
@controlplane1:~$ kubectl get clusterrole | awk '{print $1}'
NAME
admin
cluster-admin
edit
kubeadm:get-nodes
system:aggregate-to-admin
system:aggregate-to-edit
system:aggregate-to-view
system:auth-delegator
system:basic-user
system:certificates.k8s.io:certificatesigningrequests:nodeclient
system:certificates.k8s.io:certificatesigningrequests:selfnodeclient
system:certificates.k8s.io:kube-apiserver-client-approver
system:certificates.k8s.io:kube-apiserver-client-kubelet-approver
system:certificates.k8s.io:kubelet-serving-approver
system:certificates.k8s.io:legacy-unknown-approver
system:controller:attachdetach-controller
system:controller:certificate-controller
system:controller:clusterrole-aggregation-controller
system:controller:cronjob-controller
system:controller:daemon-set-controller
system:controller:deployment-controller
system:controller:disruption-controller
system:controller:endpoint-controller
system:controller:endpointslice-controller
system:controller:endpointslicemirroring-controller
system:controller:ephemeral-volume-controller
system:controller:expand-controller
system:controller:generic-garbage-collector
system:controller:horizontal-pod-autoscaler
system:controller:job-controller
system:controller:legacy-service-account-token-cleaner
system:controller:namespace-controller
system:controller:node-controller
system:controller:persistent-volume-binder
system:controller:pod-garbage-collector
system:controller:pv-protection-controller
system:controller:pvc-protection-controller
system:controller:replicaset-controller
system:controller:replication-controller
system:controller:resourcequota-controller
system:controller:root-ca-cert-publisher
system:controller:route-controller
system:controller:selinux-warning-controller
system:controller:service-account-controller
system:controller:service-cidrs-controller
system:controller:service-controller
system:controller:statefulset-controller
system:controller:ttl-after-finished-controller
system:controller:ttl-controller
system:controller:validatingadmissionpolicy-status-controller
system:coredns
system:discovery
system:heapster
system:kube-aggregator
system:kube-controller-manager
system:kube-dns
system:kube-scheduler
system:kubelet-api-admin
system:monitoring
system:node
system:node-bootstrapper
system:node-problem-detector
system:node-proxier
system:persistent-volume-provisioner
system:public-info-viewer
system:service-account-issuer-discovery
system:volume-scheduler
view
weave-net
Create a ClusterRole named reader.
@controlplane1:~/kubernetes-examples/RBAC/ClusterRoles$ kubectl apply -f clusterole.yaml
clusterrole.rbac.authorization.k8s.io/reader created
fujiwara@controlplane1:~/kubernetes-examples/RBAC/ClusterRoles$ kubectl get clusterrole | awk '{print $1}'
NAME
admin
cluster-admin
edit
kubeadm:get-nodes
reader <<--- added
(...snip...)
Change the Deployment's serviceAccountName in nginx.yaml from podcreator to reader.
@controlplane1:~/kubernetes-examples/serviceaccount-specification$ sed -i 's/podcreator/reader/' nginx.yaml
Create the Deployment.
@controlplane1:~/kubernetes-examples/serviceaccount-specification$ kubectl apply -f nginx.yaml
deployment.apps/nginx-deployment created
The Deployment object itself was created, as the output above shows, but none of its Pods come up (READY 0/2). The reason is that nginx.yaml now sets serviceAccountName: reader, and no ServiceAccount of that name exists: reader is the ClusterRole created above, and a ClusterRole is a set of permissions, not an identity that a Pod can run as. The ReplicaSet controller's attempts to create the Pods are rejected because the ServiceAccount cannot be found (kubectl describe on the ReplicaSet shows this as a FailedCreate event). Note what this does and does not prove: the failure has nothing to do with reader being read-only. Whether a Pod can be created is decided by the permissions of whoever runs kubectl apply and by the existence of the referenced ServiceAccount, not by that ServiceAccount's own RBAC rights, which only govern what the running Pod can do against the API server.
@controlplane1:~/kubernetes-examples/serviceaccount-specification$ kubectl get deployments
NAME               READY   UP-TO-DATE   AVAILABLE   AGE
nginx-deployment   0/2     0            0           2m31s
Delete it.
@controlplane1:~/kubernetes-examples/serviceaccount-specification$ kubectl delete deploy nginx-deployment
deployment.apps "nginx-deployment" deleted
Revert the change to nginx.yaml.
@controlplane1:~/kubernetes-examples/serviceaccount-specification$ sed -i 's/reader/podcreator/' nginx.yaml
Create a ServiceAccount named podcreator.
@controlplane1:~/kubernetes-examples/RBAC/ClusterRoles/WriteRole$ source createsa.sh
serviceaccount/podcreator created
NAME         SECRETS   AGE
podcreator   0         0s
Bind the role to the ServiceAccount. Despite the directory name, what rolebinding.yaml creates is a namespaced RoleBinding, not a ClusterRoleBinding (the output says rolebinding, not clusterrolebinding), so the permissions it grants podcreator apply only in the namespace the binding lives in, even though the roleRef may point at a ClusterRole.
@controlplane1:~/kubernetes-examples/RBAC/ClusterRoles/WriteRole$ kubectl apply -f rolebinding.yaml
rolebinding.rbac.authorization.k8s.io/write-pod-default created
Create the Deployment again.
@controlplane1:~/kubernetes-examples/serviceaccount-specification$ kubectl apply -f nginx.yaml
deployment.apps/nginx-deployment created
Did it come up properly this time?
@controlplane1:~/kubernetes-examples/serviceaccount-specification$ kubectl get deployments
NAME               READY   UP-TO-DATE   AVAILABLE   AGE
nginx-deployment   2/2     2            2           28s
@controlplane1:~/kubernetes-examples/serviceaccount-specification$ kubectl get replicaset
NAME                          DESIRED   CURRENT   READY   AGE
nginx-deployment-5fb8c7d9f9   2         2         2       17s
@controlplane1:~/kubernetes-examples/serviceaccount-specification$ kubectl get pods
NAME                                READY   STATUS    RESTARTS   AGE
nginx-deployment-5fb8c7d9f9-5nqm5   1/1     Running   0          22s
nginx-deployment-5fb8c7d9f9-zt2tp   1/1     Running   0          22s
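To make the two decisions behind the results above explicit, here is an added example (not code from this page or from the kubernetes-examples repository) that models them offline in Python: the ServiceAccount admission check that rejected the Pods while reader did not exist as a ServiceAccount, and the RBAC rule matching that kubectl auth can-i performs. The manifests are constructed to mirror the page's objects; the rules inside ClusterRole reader, the ClusterRole that RoleBinding write-pod-default refers to (called pod-writer here), and the extra reader ServiceAccount with its read-pods-default binding are assumptions, because the repo's YAML is not shown on the page.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    """One entry of a Role/ClusterRole `rules:` list ("" is the core API group)."""
    api_groups: tuple
    resources: tuple
    verbs: tuple

    def allows(self, api_group, resource, verb):
        return (("*" in self.api_groups or api_group in self.api_groups)
                and ("*" in self.resources or resource in self.resources)
                and ("*" in self.verbs or verb in self.verbs))


@dataclass(frozen=True)
class Subject:
    kind: str            # "ServiceAccount", "User" or "Group"
    name: str
    namespace: str = ""  # only ServiceAccount subjects carry a namespace


@dataclass
class Binding:
    kind: str        # "RoleBinding" (namespaced) or "ClusterRoleBinding"
    name: str
    role_kind: str   # roleRef.kind: "Role" or "ClusterRole"
    role_name: str
    subjects: list
    namespace: str = ""  # the RoleBinding's own namespace


@dataclass
class Cluster:
    cluster_roles: dict = field(default_factory=dict)   # name -> [Rule]
    roles: dict = field(default_factory=dict)           # (namespace, name) -> [Rule]
    bindings: list = field(default_factory=list)
    service_accounts: set = field(default_factory=set)  # (namespace, name)

    def rules_for(self, binding):
        if binding.role_kind == "ClusterRole":
            return self.cluster_roles.get(binding.role_name, [])
        # a RoleBinding can only reference a Role in its own namespace
        return self.roles.get((binding.namespace, binding.role_name), [])


def subject_matches(subject, sa_ns, sa_name):
    """Does a binding subject cover the identity system:serviceaccount:<ns>:<name>?"""
    if subject.kind == "ServiceAccount":
        return subject.namespace == sa_ns and subject.name == sa_name
    if subject.kind == "Group":  # groups every ServiceAccount belongs to
        return subject.name in {"system:serviceaccounts",
                                f"system:serviceaccounts:{sa_ns}",
                                "system:authenticated"}
    return False  # a User subject never matches a ServiceAccount


def can_i(cluster, sa_ns, sa_name, verb, resource, namespace, api_group=""):
    """Offline `kubectl auth can-i <verb> <resource> -n <namespace>
    --as=system:serviceaccount:<sa_ns>:<sa_name>` for namespaced resources."""
    for b in cluster.bindings:
        if b.kind == "RoleBinding" and b.namespace != namespace:
            continue  # a RoleBinding grants nothing outside its namespace
        if not any(subject_matches(s, sa_ns, sa_name) for s in b.subjects):
            continue
        if any(r.allows(api_group, resource, verb) for r in cluster.rules_for(b)):
            return True
    return False  # RBAC is deny-by-default: no matching rule means no


def pod_creation_check(cluster, namespace, service_account_name):
    """The ServiceAccount admission check the ReplicaSet controller hit on the
    page: the Pod's serviceAccountName must exist in the Pod's namespace.
    The ServiceAccount's RBAC permissions are deliberately not consulted."""
    if (namespace, service_account_name) in cluster.service_accounts:
        return True, "ok"
    return False, f'serviceaccount "{service_account_name}" not found in namespace {namespace}'


def page_scenario():
    """Replays the page's steps on constructed manifests; returns each decision."""
    c = Cluster()
    c.service_accounts.add(("default", "default"))  # every namespace has one
    # Step 1 on the page: only ClusterRole reader exists (ASSUMED rules: read-only on pods).
    c.cluster_roles["reader"] = [Rule(("",), ("pods",), ("get", "list", "watch"))]
    r = {"reader_pod_create": pod_creation_check(c, "default", "reader")}
    # Step 2: createsa.sh + rolebinding.yaml (ASSUMED: the binding references a
    # ClusterRole called pod-writer that allows create on pods).
    c.service_accounts.add(("default", "podcreator"))
    c.cluster_roles["pod-writer"] = [Rule(("",), ("pods",), ("create", "get", "list", "delete"))]
    c.bindings.append(Binding("RoleBinding", "write-pod-default", "ClusterRole", "pod-writer",
                              [Subject("ServiceAccount", "podcreator", "default")], "default"))
    r["podcreator_pod_create"] = pod_creation_check(c, "default", "podcreator")
    r["podcreator_can_create_pods_default"] = can_i(c, "default", "podcreator", "create", "pods", "default")
    r["podcreator_can_create_pods_kube_system"] = can_i(c, "default", "podcreator", "create", "pods", "kube-system")
    # Step 3 (CONSTRUCTED, what the page set out to test): a real ServiceAccount
    # named reader bound to the read-only ClusterRole in namespace default.
    c.service_accounts.add(("default", "reader"))
    c.bindings.append(Binding("RoleBinding", "read-pods-default", "ClusterRole", "reader",
                              [Subject("ServiceAccount", "reader", "default")], "default"))
    r["reader_sa_pod_create"] = pod_creation_check(c, "default", "reader")
    r["reader_can_get_pods"] = can_i(c, "default", "reader", "get", "pods", "default")
    r["reader_can_create_pods"] = can_i(c, "default", "reader", "create", "pods", "default")
    return r


if __name__ == "__main__":
    for name, decision in page_scenario().items():
        print(f"{name}: {decision}")
```

Run it with python3 and it prints each decision. The point worth keeping: pod_creation_check never looks at RBAC, so a Pod runs perfectly well as a read-only ServiceAccount once that ServiceAccount exists; what RBAC decides is what the Pod can then do against the API server, and a RoleBinding, even one whose roleRef is a ClusterRole, grants only inside its own namespace (podcreator can create Pods in default but not in kube-system). On a real cluster the same questions are answered by kubectl auth can-i with --as=system:serviceaccount:default:podcreator and the -n flag.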
Continued in Kubernetes on Ubuntu, Part 7 (DaemonSet).