Creating an account to operate Kubernetes from CircleCI

January 28, 2024

ServiceAccount

Operating with admin privileges is dangerous, so I create a Kubernetes account that can only be used for specific services.

https://www.digitalocean.com/community/tutorials/how-to-automate-deployments-to-digitalocean-kubernetes-with-circleci

I created a public repository on GitHub.
https://github.com/a5ro5a/k8s-create-svcaccount

Environment

  • kubernetes
    • v1.28.2
  • namespace
    • doks-wp

Creating the account

_PROJECTNAME=doks-wp
cd ~/work/$_PROJECTNAME
cat <<__EOF__>prod/k8s/cicd-service-account.yml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: cicd
  namespace: $_PROJECTNAME
__EOF__

Tokens are no longer created automatically, so I follow the official documentation.

https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/

cat <<__EOF__>prod/k8s/cicd-service-account-token.yml
apiVersion: v1
kind: Secret
metadata:
  name: cicd-secret
  namespace: $_PROJECTNAME
  annotations:
    kubernetes.io/service-account.name: cicd
type: kubernetes.io/service-account-token
__EOF__
kubectl apply -f prod/k8s/cicd-service-account.yml
# the token Secret must be applied as well, otherwise cicd-secret never appears
kubectl apply -f prod/k8s/cicd-service-account-token.yml
kubectl get secret -A|grep cicd

doks-wp cicd-secret kubernetes.io/service-account-token 3 10s

kubectl get serviceaccount cicd -n doks-wp

NAME SECRETS AGE
cicd 0 12m

kubectl describe secret/cicd-secret -n doks-wp

Name: cicd-secret
Namespace: doks-wp
Labels:
Annotations: kubernetes.io/service-account.name: cicd
kubernetes.io/service-account.uid: ace91e33-6044-4407-b19b-06abdf127544

Type: kubernetes.io/service-account-token

Data

ca.crt: 1155 bytes
namespace: 7 bytes
token: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Retrieving the token

TOKEN=`kubectl get secret/cicd-secret -n $_PROJECTNAME -o jsonpath='{.data.token}' | base64 --decode`
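The same Secret also carries ca.crt, so a CI job can pin the API server's CA instead of passing --insecure-skip-tls-verify as in the checks below. The following script is an added example, not code from the post or the linked repository: it turns the JSON of `kubectl get secret/cicd-secret -n doks-wp -o json` into a kubeconfig for the cicd ServiceAccount. The sample Secret values, the cluster name and the server URL are constructed placeholders.

```python
# Added example (not part of the original post): build a kubeconfig for the
# cicd ServiceAccount from its kubernetes.io/service-account-token Secret,
# pinning the cluster CA from ca.crt rather than skipping TLS verification.
import base64
import json


def _b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()


# Constructed stand-in for `kubectl get secret/cicd-secret -n doks-wp -o json`;
# the certificate and token are dummies, not real cluster data.
SAMPLE_SECRET_JSON = json.dumps({
    "apiVersion": "v1",
    "kind": "Secret",
    "type": "kubernetes.io/service-account-token",
    "metadata": {
        "name": "cicd-secret",
        "namespace": "doks-wp",
        "annotations": {"kubernetes.io/service-account.name": "cicd"},
    },
    "data": {
        "ca.crt": _b64("-----BEGIN CERTIFICATE-----\nEXAMPLE-NOT-A-REAL-CERT\n-----END CERTIFICATE-----\n"),
        "namespace": _b64("doks-wp"),
        "token": _b64("example-service-account-token"),
    },
})


def render_kubeconfig(secret_json: str, server: str, cluster_name: str = "doks") -> str:
    """Return kubeconfig YAML whose context uses the Secret's token and CA."""
    if not server.startswith("https://"):
        # A bearer token sent over plain HTTP would be exposed on the wire.
        raise ValueError("server must be an https:// URL")
    secret = json.loads(secret_json)
    if secret.get("type") != "kubernetes.io/service-account-token":
        raise ValueError("expected a kubernetes.io/service-account-token Secret")
    data = secret["data"]
    user = secret["metadata"]["annotations"]["kubernetes.io/service-account.name"]
    # ca.crt is stored base64-encoded and certificate-authority-data expects
    # base64 too, so it is passed through unchanged; token and namespace are
    # decoded to their plain values.
    ca_b64 = data["ca.crt"]
    token = base64.b64decode(data["token"]).decode()
    namespace = base64.b64decode(data["namespace"]).decode()
    context = f"{user}@{cluster_name}"
    return (
        "apiVersion: v1\n"
        "kind: Config\n"
        "clusters:\n"
        f"- name: {cluster_name}\n"
        "  cluster:\n"
        f"    server: {server}\n"
        f"    certificate-authority-data: {ca_b64}\n"
        "users:\n"
        f"- name: {user}\n"
        "  user:\n"
        f"    token: {token}\n"
        "contexts:\n"
        f"- name: {context}\n"
        "  context:\n"
        f"    cluster: {cluster_name}\n"
        f"    user: {user}\n"
        f"    namespace: {namespace}\n"
        f"current-context: {context}\n"
    )


if __name__ == "__main__":
    # Server URL is a placeholder; in practice take it from `kubectl config view`.
    print(render_kubeconfig(SAMPLE_SECRET_JSON, "https://example.invalid:443"))
```

The generated file contains the bearer token, so it should be handed to CircleCI only through its secret environment variables (the linked tutorial uses that approach), never committed to the repository. With the CA pinned, the verification commands below can drop --insecure-skip-tls-verify and --kubeconfig=/dev/null and simply use --kubeconfig=<generated file>.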

Assigning the role

cat <<__EOF__>prod/k8s/cicd-service-account-role.yml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: cicd
  namespace: $_PROJECTNAME
rules:
  - apiGroups: ["", "apps", "batch", "extensions"]
    resources: ["deployments", "services", "replicasets", "pods", "jobs", "cronjobs"]
    verbs: ["*"]
__EOF__
kubectl apply -f prod/k8s/cicd-service-account-role.yml
cat <<__EOF__>prod/k8s/cicd-service-account-role-binding.yml
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: cicd
  namespace: $_PROJECTNAME
subjects:
  - kind: ServiceAccount
    name: cicd
    namespace: $_PROJECTNAME
roleRef:
  kind: Role
  name: cicd
  apiGroup: rbac.authorization.k8s.io
__EOF__
kubectl apply -f prod/k8s/cicd-service-account-role-binding.yml

Verification

KUBERNETES_SERVER=`grep server\: ~/.kube/config | awk '{print $2}'`

Listing works

kubectl --insecure-skip-tls-verify --kubeconfig="/dev/null" --server=$KUBERNETES_SERVER --token=$TOKEN get pods -n $_PROJECTNAME

NAME READY STATUS RESTARTS AGE
doks-wp-prod-web-848dd47496-5k4mm 1/1 Running 0 2d21h
doks-wp-prod-web-848dd47496-f6ksl 1/1 Running 0 2d21h

Confirm that logging in with exec is not possible

kubectl --insecure-skip-tls-verify --kubeconfig="/dev/null" --server=$KUBERNETES_SERVER --token=$TOKEN  -n $_PROJECTNAME exec -ti doks-wp-prod-web-848dd47496-5k4mm -- /bin/bash

Error from server (Forbidden): pods "doks-wp-prod-web-848dd47496-5k4mm" is forbidden: User "system:serviceaccount:doks-wp:cicd" cannot create resource "pods/exec" in API group "" in the namespace "doks-wp"

Confirm that only resources in the $_PROJECTNAME namespace are visible

kubectl --insecure-skip-tls-verify --kubeconfig="/dev/null" --server=$KUBERNETES_SERVER --token=$TOKEN get nodes

Error from server (Forbidden): nodes is forbidden: User "system:serviceaccount:doks-wp:cicd" cannot list resource "nodes" in API group "" at the cluster scope
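The three results above follow from two RBAC rules: a subresource such as pods/exec is only granted when it is listed explicitly (a plain "pods" entry never covers it), and a Role bound by a RoleBinding applies only inside its own namespace, so cluster-scoped resources like nodes are never reachable through it. The script below is an added example, not code from the post: it is a simplified model of that evaluation run over the Role rules exactly as written in cicd-service-account-role.yml, and it reproduces all three checks. It is not the real authorizer; for the authoritative answer, ask the cluster with `kubectl auth can-i create pods/exec -n doks-wp --as=system:serviceaccount:doks-wp:cicd`.

```python
# Added example (not part of the original post): a minimal model of how the
# cicd Role is evaluated, reproducing the checks in the verification section.
from dataclasses import dataclass
from typing import Optional

# The Role's rules, copied from cicd-service-account-role.yml.
ROLE_NAMESPACE = "doks-wp"
ROLE_RULES = [
    {
        "apiGroups": ["", "apps", "batch", "extensions"],
        "resources": ["deployments", "services", "replicasets", "pods", "jobs", "cronjobs"],
        "verbs": ["*"],
    }
]


@dataclass(frozen=True)
class Request:
    verb: str
    api_group: str
    resource: str             # "pods" or a subresource such as "pods/exec"
    namespace: Optional[str]  # None for cluster-scoped resources such as nodes


def resource_matches(rule_resources, requested):
    """True if a rule's resources entry covers the requested resource."""
    if "*" in rule_resources or requested in rule_resources:
        return True
    # A subresource is granted only by "pods/exec", "*/exec" or "*";
    # a plain "pods" entry never covers it.
    if "/" in requested:
        sub = requested.split("/", 1)[1]
        return f"*/{sub}" in rule_resources
    return False


def rule_allows(rule, req):
    groups = rule.get("apiGroups", [])
    verbs = rule.get("verbs", [])
    return (("*" in groups or req.api_group in groups)
            and resource_matches(rule.get("resources", []), req.resource)
            and ("*" in verbs or req.verb in verbs))


def can_i(req, rules=ROLE_RULES, role_namespace=ROLE_NAMESPACE):
    """Decide a request against a namespaced Role bound in role_namespace."""
    # A Role only ever applies inside its own namespace: cluster-scoped
    # requests (namespace=None) and other namespaces are denied before any
    # rule is consulted.
    if req.namespace != role_namespace:
        return False
    return any(rule_allows(r, req) for r in rules)


if __name__ == "__main__":
    checks = [
        Request("list", "", "pods", "doks-wp"),        # listing pods: allowed
        Request("create", "", "pods/exec", "doks-wp"),  # exec: forbidden
        Request("list", "", "nodes", None),             # nodes: forbidden
        Request("list", "", "pods", "default"),         # other namespace: forbidden
    ]
    for c in checks:
        verdict = "allowed" if can_i(c) else "forbidden"
        print(f"{c.verb:6} {c.resource:10} ns={c.namespace!s:8} -> {verdict}")
```

If a pipeline later needs more than this Role grants, extend the rules with the exact resource, subresource and verb required rather than binding a ClusterRole; the model makes it easy to confirm in advance that the wider grant still denies what it should.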

Posted by ocarina