{"id":113,"date":"2024-03-13T23:37:00","date_gmt":"2024-03-13T15:37:00","guid":{"rendered":"https:\/\/www.xueyaa.top\/?p=113"},"modified":"2026-03-10T21:53:36","modified_gmt":"2026-03-10T13:53:36","slug":"clusterrole%e6%8e%88%e6%9d%83%e7%bb%99%e4%b8%80%e4%b8%aaserviceaccount%e7%b1%bb%e5%9e%8b","status":"publish","type":"post","link":"https:\/\/www.xueyaa.top\/?p=113","title":{"rendered":"ClusterRole\u6388\u6743\u7ed9\u4e00\u4e2aServiceAccount\u7c7b\u578b"},"content":{"rendered":"\n
\t1.\u7f16\u5199\u8d44\u6e90\u6e05\u5355 \n[root@master231 rbac]# cat > oldboyedu-sa-rbac.yaml <<EOF\napiVersion: v1\nkind: ServiceAccount\nmetadata:\n  namespace: kube-public\n  name: oldboy\n\n---\n\napiVersion: apps\/v1\nkind: Deployment\nmetadata:\n  name: xiuxian\n  namespace: kube-public\nspec:\n  replicas: 1\n  selector:\n    matchLabels:\n      app: xiuxian\n  template:\n    metadata:\n      labels:\n        app: xiuxian\n    spec:\n      nodeName: worker232\n      serviceAccountName: oldboy\n      containers:\n      - image: harbor250.oldboyedu.com\/oldboyedu-devops\/python:3.9.16-alpine3.16\n        command:\n        - tail\n        - -f\n        - \/etc\/hosts\n        name: apps\n\n---\n\napiVersion: rbac.authorization.k8s.io\/v1\nkind: ClusterRole\nmetadata:\n  name: reader-oldboy\nrules:\n- apiGroups:\n  - \"\"\n  resources:\n  - pods\n  - services\n  verbs:\n  - get\n  - watch\n  - list\n  - delete\n- apiGroups:\n  - apps\n  resources:\n  - deployments\n  verbs:\n  - get\n  - watch\n  - list\n  - delete\n\n---\n\napiVersion: rbac.authorization.k8s.io\/v1\nkind: ClusterRoleBinding\nmetadata:\n  name: reader-oldboy-bind\nroleRef:\n  apiGroup: rbac.authorization.k8s.io\n  kind: ClusterRole\n  name: reader-oldboy\nsubjects:\n- kind: ServiceAccount\n  name: oldboy\n  namespace: kube-public\nEOF\n  \n\n\t2.\u521b\u5efa\u8d44\u6e90\n[root@master231 rbac]# kubectl apply -f oldboyedu-sa-rbac.yaml \nserviceaccount\/oldboy created\ndeployment.apps\/xiuxian created\nclusterrole.rbac.authorization.k8s.io\/reader-oldboy created\nclusterrolebinding.rbac.authorization.k8s.io\/reader-oldboy-bind created\n[root@master231 rbac]#\n[root@master231 rbac]# kubectl get deploy,sa,po -o wide  -n kube-public \nNAME                      READY   UP-TO-DATE   AVAILABLE   AGE    CONTAINERS   IMAGES                                                                SELECTOR\ndeployment.apps\/xiuxian   1\/1     1            1           111s   apps         harbor250.oldboyedu.com\/oldboyedu-casedemo\/python:3.9.16-alpine3.16   app=xiuxian\n\nNAME                     SECRETS   AGE\nserviceaccount\/default   1         9d\nserviceaccount\/oldboy    1         111s\n\nNAME                           READY   STATUS    RESTARTS   AGE    IP             NODE        NOMINATED NODE   READINESS GATES\npod\/xiuxian-6ffc4f5fd7-m9tf2   1\/1     Running   0          111s   10.100.1.165   worker232   <none>           <none>\n[root@master231 rbac]# \n\n\n\t3.\u5b89\u88c5\u4f9d\u8d56\u5305\n[root@master231 rbac]# kubectl -n kube-public exec -it xiuxian-6ffc4f5fd7-m9tf2 -- sh\n\/ # \n\/ # python -V\nPython 3.9.16\n\/ # \n\/ # pip install kubernetes -i https:\/\/pypi.tuna.tsinghua.edu.cn\/simple\/\n...\nSuccessfully installed cachetools-5.5.2 certifi-2025.1.31 charset-normalizer-3.4.1 durationpy-0.9 google-auth-2.38.0 idna-3.10 kubernetes-32.0.1 oauthlib-3.2.2 pyasn1-0.6.1 pyasn1-modules-0.4.2 python-dateutil-2.9.0.post0 pyyaml-6.0.2 requests-2.32.3 requests-oauthlib-2.0.0 rsa-4.9 six-1.17.0 urllib3-2.4.0 websocket-client-1.8.0\nWARNING: Running pip as the 'root' user can result in broken permissions and conflicting behaviour with the system package manager. It is recommended to use a virtual environment instead: https:\/\/pip.pypa.io\/warnings\/venv\nWARNING: You are using pip version 22.0.4; however, version 25.0.1 is available.\nYou should consider upgrading via the '\/usr\/local\/bin\/python -m pip install --upgrade pip' command.\n\/ # \n\n\t4.\u7f16\u5199python\u811a\u672c\n\/ # cat > view-k8s-resources.py <<EOF\nfrom kubernetes import client, config\n\nwith open('\/var\/run\/secrets\/kubernetes.io\/serviceaccount\/token') as f:\n     token = f.read()\n\nconfiguration = client.Configuration()\nconfiguration.host = \"https:\/\/10.0.0.231:6443\"  # APISERVER\u5730\u5740\nconfiguration.ssl_ca_cert=\"\/var\/run\/secrets\/kubernetes.io\/serviceaccount\/ca.crt\"  # CA\u8bc1\u4e66 \nconfiguration.verify_ssl = True   # \u542f\u7528\u8bc1\u4e66\u9a8c\u8bc1\nconfiguration.api_key = {\"authorization\": \"Bearer \" + token}  # \u6307\u5b9aToken\u5b57\u7b26\u4e32\nclient.Configuration.set_default(configuration)\napps_api = client.AppsV1Api() \ncore_api = client.CoreV1Api() \ntry:\n  print(\"###### Deployment\u5217\u8868 ######\")\n  #\u5217\u51fadefault\u547d\u540d\u7a7a\u95f4\u6240\u6709deployment\u540d\u79f0\n  for dp in apps_api.list_namespaced_deployment(\"kube-public\").items:\n    print(dp.metadata.name)\nexcept:\n  print(\"\u6ca1\u6709\u6743\u9650\u8bbf\u95eeDeployment\u8d44\u6e90\uff01\")\n\ntry:\n  #\u5217\u51fadefault\u547d\u540d\u7a7a\u95f4\u6240\u6709pod\u540d\u79f0\n  print(\"###### Pod\u5217\u8868 ######\")\n  for po in core_api.list_namespaced_pod(\"kube-public\").items:\n    print(po.metadata.name)\nexcept:\n  print(\"\u6ca1\u6709\u6743\u9650\u8bbf\u95eePod\u8d44\u6e90\uff01\")\nEOF\n\n\t5.\u8fd0\u884cpython\u811a\u672c\n\/ # python3 view-k8s-resources.py \n###### Deployment\u5217\u8868 ######\nxiuxian\n###### Pod\u5217\u8868 ######\noldboyedu-pods-sa\nxiuxian-6ffc4f5fd7-m9tf2\n\/ # \n\n\n\t6.\u66f4\u65b0\u6743\u9650\n[root@master231 auth]# kubectl get clusterrolebinding  reader-oldboy-bind -o wide\nNAME                 ROLE                        AGE   USERS   GROUPS   SERVICEACCOUNTS\nreader-oldboy-bind   ClusterRole\/reader-oldboy   18m                    kube-public\/oldboy\n[root@master231 auth]# \n[root@master231 auth]# kubectl delete clusterrolebinding  reader-oldboy-bind \nclusterrolebinding.rbac.authorization.k8s.io \"reader-oldboy-bind\" deleted\n[root@master231 auth]# \n[root@master231 auth]# kubectl get clusterrolebinding  reader-oldboy-bind -o wide\nError from server (NotFound): clusterrolebindings.rbac.authorization.k8s.io \"reader-oldboy-bind\" not found\n[root@master231 auth]# \n\n\t7.\u518d\u6b21\u6d4b\u8bd5\u9a8c\u8bc1 \n[root@master231 rbac]# kubectl -n kube-public exec -it xiuxian-6ffc4f5fd7-z9p56 -- sh\n\/ # python view-k8s-resources.py \n###### Deployment\u5217\u8868 ######\n\u6ca1\u6709\u6743\u9650\u8bbf\u95eeDeployment\u8d44\u6e90\uff01\n###### Pod\u5217\u8868 ######\n\u6ca1\u6709\u6743\u9650\u8bbf\u95eePod\u8d44\u6e90\uff01\n\/ # <\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"","protected":false},"author":1,"featured_media":115,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"class_list":["post-113","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-linux"],"_links":{"self":[{"href":"https:\/\/www.xueyaa.top\/index.php?rest_route=\/wp\/v2\/posts\/113","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.xueyaa.top\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.xueyaa.top\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.xueyaa.top\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.xueyaa.top\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=113"}],"version-history":[{"count":1,"href":"https:\/\/www.xueyaa.top\/index.php?rest_route=\/wp\/v2\/posts\/113\/revisions"}],"predecessor-version":[{"id":116,"href":"https:\/\/www.xueyaa.top\/index.php?rest_route=\/wp\/v2\/posts\/113\/revisions\/116"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.xueyaa.top\/index.php?rest_route=\/wp\/v2\/media\/115"}],"wp:attachment":[{"href":"https:\/\/www.xueyaa.top\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=113"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.xueyaa.top\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=113"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.xueyaa.top\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=113"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}