In Kubernetes versions before 1.24, a Service Account secret token was created automatically,

but from later versions on it has to be created and managed by hand.

In particular, tokens have a lifecycle, and that lifecycle has to be managed.

The options are creating a time-limited token, creating a permanent one, and managing tokens through refresh.

1. Creating a time-limited token

You can create a token with the kubectl create token command, and set its lifetime with the --duration option.

If the duration option is omitted, it defaults to 1 hour.

Also, a token created with this command is shown only at creation time; it cannot be retrieved again afterwards.

# Create a temporary service account
kubectl create sa temp-sa

# Create a short-lived token with the create token command
kubectl create token temp-sa --duration 30m

# result (the JWT, truncated here)
eyJhbGciOiJSUzI1NiIsImtpZCI6ImU1Mnp2SFpHYS1RN2dXaElkV0tEZC1nemlxeTFhdWQiGE5ZC1hM2E3LTQ4OGYtOTM3OS1iYzc0MGU1ZjUyMDkifX0sIm5iZiI6MTczNDQzOTY4MCwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50OmRlZmF1bHQ6dGVtcC1zYSJ9.Ya83wdlUMifQww_XUmK2rEfxkAMqueDT6QeYiQqwXlWYnUIq4YaCZDbo7XZz8xW3W-_efpx1-7n9dHkUMzk88LvCCS5C0S6J89hGGAI4T_nhyTfIhj4AbC_hhLdZR3b9pSuh7a0xY_CiD

# decoded payload of the token above (exp - iat = 1800 s, i.e. the 30 minutes requested)
{
    "aud": [
        "https://kubernetes.default.svc.cluster.local"
    ],
    "exp": 1734441480,
    "iat": 1734439680,
    "iss": "https://kubernetes.default.svc.cluster.local",
    "jti": "360425d7-587d-44ca-8633-67e5e07ac9e5",
    "kubernetes.io": {
        "namespace": "default",
        "serviceaccount": {
            "name": "temp-sa",
            "uid": "34bd8a9d-a3a7-488f-9379-bc740e5f5209"
        }
    },
    "nbf": 1734439680,
    "sub": "system:serviceaccount:default:temp-sa"
}
2. Creating a permanent token

For a permanent token, create the Service Account and then create a Secret for it separately.

However, this is not recommended.

# Create the service account
kubectl create sa permanent-sa

# Create the secret
vi secret.yaml
apiVersion: v1
kind: Secret
type: kubernetes.io/service-account-token
metadata:
  name: permanent-sa-secret
  annotations:
    kubernetes.io/service-account.name: permanent-sa

# Apply
kubectl apply -f secret.yaml

# List
kubectl get secret
NAME                               TYPE                                  DATA   AGE
permanent-sa-secret                kubernetes.io/service-account-token   3      4s

# Inspect the token
kubectl describe secret permanent-sa-secret
Name:         permanent-sa-secret
Namespace:    default
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: permanent-sa
              kubernetes.io/service-account.uid: 349d3c79-1180-4cea-9357-5169a7a88d4c

Type:  kubernetes.io/service-account-token

Data
====
token:      eyJhbGciOiJSUzI1NiIsImtpZCI6ImU1Mnp2SFpHYS1RN2dXXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3V
ca.crt:     1107 bytes
namespace:  7 bytes

3. Renewal through a Service Account mount

3.1 Renewal through the default mount

By default, when a Service Account is set in the pod yaml, the token is renewed every hour.
(To verify it, exec into the pod after 1 hour; the official documentation also says the kubelet renews it every hour.)

# Create the service account
kubectl create sa auto-sa

# Set the service account in deploy.yaml
...
spec:
  template:
    spec:
      serviceAccountName: auto-sa   # serviceAccount is a deprecated alias for this field
      containers:
      ...
...

# Exec into the pod to read the token
kubectl exec -it stdout-node-869cff8b95-cxqf2 -- sh

# Default mount path
pwd
/var/run/secrets/kubernetes.io/serviceaccount

ls
ca.crt     namespace  token

# Read the token
# To see it change, exec into the same pod after 1 hour and check again.
cat token
eyJhbGciOiJSUzI1NiIsImtpZCI6ImU1Mnp2SFpHYS1RN2dXaElkV0tEZC1nemlxeTFMclJubTVTaFhoVkZIY2sifQ.eyJhdWQiOlsiaHR0cHM6Ly9rdWJlcm5ldGVzLmRlZmF1bHQuc3ZjLmNsdXN0ZXIubG9jYWwiXSwiZXhwIjoxNzY1OTc2NzIxLCJpYXQiOjE3MzQ0NDA3MjEsImlzcyI6Imh0dHBzOi8va3ViZXJuZXRlcy5kZWZhdWx0LnN2Yy5jbHVzdGVyLmxvY2FsIiwianRpIjoiNjQ3ZDZmYWMtODc

3.2 Management through a projected volume

Instead of the method above, the lifetime and renewal can be set through a projected volume.

Because automountServiceAccountToken has to be set to false, create the ServiceAccount from yaml;
by default a ServiceAccount is created with it set to true.

This example uses 2 hours.

(It is renewed automatically after 2 hours.)

# automountServiceAccountToken must be false, so create the ServiceAccount from yaml
# (a ServiceAccount created with kubectl create sa has it set to true by default)
vi passive-sa.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: passive-sa
  namespace: default
automountServiceAccountToken: false

# Add the projected service account token volume in deploy.yaml
...
spec:
  template:
    spec:
      serviceAccountName: passive-sa   # serviceAccount is a deprecated alias for this field
      volumes:
      - name: project-passive-sa
        projected:
          sources:
          - serviceAccountToken:
              path: passive-sa-file      # file name under the mount path; must match what is read below
              expirationSeconds: 7200    # 2 hours
      containers:
      - name: stdout-node              # the container name is assumed here
        ...
        volumeMounts:
        - mountPath: /tmp/token
          name: project-passive-sa
...

# Exec into the pod to read the token
kubectl exec -it stdout-node-7fcc7ff87-tjfjf -- sh

# Path
# set to /tmp/token above
pwd
/tmp/token

# set to passive-sa-file above
ls
passive-sa-file

# Read the token
# Since it was set to 2 hours, exec into the same pod after 2 hours and check again to see it change.
cat passive-sa-file
eyJhbGciOiJSUzI1NiIsImtpZCI6ImU1Mnp2SFpHY
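As an added example that is not part of the original post, the Python helper below inspects a service account token in the way sections 1, 2 and 3.2 describe: it decodes the JWT payload (the signature is not verified, so this is an inspection aid and not an authentication step), reports whether the token is a legacy Secret-based token with no expiry or a time-limited bound token, and decides whether a projected token file should be re-read. The sample tokens and the 80% refresh threshold are constructed assumptions.

```python
import base64
import json

def decode_jwt_payload(token: str) -> dict:
    """Return the JWT payload claims. The signature is NOT verified here:
    use this to inspect tokens you already hold, never to authenticate them."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)   # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def token_status(token: str, now: int) -> dict:
    """Classify a service account token by its claims, relative to time 'now'."""
    claims = decode_jwt_payload(token)
    # Bound tokens carry a nested "kubernetes.io" object; legacy tokens use flat
    # "kubernetes.io/serviceaccount/..." claim names instead.
    info = {"subject": claims.get("sub"), "bound": "kubernetes.io" in claims}
    if "exp" not in claims:
        # Legacy Secret-based tokens (section 2) carry no expiry at all.
        info.update(kind="permanent", lifetime=None, remaining=None)
    else:
        # Bound tokens (sections 1 and 3) expire; iat is when they were minted.
        info.update(kind="time-limited",
                    lifetime=claims["exp"] - claims["iat"],
                    remaining=claims["exp"] - now)
    return info

def should_reload(token: str, now: int, refresh_fraction: float = 0.8) -> bool:
    """True when a projected token file (section 3.2) has used more than
    refresh_fraction of its lifetime and should be re-read from the volume."""
    s = token_status(token, now)
    if s["kind"] == "permanent":
        return False
    used = s["lifetime"] - s["remaining"]
    return used >= refresh_fraction * s["lifetime"]

def make_unsigned_token(claims: dict) -> str:
    """Build a sample JWT with a dummy signature (constructed test data only)."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return b64({"alg": "RS256"}) + "." + b64(claims) + ".signature"

# Constructed sample mirroring the decoded payload shown in section 1 (30 min token).
SAMPLE_BOUND = make_unsigned_token({
    "sub": "system:serviceaccount:default:temp-sa", "iat": 1734439680, "exp": 1734441480,
    "kubernetes.io": {"namespace": "default", "serviceaccount": {"name": "temp-sa"}}})
# Constructed sample shaped like a legacy secret token: no exp, no kubernetes.io claim.
SAMPLE_LEGACY = make_unsigned_token({"sub": "system:serviceaccount:default:permanent-sa"})
```

A process that reads the projected file should call should_reload periodically and re-open the file when it returns True, instead of caching the token it read at startup.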

 

 

3.3 Using the TokenRequest API

Create two Service Accounts, one for API calls and one regular one, and use one of them to renew the token.

Or renew directly through a single account and use that.

Exec into the pod and call the API below.

# Read the mounted token (default path; with the section 3.2 setup it is /tmp/token/passive-sa-file) and call the API server with it
TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
curl --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt --header "Authorization: Bearer $TOKEN" https://kubernetes.default.svc/api/v1/namespaces/default/pods

References:

https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/

https://kubernetes.io/docs/concepts/security/service-accounts/

 

OpenSearch is free, but the guide is really too much

Setting readonly when configuring OpenSearch Dashboards through the Operator

If you enter it casually it complains that it must be an array; it has to be entered as shown below.

If other settings also demand an array, enter them the same way, wrapped in double quotes and square brackets.

The guide really is bad to an unreasonable degree...

apiVersion: opensearch.opster.io/v1
kind: OpenSearchCluster
#...
spec:
  dashboards:
    additionalConfig:
      opensearch_security.readonly_mode.roles: "['readonly']"

This is how to use a k8s cluster as a user created through a certificate, instead of using kubernetes-admin.

 

1. Generating a private key

# Generate the key
openssl genrsa -out pangyeon.key 2048

# Generate the CSR
openssl req -new -key pangyeon.key -out pangyeon.csr -subj "/CN=pangyeon"

# Print the CSR as a single base64 line
cat pangyeon.csr | base64 | tr -d "\n"
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

 

 

2. Creating the CertificateSigningRequest

# Create the CertificateSigningRequest
cat <<EOF | kubectl apply -f -
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: pangyeon
spec:
  request: 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
  signerName: kubernetes.io/kube-apiserver-client
  expirationSeconds: 86400  # one day
  usages:
  - client auth
EOF

# List the CertificateSigningRequest just created
kubectl get csr
NAME       AGE   SIGNERNAME                            REQUESTOR          REQUESTEDDURATION   CONDITION
pangyeon   48s   kubernetes.io/kube-apiserver-client   kubernetes-admin   24h                 Pending

# Approve it
kubectl certificate approve pangyeon

# Confirm the approval
kubectl get csr
NAME       AGE     SIGNERNAME                            REQUESTOR          REQUESTEDDURATION   CONDITION
pangyeon   5m17s   kubernetes.io/kube-apiserver-client   kubernetes-admin   24h                 Approved,Issued

# Extract the issued certificate
kubectl get csr pangyeon -o jsonpath='{.status.certificate}'| base64 -d > pangyeon.crt

 

 

3. Creating a Cluster Role

This example grants view (get/list) permission on all resources.

# Create the ClusterRole and ClusterRoleBinding
vi role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: read-only
rules:
- apiGroups: [""]          # "" is the core API group only; resources in other groups (e.g. apps) need their own rule
  resources: ["*"]         # every core resource, which includes secrets
  verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: read-only-binding
subjects:
- kind: User
  name: pangyeon
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: read-only
  apiGroup: rbac.authorization.k8s.io
  
# Apply
kubectl apply -f role.yaml

 

 

4. Creating a context

# Create the credentials
kubectl config set-credentials pangyeon --client-key=pangyeon.key --client-certificate=pangyeon.crt --embed-certs=true

# Add the context
kubectl config set-context pangyeon --cluster=kubernetes --user=pangyeon

# List
kubectl config get-contexts
CURRENT   NAME                          CLUSTER      AUTHINFO           NAMESPACE
*         kubernetes-admin@kubernetes   kubernetes   kubernetes-admin   
          pangyeon                      kubernetes   pangyeon

# Use it
kubectl config use-context pangyeon
Switched to context "pangyeon".

 

 

5. Test

Check that the certificate-based account appears in the kubeconfig, and that because of the permissions only viewing is possible, not deletion.

# Check that the certificate-based account was added to the kubeconfig
cat ~/.kube/config
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: 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
    server: https://127.0.0.1:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
- context:
    cluster: kubernetes
    user: pangyeon
  name: pangyeon
current-context: pangyeon
kind: Config
preferences: {}
users:
- name: kubernetes-admin
  user:
    client-certificate-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURLVENDQWhHZ0F3SUJBZ0lJWUxSTnZQOFl4Qnd3RFFZSktvWklodmNOQVFFTEJRQXdGVEVUTUJFR0ExVUUKQXhNS2EzVmlaWEp1WlhSbGN6QWVGdzB5TkRFd016QXhORFF4TWpkYUZ3MHlOVEV3TXpBeE5EUTJNamRhTUR3eApIekFkQmdOVkJBb1RGbXQxWW1WaFpHMDZZMngxYzNSbGNpMWhaRzFwYm5NeEdUQVhCZ05WQkFNVEVHdDFZbVZ5CmJtVjBaWE10WVdSdGFXNHdnZ0VpTUEwR0NTcUdTSWIzRFFFQkFRVUFBNElCRHdBd2dnRUtBb0lCQVFDZ2xVWmkKYWFweHBaYWdTT2wvcnpTckkzaWJFbUFpa2cyMVNqUGVMMXQ1U21jeEVINnNjUVZTcjV5REd4WUI1ZElLa0lrNwpSN0oyUGVlQi92RFFmbXdrUEQrUlE2bnFkS1QyM0c3R09QeDJla2pwcnJ2ejd4T0xjNGJDVURPTWVGcXl4TjVqClIrZTVSM2w1S3NQU2NxUUs4cTlDSUNVUXJ2NVplYVV1TW96NnFWQXZ3ZWtwZzNZanM2STlwWjJrWTEwTzRwYVAKZHRJTHcyU1NYSUR6YWNCa2txVy9SM1ZUR3ZNdHlqU1Nwak9YMVBwNkEwbHJOaUl1RzA5cDhOanI2U1VsMlptSwpvWGZweXBRV2p2UUJ4aUVXTVB1M2lqcTY3cmhQUVlhTWFmMzJjWmRhRHpFNHBqaTMxS2habWxUTCtlZS9YanhoClZwcWY2MmZIUFVyb01HMkxBZ01CQUFHalZqQlVNQTRHQTFVZER3RUIvd1FFQXdJRm9EQVRCZ05WSFNVRUREQUsKQmdnckJnRUZCUWNEQWpBTUJnTlZIUk1CQWY4RUFqQUFNQjhHQTFVZEl3UVlNQmFBRkRBY0VJSWdPdGdLZzJzTQplUERibTVUMzdzVFdNQTBHQ1NxR1NJYjNEUUVCQ3dVQUE0SUJBUUIrSys4MGVkNWJzNDhNM09acXBtbVdhNmdiCnd5bXl2c3BCZ1JNSGNLQXNMNTNuejNOaytYcDJZRUp1R3h2TDR4RlR0RWUxalhxRzRidkowUWJQcGhtdi9JRkEKWWJHUGNQU3YzMDR2WWhLcnBPMlc3NkE2ZUtFUUFxcS9YVzFaK0VTNEhMTUFYQWtLNzZ0dXNXV3lmY3pxb2NJMwpoYTc2bklBSjA5dkR6VlJQb2VWVGV4TmdWdEYvSFR5b1B1cGFaREhBV1FtOTBPUlduQmM4dHR5Z1pQdU4rVVI0CnFRYTJqRDJySmQ2UXREMUFTT2hkOFNtTHpJTkNBYlVtdXhTZXVZVkNHSy9oUWlWZS9EYVRPL1V4VXRUZStDb1oKYmFNbHBKNk96dVFQZzRZQVBsUXFvYisvSW1hSlVablFPYzdWQWxzN3QwWFEvTDF6Mmpxb0N4OWovcW56Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
    client-key-data: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb3dJQkFBS0NBUUVBb0pWR1ltbX
- name: pangyeon
  user:
    client-certificate-data: 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
    client-key-data: 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
    
# List
kubectl get pods
NAME                           READY   STATUS 
stdout-node-6f945d7989-6xjp2   1/1     Running 

# Only read permission, so deletion is not possible
kubectl delete pods stdout-node-6f945d7989-6xjp2 
Error from server (Forbidden): pods "stdout-node-6f945d7989-6xjp2" is forbidden: User "pangyeon" cannot delete resource "pods" in API group "" in the namespace "default"
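As an added example that is not part of the original post, this Python snippet evaluates requests against the read-only ClusterRole rules from step 3 using RBAC's matching semantics (an entry matches exactly, or "*" matches anything; rules are additive with no deny). It reproduces the step 5 outcome and makes the apiGroups caveat visible. READ_ONLY_WITH_APPS is an assumed variant added only for comparison.

```python
READ_ONLY_RULES = [  # the rules: block of the read-only ClusterRole in step 3
    {"apiGroups": [""], "resources": ["*"], "verbs": ["get", "list"]},
]

# Assumed variant for comparison: the same role plus read access to apps/deployments.
READ_ONLY_WITH_APPS = READ_ONLY_RULES + [
    {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["get", "list"]},
]


def _matches(allowed, value):
    """One RBAC list (apiGroups, resources or verbs): exact entry or the "*" wildcard."""
    return "*" in allowed or value in allowed


def rule_allows(rule, verb, api_group, resource):
    """A single rule allows a request only when all three lists match."""
    return (_matches(rule["apiGroups"], api_group)
            and _matches(rule["resources"], resource)
            and _matches(rule["verbs"], verb))


def role_allows(rules, verb, api_group, resource):
    """RBAC has no deny rules: the request is allowed if any rule matches."""
    return any(rule_allows(r, verb, api_group, resource) for r in rules)


def explain(rules, user, verb, api_group, resource, namespace="default"):
    """Render the decision in the wording of the kubectl error seen in step 5."""
    if role_allows(rules, verb, api_group, resource):
        return f'User "{user}" can {verb} resource "{resource}" in API group "{api_group}"'
    return (f'Error from server (Forbidden): User "{user}" cannot {verb} resource '
            f'"{resource}" in API group "{api_group}" in the namespace "{namespace}"')


def audit_read_only(rules):
    """Points a reviewer would check on a 'read-only' role: does it still reach
    Secrets in the core group, and does it cover the apps group at all?"""
    return {
        "can_read_secrets": role_allows(rules, "get", "", "secrets"),
        "can_read_deployments": role_allows(rules, "get", "apps", "deployments"),
        "can_delete_pods": role_allows(rules, "delete", "", "pods"),
    }
```

Against a live cluster the same checks are kubectl auth can-i delete pods --as pangyeon and kubectl auth can-i get deployments --as pangyeon, run from the admin context.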

 

 

Reference: https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/#normal-user