
As far as I know, the default service account in Kubernetes should not have any permissions assigned. But I can still do the following from a pod on my Docker Desktop k8s:

# In-cluster API server address (resolvable from every pod)
APISERVER=https://kubernetes.default.svc
# Directory where the service account credentials are mounted into the pod
SERVICEACCOUNT=/var/run/secrets/kubernetes.io/serviceaccount
# Namespace of the pod and the bearer token of its service account
NAMESPACE=$(cat ${SERVICEACCOUNT}/namespace)
TOKEN=$(cat ${SERVICEACCOUNT}/token)
# CA certificate used to verify the API server's TLS certificate
CACERT=${SERVICEACCOUNT}/ca.crt
# Cluster-wide pod listing, authenticated as the service account
curl --cacert ${CACERT} --header "Authorization: Bearer ${TOKEN}" -X GET ${APISERVER}/api/v1/pods

How is this possible?

Also, I found that every pod has a different SA token value (cat /var/run/secrets/kubernetes.io/serviceaccount/token), and it differs from the value returned by kubectl describe secret default-token-cl9ds. Shouldn't they be the same?

Update:

$ kubectl get rolebindings.rbac.authorization.k8s.io podviewerrolebinding -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"rbac.authorization.k8s.io/v1","kind":"RoleBinding","metadata":{"annotations":{},"name":"podviewerrolebinding","namespace":"default"},"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"Role","name":"podviewerrole"},"subjects":[{"kind":"ServiceAccount","name":"podviewerserviceaccount"}]}
  creationTimestamp: "2021-09-07T10:01:51Z"
  name: podviewerrolebinding
  namespace: default
  resourceVersion: "402212"
  uid: 2d32f045-b172-4fff-a6b0-1525b0b96e65
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: podviewerrole
subjects:
- kind: ServiceAccount
  name: podviewerserviceaccount

1 Answer


I ran into the same problem; it looks like Docker Desktop has elevated permissions (i.e. admin) by default, see the article here.

Deleting the clusterrolebinding docker-for-desktop-binding with the following command fixes it.

kubectl delete clusterrolebinding docker-for-desktop-binding
answered 2021-09-29T08:15:46.913
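To make the answer concrete, the following is an added example (not code from the question, the answer, or Docker Desktop): a minimal re-implementation of the Kubernetes RBAC authorizer's subject and rule matching, run over constructed Role/RoleBinding objects shaped like `kubectl get ... -o json` output. It shows how a ClusterRoleBinding whose subject is the group `system:serviceaccounts` gives the `default` service account cluster-wide access even though no binding names that account directly, why the questioner's `podviewerrolebinding` cannot explain a cluster-wide `GET /api/v1/pods`, and that removing `docker-for-desktop-binding` closes the hole without touching the narrower binding. The subject of `docker-for-desktop-binding` is not shown on the page; the object below is an assumption built to match the behaviour the answer describes, and `cluster-admin` is spelled out as a wildcard role.

```python
"""Toy RBAC resolver (added example, not the page's own code).
Objects mirror the shape of `kubectl get <kind> -o json` items."""
from typing import Optional

ALL = "*"


def identities(namespace: str, sa: str) -> set:
    """Identities a ServiceAccount token authenticates as: the account
    itself plus the groups the API server attaches to every SA."""
    return {
        ("ServiceAccount", namespace, sa),
        ("Group", None, "system:serviceaccounts:" + namespace),
        ("Group", None, "system:serviceaccounts"),
        ("Group", None, "system:authenticated"),
    }


def subject_matches(subject: dict, idents: set, binding_ns: Optional[str]) -> bool:
    kind, name = subject["kind"], subject["name"]
    if kind == "ServiceAccount":
        # A RoleBinding may omit the SA namespace (as podviewerrolebinding does);
        # it then means the binding's own namespace.
        return ("ServiceAccount", subject.get("namespace", binding_ns), name) in idents
    return (kind, None, name) in idents


def rule_allows(rule: dict, verb: str, group: str, resource: str) -> bool:
    def hit(field: str, want: str) -> bool:
        values = rule.get(field, [])
        return ALL in values or want in values
    return hit("verbs", verb) and hit("apiGroups", group) and hit("resources", resource)


def find_role(objects: list, ref: dict, binding_ns: Optional[str]) -> Optional[dict]:
    for obj in objects:
        if obj["kind"] != ref["kind"] or obj["metadata"]["name"] != ref["name"]:
            continue
        # Roles are namespaced: a RoleBinding's roleRef of kind Role means
        # the Role in the binding's own namespace.
        if obj["kind"] == "Role" and obj["metadata"].get("namespace") != binding_ns:
            continue
        return obj
    return None


def grants(objects: list, namespace: str, sa: str, verb: str, resource: str,
           group: str = "", target_ns: Optional[str] = None) -> list:
    """Names of the bindings that let namespace/sa do `verb` on `resource`.
    target_ns=None models a cluster-wide request such as GET /api/v1/pods,
    which only a ClusterRoleBinding can authorize."""
    idents = identities(namespace, sa)
    out = []
    for b in objects:
        if b["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        b_ns = b["metadata"].get("namespace") if b["kind"] == "RoleBinding" else None
        # A RoleBinding only ever grants inside its own namespace.
        if b["kind"] == "RoleBinding" and target_ns != b_ns:
            continue
        if not any(subject_matches(s, idents, b_ns) for s in b.get("subjects", [])):
            continue
        role = find_role(objects, b["roleRef"], b_ns)
        if role and any(rule_allows(r, verb, group, resource) for r in role.get("rules", [])):
            out.append(b["metadata"]["name"])
    return out


RBAC_API = "rbac.authorization.k8s.io"

# Constructed from the RoleBinding the questioner posted plus the Role it references.
PODVIEWER_ROLE = {"kind": "Role", "metadata": {"name": "podviewerrole", "namespace": "default"},
                  "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]}
PODVIEWER_BINDING = {"kind": "RoleBinding",
                     "metadata": {"name": "podviewerrolebinding", "namespace": "default"},
                     "roleRef": {"apiGroup": RBAC_API, "kind": "Role", "name": "podviewerrole"},
                     "subjects": [{"kind": "ServiceAccount", "name": "podviewerserviceaccount"}]}
CLUSTER_ADMIN = {"kind": "ClusterRole", "metadata": {"name": "cluster-admin"},
                 "rules": [{"apiGroups": [ALL], "resources": [ALL], "verbs": [ALL]}]}
# ASSUMPTION: the page does not show this binding's subjects; this object is
# constructed so that every service account in the cluster becomes cluster-admin,
# which reproduces the behaviour the answer describes.
DOCKER_DESKTOP_BINDING = {"kind": "ClusterRoleBinding",
                          "metadata": {"name": "docker-for-desktop-binding"},
                          "roleRef": {"apiGroup": RBAC_API, "kind": "ClusterRole", "name": "cluster-admin"},
                          "subjects": [{"kind": "Group", "name": "system:serviceaccounts"}]}

CLUSTER_BEFORE = [PODVIEWER_ROLE, PODVIEWER_BINDING, CLUSTER_ADMIN, DOCKER_DESKTOP_BINDING]
# State after `kubectl delete clusterrolebinding docker-for-desktop-binding`.
CLUSTER_AFTER = [o for o in CLUSTER_BEFORE if o["metadata"]["name"] != "docker-for-desktop-binding"]


def default_sa_can_list_all_pods(objects: list) -> bool:
    """The check the questioner's curl performs, as the authorizer sees it."""
    return bool(grants(objects, "default", "default", "list", "pods"))


if __name__ == "__main__":
    print("before:", grants(CLUSTER_BEFORE, "default", "default", "list", "pods"))
    print("after: ", grants(CLUSTER_AFTER, "default", "default", "list", "pods"))
    print("podviewer in default ns:",
          grants(CLUSTER_AFTER, "default", "podviewerserviceaccount", "list", "pods", target_ns="default"))
    print("podviewer cluster-wide: ",
          grants(CLUSTER_AFTER, "default", "podviewerserviceaccount", "list", "pods"))
```

On a real cluster the equivalent check is `kubectl auth can-i list pods --all-namespaces --as=system:serviceaccount:default:default`, and the binding to look for is any ClusterRoleBinding whose subjects include the groups `system:serviceaccounts` or `system:authenticated`; a group subject is why no binding naming `default` directly shows up when you only grep for the account.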