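Overview
Since the Kubernetes v1.24.0 update, creating a ServiceAccount no longer automatically generates a Secret; the Secret has to be created manually.
Creation steps
Create the SA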
# Role: permissions granted to the CI/CD account inside the jtkjdev namespace
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: jtkjdev
  name: gitcicd-role
rules:
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["delete","create","get"]
- apiGroups: [""]
  resources: ["services"]
  # Kubernetes RBAC cannot restrict create requests by resource name,
  # so resourceNames only takes effect for delete and get here.
  resourceNames: ["jtkj-auth-service"]
  verbs: ["delete","create","get"]
---
# ServiceAccount used by the CI/CD pipeline
apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: jtkjdev
  name: gitcicd-sa
---
# RoleBinding: binds gitcicd-role to gitcicd-sa
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: jtkjdev
  name: gitcicd-role-sa-binding
subjects:
- kind: ServiceAccount
  name: gitcicd-sa
  namespace: jtkjdev
roleRef:
  kind: Role
  name: gitcicd-role
  apiGroup: rbac.authorization.k8s.io
Create the Secret
# The annotation tells the control plane which ServiceAccount to issue the token for
apiVersion: v1
kind: Secret
type: kubernetes.io/service-account-token
metadata:
  namespace: jtkjdev
  name: gitcicd-sa-secret
  annotations:
    kubernetes.io/service-account.name: "gitcicd-sa"
View the information
[root@master sys]# kubectl describe serviceaccounts gitcicd-sa -n jtkjdev
Name:                gitcicd-sa
Namespace:           jtkjdev
Labels:              <none>
Annotations:         <none>
Image pull secrets:  <none>
Mountable secrets:   <none>
Tokens:              gitcicd-sa-secret
Events:              <none>
[root@master sys]# kubectl describe secrets gitcicd-sa-secret -n jtkjdev
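This token can be used to log in to the Kubernetes dashboard.
The token can also be viewed in the Kubernetes dashboard. The token shown on that page is base64-encoded; once decoded, it is identical to the generated one.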
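
The base64 decoding described above can be taken one step further to check what the token asserts. The following is an added example, not code from the original post: it decodes a Secret's `.data.token` value, reads the JWT claims, and reports whether the token carries an expiry. The sample token is constructed and unsigned, and its claim names are assumed to follow the layout Kubernetes uses for Secret-based ServiceAccount tokens.

```python
import base64
import json

def token_from_secret_data(data_token: str) -> str:
    """Decode the base64 `.data.token` value of a Secret into the bearer token."""
    return base64.b64decode(data_token).decode("ascii")

def jwt_claims(token: str) -> dict:
    """Return the payload claims of a JWT without verifying its signature."""
    _header, payload, _signature = token.split(".")
    # JWT segments are unpadded base64url; restore the padding before decoding.
    padded = payload + "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def review(claims: dict) -> dict:
    """Summarise who the token authenticates as and whether it ever expires."""
    return {
        "subject": claims.get("sub"),
        "secret": claims.get("kubernetes.io/serviceaccount/secret.name"),
        "expires": "exp" in claims,
    }

def make_sample_data_token() -> str:
    """Build a constructed, unsigned stand-in for the Secret's `.data.token`."""
    def segment(obj: dict) -> str:
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    claims = {  # constructed values, modelled on the manifests above
        "iss": "kubernetes/serviceaccount",
        "kubernetes.io/serviceaccount/namespace": "jtkjdev",
        "kubernetes.io/serviceaccount/secret.name": "gitcicd-sa-secret",
        "kubernetes.io/serviceaccount/service-account.name": "gitcicd-sa",
        "sub": "system:serviceaccount:jtkjdev:gitcicd-sa",
    }
    token = ".".join([segment({"alg": "RS256", "typ": "JWT"}), segment(claims), "c2lnbmF0dXJl"])
    return base64.b64encode(token.encode()).decode()

if __name__ == "__main__":
    bearer = token_from_secret_data(make_sample_data_token())
    print(review(jwt_claims(bearer)))
```

Against a real cluster, the input is the output of `kubectl get secret gitcicd-sa-secret -n jtkjdev -o jsonpath='{.data.token}'`. A Secret-based token has no `exp` claim, so it stays valid until the Secret is deleted.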