From 1d6c0e287b43a9dcb616c7b23a29677d1a654e99 Mon Sep 17 00:00:00 2001
From: He Simei
Date: Thu, 30 Jul 2015 14:09:15 +0800
Subject: [PATCH] fix service-account related doc
---
 docs/admin/authorization.md | 12 ++++----
 docs/admin/service-accounts-admin.md | 22 +++++++++------
 docs/design/secrets.md | 6 ++--
 docs/user-guide/service-accounts.md | 42 ++++++++++++++++++++++++++--
 4 files changed, 64 insertions(+), 18 deletions(-)
diff --git a/docs/admin/authorization.md b/docs/admin/authorization.md
index 6dad2a51a1..01fb71cab4 100644
--- a/docs/admin/authorization.md
+++ b/docs/admin/authorization.md
@@ -57,10 +57,11 @@ The following implementations are available, and are selected by flag:
 ### Request Attributes
-A request has 4 attributes that can be considered for authorization:
+A request has 5 attributes that can be considered for authorization:
 - user (the user-string which a user was authenticated as).
- - whether the request is readonly (GETs are readonly)
- - what resource is being accessed
+ - group (the list of group names the authenticated user is a member of).
+ - whether the request is readonly (GETs are readonly).
+ - what resource is being accessed.
 - applies only to the API endpoints, such as `/api/v1/namespaces/default/pods`. For miscellaneous endpoints, like `/version`, the resource is the empty string.
@@ -78,7 +79,8 @@ The file format is [one JSON object per line](http://jsonlines.org/). There sho
 one map per line. Each line is a "policy object". A policy object is a map with the following properties:
- - `user`, type string; the user-string from `--token-auth-file`
+ - `user`, type string; the user-string from `--token-auth-file`. If you specify `user`, it must match the username of the authenticated user.
+ - `group`, type string; if you specify `group`, it must match one of the groups of the authenticated user.
 - `readonly`, type boolean, when true, means that the policy only applies to GET operations.
 - `resource`, type string; a resource from an URL, such as `pods`.
@@ -151,7 +153,7 @@ type Authorizer interface {
 to determine whether or not to allow each API action. An authorization plugin is a module that implements this interface.
-Authorization plugin code goes in `pkg/auth/authorization/$MODULENAME`.
+Authorization plugin code goes in `pkg/auth/authorizer/$MODULENAME`.
 An authorization module can be completely implemented in go, or can call out to a remote authorization service. Authorization modules can implement
diff --git a/docs/admin/service-accounts-admin.md b/docs/admin/service-accounts-admin.md
index 5dfeda013b..d396e1f2c8 100644
--- a/docs/admin/service-accounts-admin.md
+++ b/docs/admin/service-accounts-admin.md
@@ -96,14 +96,15 @@ account, and the controller will update it with a generated token:
 ```json
 secret.json:
 {
- "kind": "Secret",
- "metadata": {
- "name": "mysecretname",
- "annotations": {
- "kubernetes.io/service-account.name": "myserviceaccount"
- }
- }
- "type": "kubernetes.io/service-account-token"
+ "kind": "Secret",
+ "apiVersion": "v1",
+ "metadata": {
+ "name": "mysecretname",
+ "annotations": {
+ "kubernetes.io/service-account.name": "myserviceaccount"
+ }
+ },
+ "type": "kubernetes.io/service-account-token"
 }
 ```
@@ -118,6 +119,11 @@ kubectl describe secret mysecretname
 kubectl delete secret mysecretname
 ```
+### Service Account Controller
+
+Service Account Controller manages ServiceAccount inside namespaces, and ensures
+a ServiceAccount named "default" exists in every active namespace.
+
 [![Analytics](https://kubernetes-site.appspot.com/UA-36037335-10/GitHub/docs/admin/service-accounts-admin.md?pixel)]()
diff --git a/docs/design/secrets.md b/docs/design/secrets.md
index 350d151b14..895d9448c9 100644
--- a/docs/design/secrets.md
+++ b/docs/design/secrets.md
@@ -321,9 +321,9 @@ type Secret struct {
 type SecretType string
 const (
- SecretTypeOpaque SecretType = "Opaque" // Opaque (arbitrary data; default)
- SecretTypeKubernetesAuthToken SecretType = "KubernetesAuth" // Kubernetes auth token
- SecretTypeDockerRegistryAuth SecretType = "DockerRegistryAuth" // Docker registry auth
+ SecretTypeOpaque SecretType = "Opaque" // Opaque (arbitrary data; default)
+ SecretTypeServiceAccountToken SecretType = "kubernetes.io/service-account-token" // Kubernetes auth token
+ SecretTypeDockercfg SecretType = "kubernetes.io/dockercfg" // Docker registry auth
 // FUTURE: other type values
 )
diff --git a/docs/user-guide/service-accounts.md b/docs/user-guide/service-accounts.md
index 13da2cd53e..f1d22125e7 100644
--- a/docs/user-guide/service-accounts.md
+++ b/docs/user-guide/service-accounts.md
@@ -61,7 +61,7 @@ pods/podname -o yaml`), you can see the `spec.serviceAccount` field has been
 You can access the API using a proxy or with a client library, as described in [Accessing the Cluster](accessing-the-cluster.md#accessing-the-api-from-a-pod).
-## Using Multiple Service Accounts
+## Using Multiple Service Accounts.
 Every namespace has a default service account resource called "default". You can list this and any other serviceAccount resources in the namespace with this command:
@@ -120,6 +120,45 @@ $ kubectl delete serviceaccount/build-robot
 ```
+Note that if a pod does not have a `ServiceAccount` set, the `ServiceAccount` will be set to `default`.
+
+## Manually create a service account API token.
+
+Suppose we have an existing service account named "build-robot" as mentioned above, and we create
+a new secret manually.
+
+```console
+$ cat > /tmp/build-robot-secret.yaml <
+Annotations: kubernetes.io/service-account.name=build-robot,kubernetes.io/service-account.uid=870ef2a5-35cf-11e5-8d06-005056b45392
+
+Type: kubernetes.io/service-account-token
+
+Data
+====
+ca.crt: 1220 bytes
+token:
+```
+
+> Note that the content of `token` is elided here.
 ## Adding Secrets to a service account.
@@ -128,7 +167,6 @@ TODO: Test and explain how to use additional non-K8s secrets with an existing se
 TODO explain: - The token goes to: "/var/run/secrets/kubernetes.io/serviceaccount/$WHATFILENAME" - [![Analytics](https://kubernetes-site.appspot.com/UA-36037335-10/GitHub/docs/user-guide/service-accounts.md?pixel)]()