K8S ServiceAccount

1. ServiceAccount

A ServiceAccount is a namespaced Kubernetes resource that gives Pods (and other in-cluster workloads) an identity for authenticating to the Kubernetes API. On its own it grants no permissions: what a ServiceAccount may do is decided by the RBAC rules bound to it. It is typically used so that a Pod can call the API, or other services that trust the cluster's token issuer, under a known identity rather than anonymously.

ServiceAccount addresses the following:

  1. Authentication: a ServiceAccount gives a Pod an identity with which to call the Kubernetes API. The API server authenticates the Pod's token and then makes its authorization decision based on that ServiceAccount identity.

  2. Permission control: through the RBAC objects bound to a ServiceAccount, administrators decide which resources and operations a Pod may use, so that a compromised Pod can do no more than its ServiceAccount allows.

  3. Independent identity: a Pod authenticates as its own ServiceAccount rather than borrowing a user's kubeconfig or another workload's credentials, so permissions can be scoped per workload and a leaked token can be traced back to one identity.

ServiceAccount is an important resource in Kubernetes for managing Pod authentication and authorization. It enables Pods to have independent identities in the cluster, thereby achieving more fine-grained permission control and security policies.

2. Resource objects related to ServiceAccount

In Kubernetes, ServiceAccount, Secret, Role, ClusterRole, RoleBinding and ClusterRoleBinding are distinct resource objects, but they are closely related and are used together to implement authentication, authorization, and security policy.

  1. ServiceAccount: defines the identity under which a Pod (or a group of Pods) talks to the Kubernetes API. The token that carries this identity is mounted into the Pod's containers (by default at /var/run/secrets/kubernetes.io/serviceaccount/token). Every namespace gets a ServiceAccount named default; a Pod uses it unless spec.serviceAccountName selects another one. Setting automountServiceAccountToken: false on the ServiceAccount or the Pod keeps the token out of workloads that never call the API.

  2. Secret: a resource for storing sensitive data such as passwords, API keys and certificates. Before Kubernetes 1.24 the control plane automatically created a Secret of type kubernetes.io/service-account-token for every ServiceAccount, holding a long-lived, non-expiring token. Since 1.24 that no longer happens: the kubelet requests a short-lived, audience-bound token through the TokenRequest API and projects it into the Pod, and a token Secret exists only if an administrator creates one explicitly. Such legacy Secret tokens never expire and are valid from anywhere, so if one is needed at all it should be treated as a credential to rotate, and deleting the Secret is how it is revoked.

  3. ClusterRole: defines a set of permissions and is not namespaced. It can cover cluster-scoped resources (nodes, namespaces, persistentvolumes) or namespaced resources across all namespaces, and it can be referenced by a ClusterRoleBinding (cluster-wide effect) or by RoleBindings in individual namespaces (effect limited to that namespace), so one ClusterRole can be reused by many namespaces.

  4. RoleBinding: associates a Role or a ClusterRole with subjects (users, groups, ServiceAccounts), granting the role's rules to them. A RoleBinding grants within one namespace, and even when it references a ClusterRole the rules apply only in the binding's namespace; a ClusterRoleBinding grants across the whole cluster and can reference only a ClusterRole.

Relationships:

  • A ServiceAccount may have an associated Secret holding a long-lived token (legacy behaviour, or one created deliberately); on current clusters the token is projected into the Pod and no Secret is involved.
  • ClusterRole defines a set of permissions, and RoleBinding can grant these permissions to specific ServiceAccounts or users to implement access control to resources.
  • In a namespace, Role can define the access rights of a ServiceAccount to resources in the namespace, and RoleBinding associates Role with ServiceAccount.
  • ClusterRole and ClusterRoleBinding are used to control resource access at the cluster level, while Role and RoleBinding are used to control resource access within a namespace.

The relationship between ServiceAccount and Secret, ClusterRole, and RoleBinding is close, and together they constitute the authentication, authorization, and security policy system in Kubernetes.
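The two token layouts described in this section, decoded and classified by an added example (this code is not part of the original post or of Kubernetes; the tokens it parses are constructed inline with a dummy signature and fake UIDs, and the claim names are those the API server issues for projected and for legacy Secret tokens):

```python
import base64
import json
import time
from typing import Optional

# Both tokens below are CONSTRUCTED for this example (dummy signature, fake
# UIDs); they were not issued by any cluster. The claim layouts are the ones the
# API server emits for a projected (bound) token and a legacy Secret token.

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _make_token(claims: dict) -> str:
    header = _b64url(json.dumps({"alg": "RS256", "kid": "demo"}).encode())
    return ".".join([header, _b64url(json.dumps(claims).encode()),
                     _b64url(b"dummy-signature")])

NOW = 1_700_000_000  # fixed "current time" so the example is deterministic

BOUND_TOKEN = _make_token({
    "iss": "https://kubernetes.default.svc.cluster.local",
    "aud": ["https://kubernetes.default.svc.cluster.local"],
    "iat": NOW, "nbf": NOW, "exp": NOW + 3600,
    "sub": "system:serviceaccount:my-namespace:flink-operator-sa",
    "kubernetes.io": {
        "namespace": "my-namespace",
        "pod": {"name": "my-flink-app-jobmanager-0", "uid": "pod-uid-demo"},
        "serviceaccount": {"name": "flink-operator-sa", "uid": "sa-uid-demo"},
    },
})

LEGACY_TOKEN = _make_token({
    "iss": "kubernetes/serviceaccount",
    "kubernetes.io/serviceaccount/namespace": "my-namespace",
    "kubernetes.io/serviceaccount/secret.name": "flink-operator-sa-token-demo",
    "kubernetes.io/serviceaccount/service-account.name": "flink-operator-sa",
    "kubernetes.io/serviceaccount/service-account.uid": "sa-uid-demo",
    "sub": "system:serviceaccount:my-namespace:flink-operator-sa",
})

def decode_claims(token: str) -> dict:
    """Return the JWT payload. The signature is NOT verified: only the API
    server holds the issuer key, so use this for inspection and triage, never
    for an authorization decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))

def classify_token(token: str, now: Optional[int] = None) -> dict:
    """Identify the ServiceAccount behind a token and whether it is a bound
    (short-lived, pod-scoped) token or a legacy non-expiring Secret token."""
    now = int(time.time()) if now is None else now
    c = decode_claims(token)
    sub = c.get("sub", "")
    if not sub.startswith("system:serviceaccount:"):
        raise ValueError("not a ServiceAccount token: " + sub)
    ns, name = sub.split(":")[2:4]
    bound = "kubernetes.io" in c and "exp" in c
    exp = c.get("exp")
    secret = c.get("kubernetes.io/serviceaccount/secret.name")
    return {
        "service_account": f"{ns}/{name}",
        "kind": "bound" if bound else "legacy",
        "audience": c.get("aud", []),
        "expired": exp is not None and exp <= now,
        "pod": (c.get("kubernetes.io", {}).get("pod") or {}).get("name"),
        "secret_name": secret,
        # A bound token dies with its Pod or its expiry; a legacy token only
        # dies when its Secret (or the ServiceAccount) is deleted.
        "revoke_by": ("delete the bound Pod or wait for expiry" if bound
                      else f"delete Secret {ns}/{secret}"),
    }

if __name__ == "__main__":
    for t in (BOUND_TOKEN, LEGACY_TOKEN):
        print(classify_token(t, now=NOW))
```

A legacy token found outside the cluster (in a repository, a CI log, a backup) is a live credential until its Secret is deleted; a bound token found the same way is useless once the Pod it names is gone or its exp has passed, which is the practical reason to prefer projected tokens.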

3. ServiceAccount example

Creating a complete Flink Operator demo involves multiple steps and resource configurations. The following is a basic example for reference; it is simplified, and more configuration and tuning will be needed in practice.

1. Create a ServiceAccount and a Secret

First, create the ServiceAccount the Flink Pods will run as, and a Secret holding configuration the Flink cluster needs. Note that nothing in these two manifests links them: the Secret is ordinary application data, not the ServiceAccount's token, and it reaches a Pod only if the Pod mounts it (or reads it through the API, which would require a "get" on secrets that the ClusterRole below does not grant).

# Create the ServiceAccount
apiVersion: v1
kind: ServiceAccount
metadata:
  name: flink-operator-sa
  namespace: my-namespace
---
# Create the Secret holding the Flink cluster configuration
apiVersion: v1
kind: Secret
metadata:
  name: flink-cluster-secret
  namespace: my-namespace
type: Opaque
data:
  cluster.yaml: <base64-encoded-cluster-config>

2. Create a ClusterRole and a ClusterRoleBinding

Define a ClusterRole with the permissions Flink needs, then create a ClusterRoleBinding that binds it to the ServiceAccount created above. Be clear about what the binding's scope means: a ClusterRoleBinding lets this ServiceAccount get, create and delete Pods in every namespace, including kube-system, and creating a Pod in another namespace lets it run under any ServiceAccount there and read that token. If the Flink cluster only ever lives in my-namespace, bind the same rules with a RoleBinding in that namespace instead (a RoleBinding may reference a ClusterRole and still confines it to its own namespace), and reserve ClusterRoleBinding for operators that genuinely manage workloads cluster-wide.

# Create the ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: flink-operator-cluster-role
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "watch", "create", "update", "delete"]
---
# Create the ClusterRoleBinding, binding the ClusterRole to the ServiceAccount
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: flink-operator-cluster-role-binding
subjects:
  - kind: ServiceAccount
    name: flink-operator-sa
    namespace: my-namespace
roleRef:
  kind: ClusterRole
  name: flink-operator-cluster-role
  apiGroup: rbac.authorization.k8s.io

3. Create a Flink deployment

Create a Flink application that runs under the ServiceAccount created above. Here serviceAccountName is assigned to the JobManager and TaskManager Pods the operator creates, so the RBAC rules above govern what those Pods can do, not the operator's own controller. The manifest below is a sketch: the resource kind and field names depend on which operator is installed (the Apache Flink Kubernetes Operator, for instance, uses apiVersion flink.apache.org/v1beta1 and kind FlinkDeployment with a different spec layout), so check the installed CRD with kubectl explain before applying it.

apiVersion: flink.k8s.io/v1alpha1
kind: FlinkApplication
metadata:
  name: my-flink-app
  namespace: my-namespace
spec:
  image: apache/flink:1.14.0
  serviceAccountName: flink-operator-sa
  jobManager:
    replicas: 1
    resources:
      requests:
        memory: "1Gi"
      limits:
        memory: "1Gi"
  taskManager:
    replicas: 2
    resources:
      requests:
        memory: "2Gi"
      limits:
        memory: "2Gi"
  job:
    jarFile: "s3://my-bucket/flink-job.jar"

In this example we created a ServiceAccount and a Secret, defined a ClusterRole and a ClusterRoleBinding, and then used these resources to create a Flink deployment. Adjust the configuration to your environment and needs, and in particular check that the permissions granted are the minimum the Flink Pods actually require.
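To make the relationships of section 2 and the scope caveat on this example's ClusterRoleBinding concrete, the following added example (not part of the original post or of any Flink operator) resolves the page's ClusterRole and ClusterRoleBinding to the ServiceAccount's effective permissions, answers the same question as kubectl auth can-i, and flags over-broad grants. The Role/RoleBinding pair named flink-operator-role and flink-operator-role-binding is an assumed namespace-scoped alternative that is not on the page; resourceNames and subresources are ignored for simplicity.

```python
from dataclasses import dataclass
from typing import Optional

# The page's ClusterRole and ClusterRoleBinding transcribed as dicts (the shape a
# YAML parser yields), plus an ASSUMED namespace-scoped Role/RoleBinding pair
# with the same rules, which is not on the page.
PAGE_CLUSTER_ROLE = {
    "kind": "ClusterRole", "metadata": {"name": "flink-operator-cluster-role"},
    "rules": [{"apiGroups": [""], "resources": ["pods"],
               "verbs": ["get", "list", "watch", "create", "update", "delete"]}]}
PAGE_CRB = {
    "kind": "ClusterRoleBinding", "metadata": {"name": "flink-operator-cluster-role-binding"},
    "subjects": [{"kind": "ServiceAccount", "name": "flink-operator-sa", "namespace": "my-namespace"}],
    "roleRef": {"kind": "ClusterRole", "name": "flink-operator-cluster-role",
                "apiGroup": "rbac.authorization.k8s.io"}}
ALT_ROLE = {
    "kind": "Role", "metadata": {"name": "flink-operator-role", "namespace": "my-namespace"},
    "rules": PAGE_CLUSTER_ROLE["rules"]}
ALT_RB = {
    "kind": "RoleBinding", "metadata": {"name": "flink-operator-role-binding", "namespace": "my-namespace"},
    "subjects": PAGE_CRB["subjects"],
    "roleRef": {"kind": "Role", "name": "flink-operator-role", "apiGroup": "rbac.authorization.k8s.io"}}

CLUSTER_WIDE = [PAGE_CLUSTER_ROLE, PAGE_CRB]   # what the page applies
NAMESPACED = [ALT_ROLE, ALT_RB]                # the least-privilege alternative

@dataclass(frozen=True)
class Grant:
    api_groups: tuple
    resources: tuple
    verbs: tuple
    namespace: Optional[str]  # None means the grant applies in every namespace

def _is_subject(s: dict, ns: str, name: str) -> bool:
    return s.get("kind") == "ServiceAccount" and s.get("name") == name and s.get("namespace") == ns

def effective_grants(objects: list, sa_ns: str, sa_name: str) -> list:
    """Resolve every binding naming the ServiceAccount to the rules it grants.
    A ClusterRoleBinding applies cluster-wide; a RoleBinding confines even a
    ClusterRole's rules to the binding's own namespace."""
    roles = {(o["kind"], o["metadata"].get("namespace"), o["metadata"]["name"]): o
             for o in objects if o["kind"] in ("Role", "ClusterRole")}
    grants = []
    for b in objects:
        if b["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        if not any(_is_subject(s, sa_ns, sa_name) for s in b.get("subjects", [])):
            continue
        ref = b["roleRef"]
        if b["kind"] == "ClusterRoleBinding":
            scope, key = None, ("ClusterRole", None, ref["name"])
        else:
            scope = b["metadata"]["namespace"]
            key = (("ClusterRole", None, ref["name"]) if ref["kind"] == "ClusterRole"
                   else ("Role", scope, ref["name"]))
        role = roles.get(key)
        if role is None:  # dangling roleRef: the binding grants nothing
            continue
        for r in role.get("rules", []):
            grants.append(Grant(tuple(r.get("apiGroups", [])), tuple(r.get("resources", [])),
                                tuple(r.get("verbs", [])), scope))
    return grants

def _match(allowed: tuple, value: str) -> bool:
    return "*" in allowed or value in allowed

def can_i(grants: list, verb: str, resource: str, namespace: str, api_group: str = "") -> bool:
    """Same question as: kubectl auth can-i VERB RESOURCE -n NS --as=system:serviceaccount:NS:NAME"""
    return any((g.namespace is None or g.namespace == namespace)
               and _match(g.api_groups, api_group) and _match(g.resources, resource)
               and _match(g.verbs, verb) for g in grants)

def audit(grants: list) -> list:
    """Flag grants that exceed what a single-namespace workload should hold."""
    findings = []
    for g in grants:
        where = "cluster-wide" if g.namespace is None else f"in namespace {g.namespace}"
        if "*" in g.resources or "*" in g.verbs:
            findings.append(f"wildcard rule {where}")
        if g.namespace is None and _match(g.resources, "pods") and _match(g.verbs, "create"):
            findings.append("can create pods in every namespace: a pod started in another namespace "
                            "can run as any ServiceAccount there and read its mounted token")
        if _match(g.resources, "secrets") and (_match(g.verbs, "get") or _match(g.verbs, "list")):
            findings.append(f"can read secrets {where}")
        for v in ("escalate", "bind", "impersonate"):
            if _match(g.verbs, v):
                findings.append(f"holds RBAC escalation verb '{v}' {where}")
    return findings

if __name__ == "__main__":
    for label, objs in (("page manifests", CLUSTER_WIDE), ("namespaced alternative", NAMESPACED)):
        g = effective_grants(objs, "my-namespace", "flink-operator-sa")
        print(label, "| create pods in kube-system:", can_i(g, "create", "pods", "kube-system"),
              "| findings:", audit(g))
```

Run against the page's manifests the ServiceAccount can create Pods in kube-system and the audit reports it; against the namespaced alternative the same rules work inside my-namespace only and the audit is clean. On a live cluster the equivalent check is kubectl auth can-i create pods -n kube-system --as=system:serviceaccount:my-namespace:flink-operator-sa.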

Origin blog.csdn.net/summer_fish/article/details/132149381