github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-09-13 21:25:09 +00:00
Code Issues Projects Releases Wiki Activity

fix service-account related doc

Browse Source
This commit is contained in:
He Simei
2015-07-30 14:09:15 +08:00
parent ea59172874
commit 1d6c0e287b
4 changed files with 64 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

42
docs/user-guide/service-accounts.md
View File

@@ -61,7 +61,7 @@ pods/podname -o yaml`), you can see the `spec.serviceAccount` field has been
You can access the API using a proxy or with a client library, as described in
[Accessing the Cluster](accessing-the-cluster.md#accessing-the-api-from-a-pod).
## Using Multiple Service Accounts
## Using Multiple Service Accounts.
Every namespace has a default service account resource called "default".
You can list this and any other serviceAccount resources in the namespace with this command:
@@ -120,6 +120,45 @@ $ kubectl delete serviceaccount/build-robot
```
<!-- TODO: describe how to create a pod with no Service Account. -->
Note that if a pod does not have a `ServiceAccount` set, the `ServiceAccount` will be set to `default`.
## Manually create a service account API token.
Suppose we have an existing service account named "build-robot" as mentioned above, and we create
a new secret manually.
```console
$ cat > /tmp/build-robot-secret.yaml <<EOF
apiVersion: v1
kind: Secret
metadata:
name: build-robot-secret
annotations:
kubernetes.io/service-account.name: build-robot
type: kubernetes.io/service-account-token
EOF
$ kubectl create -f /tmp/build-robot-secret.yaml
secrets/build-robot-secret
```
Now you can confirm that the newly built secret is populated with an API token for the "build-robot" service account.
```console
kubectl describe secrets/build-robot-secret
Name: build-robot-secret
Namespace: default
Labels: <none>
Annotations: kubernetes.io/service-account.name=build-robot,kubernetes.io/service-account.uid=870ef2a5-35cf-11e5-8d06-005056b45392
Type: kubernetes.io/service-account-token
Data
====
ca.crt: 1220 bytes
token:
```
> Note that the content of `token` is elided here.
## Adding Secrets to a service account.
@@ -128,7 +167,6 @@ TODO: Test and explain how to use additional non-K8s secrets with an existing se
TODO explain:
- The token goes to: "/var/run/secrets/kubernetes.io/serviceaccount/$WHATFILENAME"
<!-- BEGIN MUNGE: GENERATED_ANALYTICS -->
[![Analytics](https://kubernetes-site.appspot.com/UA-36037335-10/GitHub/docs/user-guide/service-accounts.md?pixel)]()
<!-- END MUNGE: GENERATED_ANALYTICS -->