-
Notifications
You must be signed in to change notification settings - Fork 551
Evaluate: K8s Service Account
cdxy edited this page Nov 24, 2020
·
1 revision
K8s集群创建的Pod中,容器内部默认携带K8s Service Account的认证凭据(/run/secrets/kubernetes.io/serviceaccount/token
),CDK将利用该凭据尝试认证K8s api-server服务器并访问高权限接口,如果执行成功意味着该账号拥有高权限,您可以直接利用Service Account管理K8s集群。
By default, the containers of K8s Pods will carry a service account token in /run/secrets/kubernetes.io/serviceaccount/token
, CDK will try to authorize K8s api-server with this service account token, and check if high-authority APIs are available. A successful connection means current Pod has a high-authority service account allows you to manipulate K8s cluster resources.
cdk evaluate