MOCK 3

Nam_JU · August 13, 2024

Create a new service account with the name pvviewer. Grant this Service account access to list all PersistentVolumes in the cluster by creating an appropriate cluster role called pvviewer-role and ClusterRoleBinding called pvviewer-role-binding.

Next, create a pod called pvviewer with the image: redis and serviceAccount: pvviewer in the default namespace.

  • Create the service account: k create serviceaccount []
  • Create the cluster role: k create clusterrole --help
controlplane ~ ➜  k create servcie account pvviewer
Error: must specify one of -f and -k

error: unknown command "servcie account pvviewer"
See 'kubectl create -h' for help and examples

controlplane ~ ✖ k create  serviceaccount pvviewer
serviceaccount/pvviewer created

controlplane ~ ➜  k get sa
NAME       SECRETS   AGE
default    0         34m
pvviewer   0         21s

controlplane ~ ➜  k get sviceaccount
error: the server doesn't have a resource type "sviceaccount"

controlplane ~ ✖ k get serviceaccount
NAME       SECRETS   AGE
default    0         34m
pvviewer   0         41s

controlplane ~ ➜  k get sa
NAME       SECRETS   AGE
default    0         34m
pvviewer   0         48s

controlplane ~ ➜  k create cluster role --h
error: unknown flag: --h
See 'kubectl create --help' for usage.

controlplane ~ ✖ k create cluster role --help
Create a resource from a file or from stdin.

 JSON and YAML formats are accepted.

Examples:
  # Create a pod using the data in pod.json
  kubectl create -f ./pod.json
  
  # Create a pod based on the JSON passed into stdin
  cat pod.json | kubectl create -f -
  
# Example
controlplane ~ ➜  kubectl create clusterrole hi-role --verb=list --resource=persistentvolumes  
  
  
controlplane ~ ➜  k get clusterrole pvviewer-role
NAME            CREATED AT
pvviewer-role   2024-08-12T23:36:22Z

Create the cluster role binding

controlplane ~ ➜  k create clusterrolebinding --help
Create a cluster role binding for a particular cluster role.

Examples:
  # Create a cluster role binding for user1, user2, and group1 using the cluster-admin cluster role
  kubectl create clusterrolebinding cluster-admin --clusterrole=cluster-admin --user=user1
--user=user2 --group=group1


controlplane ~ ➜  ubectl create clusterrolebinding cluster-admin --clu^Cerrole=cluster-admin --user=user1
--user=user2 --group=group1

controlplane ~ ✖ ubectl create clusterrolebinding cluster-admin --clusterrole=cluster-admin --user=user1
--user=user2 --group=group1^C

controlplane ~ ✖ kubectl create clusterrolebinding pvviewr-role-binding --clusterrole=pvviewr-role --serviceaccount=pvviewer
error: serviceaccount must be <namespace>:<name>

controlplane ~ ✖ kubectl create clusterrolebinding pvviewr-role-binding --clusterrole=pvviewr-role --serviceaccount=default:pvviewer
clusterrolebinding.rbac.authorization.k8s.io/pvviewr-role-binding created

controlplane ~ ➜  k describe clusterrolebinding pvviewr-role-binding 
Name:         pvviewr-role-binding
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  ClusterRole
  Name:  pvviewr-role
Subjects:
  Kind            Name      Namespace
  ----            ----      ---------
  ServiceAccount  pvviewer  default
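
Added example, not part of the original post: the binding above points at `pvviewr-role`, while the role listed earlier is `pvviewer-role`. `kubectl create clusterrolebinding` does not check that the referenced ClusterRole exists, so a misspelled roleRef is accepted and grants nothing. The script below compares the two outputs from this post (embedded as constructed sample input); the function names are hypothetical helpers.

```shell
#!/usr/bin/env bash
# Constructed sample input: the two outputs shown in this post.
DESCRIBE_OUTPUT='Name:         pvviewr-role-binding
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  ClusterRole
  Name:  pvviewr-role
Subjects:
  Kind            Name      Namespace
  ----            ----      ---------
  ServiceAccount  pvviewer  default'
CLUSTERROLES='NAME            CREATED AT
pvviewer-role   2024-08-12T23:36:22Z'

# Print the role a binding refers to: the "Name:" line inside the "Role:" block.
binding_role_ref() {
  printf '%s\n' "$1" | awk '
    /^Role:/ { in_role = 1; next }
    /^[^ ]/  { in_role = 0 }
    in_role && $1 == "Name:" { print $2; exit }'
}

# Succeed if the name appears in the NAME column of `kubectl get clusterrole` output.
role_exists() {
  printf '%s\n' "$2" | awk -v want="$1" '
    NR > 1 && $1 == want { found = 1 }
    END { exit !found }'
}

# Print ok:<role> or dangling:<role> for a binding; non-zero status on a problem.
check_binding() {
  ref_name=$(binding_role_ref "$1")
  if [ -z "$ref_name" ]; then echo "no-roleref"; return 2; fi
  if role_exists "$ref_name" "$2"; then
    echo "ok:$ref_name"
  else
    echo "dangling:$ref_name"
    return 1
  fi
}

# On a live cluster, feed it real output instead of the samples:
#   check_binding "$(kubectl describe clusterrolebinding pvviewr-role-binding)" \
#                 "$(kubectl get clusterrole)"
# and confirm the effective permission with:
#   kubectl auth can-i list persistentvolumes --as=system:serviceaccount:default:pvviewer
check_binding "$DESCRIBE_OUTPUT" "$CLUSTERROLES" || true
```
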

controlplane ~ ✖ vi pvviewer.yaml 

controlplane ~ ➜  cat pvviewer.yaml 
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: pvviewr
  name: pvviewr
spec:
  serviceAccountName: pvviewr
  containers:
  - image: redis
    name: pvviewr
    resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Always
status: {}

controlplane ~ ➜  k apply -f pvviewer.yaml 
Error from server (Forbidden): error when creating "pvviewer.yaml": pods "pvviewr" is forbidden: error looking up service account default/pvviewr: serviceaccount "pvviewr" not found

controlplane ~ ✖ vi pvviewer.yaml 

controlplane ~ ➜  k apply -f pvviewer.yaml 
pod/pvviewr created

controlplane ~ ➜  k describe pod pvviewr 
Name:             pvviewr
Namespace:        default
Priority:         0
Service Account:  pvviewer
Node:             node01/192.0.206.11
Start Time:       Tue, 13 Aug 2024 00:00:53 +0000
Labels:           run=pvviewr
Annotations:      <none>
Status:           Running
IP:               10.244.192.1
IPs:
  IP:  10.244.192.1
Containers:
  pvviewr:
    Container ID:   containerd://686f3477564181a904f0184ef547de8b8ea0b18e897bfb137f37988f68f941d2
    Image:          redis
    Image ID:       docker.io/library/redis@sha256:79676a8f74e4aed85b6d6a2f4e4e3e55d8a229baa7168362e592bbfdc67b0c9b
    Port:           <none>
    Host Port:      <none>
    State:          Running
      Started:      Tue, 13 Aug 2024 00:00:56 +0000
    Ready:          True
    Restart Count:  0
    Environment:    <none>
    Mounts:
      /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-ljrqw (ro)
Conditions:
  Type                        Status
  PodReadyToStartContainers   True 
  Initialized                 True 
  Ready                       True 
  ContainersReady             True 
  PodScheduled                True 
Volumes:
  kube-api-access-ljrqw:
    Type:                    Projected (a volume that contains injected data from multiple sources)
    TokenExpirationSeconds:  3607
    ConfigMapName:           kube-root-ca.crt
    ConfigMapOptional:       <nil>
    DownwardAPI:             true
QoS Class:                   BestEffort
Node-Selectors:              <none>
Tolerations:                 node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
                             node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
Events:
  Type    Reason     Age   From               Message
  ----    ------     ----  ----               -------
  Normal  Scheduled  18s   default-scheduler  Successfully assigned default/pvviewr to node01
  Normal  Pulling    17s   kubelet            Pulling image "redis"
  Normal  Pulled     15s   kubelet            Successfully pulled image "redis" in 2.511s (2.511s including waiting). Image size: 45907181 bytes.
  Normal  Created    15s   kubelet            Created container pvviewr
  Normal  Started    15s   kubelet            Started container pvviewr

controlplane ~ ➜  k describe pod pvviewr | gerp -i service
-bash: gerp: command not found

controlplane ~ ✖ k describe pod pvviewr | grep -i service
Service Account:  pvviewer
      /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-ljrqw (ro)