Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
329 views
in Technique[技术] by (71.8m points)

k8s servcie account 安全性疑问

有个问题一直没想明白。
service account是用于pod组件想去调用api server而设计的对吧,通过在pod yaml的serviceAccountName填写一个定义好的service account资源名称指定,那么pod就具有此sa对应权限了。

那问题是我知道service account名称就可以让我定义的pod有对应权限了,比如我指定高权限的service account,pod就可以干删除等“坏事”?感觉怪怪的,就类似service account名称变成了保证安全性的东西了,泄漏service account名称就等于账号泄漏了?


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

没明白你的意思,Service Account 不还得有配套的 AccountTokenSecret 才行?你是说俩都泄露了?这就相当于用户名和密码都泄露了啊,当然不就不安全了?


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...