{"id":1476,"date":"2024-12-07T07:55:34","date_gmt":"2024-12-07T07:55:34","guid":{"rendered":"https:\/\/kb.lagonet.vn\/?p=1476"},"modified":"2024-12-07T07:55:34","modified_gmt":"2024-12-07T07:55:34","slug":"k8s-service-account","status":"publish","type":"post","link":"https:\/\/kb.lagonet.vn\/?p=1476","title":{"rendered":"K8s service account"},"content":{"rendered":"\n<p>You have provided a Kubernetes (K8s) lab. I will walk through it step by step.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Step 1: <strong>ServiceAccount<\/strong><\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>Check the ServiceAccounts (SA):<\/strong>\n<ul class=\"wp-block-list\">\n<li>List the SAs in the <code>default<\/code> namespace: <code>kubectl get sa<\/code><\/li>\n\n\n\n<li>List the SAs in another namespace (e.g. <code>pyapp-ns-pnh<\/code>): <code>kubectl get sa -n pyapp-ns-pnh<\/code><\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Inspect the files mounted in the Pod:<\/strong>\n<ul class=\"wp-block-list\">\n<li>Open a shell in the Pod: <code>kubectl exec -it pyapp-deployment-7c86b4cfff-b9n8g -n pyapp-ns-pnh -- \/bin\/sh<\/code><\/li>\n\n\n\n<li>List the files and inspect their contents: <code>ls \/var\/run\/secrets\/kubernetes.io\/serviceaccount<\/code>, <code>cat \/var\/run\/secrets\/kubernetes.io\/serviceaccount\/token<\/code>, <code>cat \/var\/run\/secrets\/kubernetes.io\/serviceaccount\/ca.crt<\/code><\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Check which ServiceAccount the Pod is using:<\/strong> <code>kubectl get pod -n pyapp-ns-pnh -o yaml pyapp-deployment-7c86b4cfff-b9n8g | grep serviceAccount<\/code><\/li>\n<\/ol>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 2: <strong>Update ImagePullSecrets<\/strong><\/h3>\n\n\n\n<ol 
class=\"wp-block-list\">\n<li><strong>Add <code>imagePullSecrets<\/code> to the <code>default<\/code> ServiceAccount in the namespace:<\/strong> <code>kubectl patch serviceaccount default -p '{\"imagePullSecrets\": [{\"name\": \"registry-pnh-secret\"}]}' -n pyapp-ns-pnh<\/code><\/li>\n\n\n\n<li><strong>Verify the configuration:<\/strong> <code>kubectl get sa default -o yaml -n pyapp-ns-pnh<\/code><\/li>\n<\/ol>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 3: <strong>Delete and update the Deployment<\/strong><\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>Delete the current Deployment:<\/strong> <code>kubectl delete -f deploypython.yaml<\/code><\/li>\n\n\n\n<li><strong>Edit the <code>deploypython.yaml<\/code> file:<\/strong>\n<ul class=\"wp-block-list\">\n<li>Add the <code>imagePullSecrets<\/code> entry: <pre class=\"wp-block-code\"><code>imagePullSecrets:\n  - name: registry-pnh-secret<\/code><\/pre><\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Redeploy the Deployment:<\/strong> <code>kubectl apply -f deploypython.yaml<\/code><\/li>\n<\/ol>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 4: <strong>Default ServiceAccount<\/strong><\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>Check that the Pod is running successfully:<\/strong> <code>kubectl get pod -n pyapp-ns-pnh<\/code><\/li>\n\n\n\n<li><strong>Theory:<\/strong>\n<ul class=\"wp-block-list\">\n<li>The default ServiceAccount has no permission to access the API Server unless RBAC is configured for it.<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 5: <strong>RBAC (Role-Based Access Control)<\/strong><\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>Create 
Role and ClusterRoleBinding:<\/strong>\n<ul class=\"wp-block-list\">\n<li>List the available resources: <code>kubectl api-resources -o wide<\/code><\/li>\n\n\n\n<li>Create the Role for namespace <code>test-ns<\/code>: <code>kubectl create ns test-ns<\/code>, then <code>kubectl run svcurl --image=luksa\/kubectl-proxy:curl -i --tty -n test-ns<\/code><\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 6: <strong>Create the Role<\/strong><\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>File <code>role1.yaml<\/code>:<\/strong> <pre class=\"wp-block-code\"><code>apiVersion: rbac.authorization.k8s.io\/v1\nkind: Role\nmetadata:\n  namespace: pyapp-ns-pnh\n  name: pod-reader\nrules:\n  - apiGroups: [\"\"]\n    verbs: [\"get\", \"list\"]\n    resources: [\"pods\"]<\/code><\/pre><\/li>\n\n\n\n<li><strong>Apply the Role:<\/strong> <code>kubectl apply -f role1.yaml<\/code><\/li>\n<\/ol>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 7: <strong>Create the RoleBinding<\/strong><\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>File <code>rolebind.yaml<\/code>:<\/strong> <pre class=\"wp-block-code\"><code>apiVersion: rbac.authorization.k8s.io\/v1\nkind: RoleBinding\nmetadata:\n  name: test-role\n  namespace: pyapp-ns-pnh\nroleRef:\n  apiGroup: rbac.authorization.k8s.io\n  kind: Role\n  name: pod-reader\nsubjects:\n  - kind: ServiceAccount\n    name: default\n    namespace: test-ns<\/code><\/pre><\/li>\n\n\n\n<li><strong>Apply the RoleBinding:<\/strong> <code>kubectl apply -f rolebind.yaml<\/code><\/li>\n<\/ol>\n\n\n\n<p>If you need further explanation or get stuck at any step, just ask!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>You have provided a Kubernetes (K8s) lab. I will walk through it step by step. 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[141,143],"tags":[],"class_list":["post-1476","post","type-post","status-publish","format-standard","hentry","category-devops","category-k8s"],"_links":{"self":[{"href":"https:\/\/kb.lagonet.vn\/index.php?rest_route=\/wp\/v2\/posts\/1476","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/kb.lagonet.vn\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kb.lagonet.vn\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kb.lagonet.vn\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kb.lagonet.vn\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1476"}],"version-history":[{"count":1,"href":"https:\/\/kb.lagonet.vn\/index.php?rest_route=\/wp\/v2\/posts\/1476\/revisions"}],"predecessor-version":[{"id":1477,"href":"https:\/\/kb.lagonet.vn\/index.php?rest_route=\/wp\/v2\/posts\/1476\/revisions\/1477"}],"wp:attachment":[{"href":"https:\/\/kb.lagonet.vn\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1476"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kb.lagonet.vn\/index.php
?rest_route=%2Fwp%2Fv2%2Fcategories&post=1476"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kb.lagonet.vn\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1476"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}