Many articles talked about using service account and how service account secrets get mounted onto a pod (every pod will have a service account secret mounted to it even if you never reference one), but not many really talked about how these mounted tokens or secrets get used.
Here I will talk about this little missed step.
When a pod gets created, k8s will always mount a service account (default service account if not one specified), which will mount the service account secret onto a path like this by default:
rootCAFile = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
| tokenFile = "/var/run/secrets/kubernetes.io/serviceaccount/token" | ||||||||||||||
The magic for applications like K8S operators simply uses client class to do all sort of operations against k8s is because the client class actually uses this method InClusterConfig defined in client-go/rest/config.go file which will read secrets and tokens to return the in cluster configuration, then go on to authenticate with K8S API server for operations such as get, create, list K8S resources. Here is link to the method https://github.com/kubernetes/client-go/blob/v0.21.2/rest/config.go#L483 In this method, it will read the environment variables such as KUBERNETES_SERVICE_HOST, KUBERNETES_SERVICE_PORT to get K8S API server, read the token file, create tls configuration, then return this kube configuration file.
kubernetes python client package does the same thing, in this file
https://github.com/kubernetes-client/python-base/blob/master/config/incluster_config.py
Exactly same logic gets used to deal with service account secret and token.
|
|||
NJ Casinos - Dr.MCD
ReplyDeleteThe most popular gambling software — 의왕 출장안마 the online slot machine. 하남 출장마사지 Most of the time, 순천 출장샵 it's a blackjack machine 의정부 출장샵 that you can 군포 출장안마 play at the casino. But when you're in need of