容器禁用服务帐户 [英] container disable service account

问题描述

我有一些容器，供用户在其中运行代码.为了加强安全性，我想阻止他们通过服务帐户机制访问kubernetes api，但不想在全球范围内将其关闭.该文档说您可以切换服务帐户名称，但只能切换为另一个有效名称.我错过了其他选择吗?您可以限制该帐户拥有0个权限吗?您是否可以将另一块的空间写满，从而使音量过大?还有其他想法吗?

I have some containers that will be runnin users code in them. In order to strengthen security, I want to prevent them from having access to kubernetes api via the service account mechanism, but don't want to turn it off globally. The documentation says you can switch the service account name but only to another valid name. Are there alternatives that I missed? Can you restrict the account to have 0 permissions? Can you overmount the volume with a different one thats empty? Any other ideas?

推荐答案

在Kubernetes 1.6+中，您可以禁用在Pod上安装服务帐户:

In Kubernetes 1.6+, you can disable service account mounting on a Pod:

apiVersion: v1
kind: Pod
metadata:
  name: my-pod
spec:
  automountServiceAccountToken: false
  ...

请参见 https://kubernetes.io/docs /tasks/configure-pod-container/configure-service-account/

这篇关于容器禁用服务帐户的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！