Environment
- kubernetes 1.20.6
- Spring Boot 2.5.0-RC1
Goal
automountServiceAccountToken controls whether the service account token is mounted into the Pod by default. The default is true.
pod.yaml
apiVersion: v1
kind: Pod
metadata:
  name: spring-k8s
spec:
  containers:
    - name: spring-k8s
      image: jiangbo920827/spring-k8s:liveness
      ports:
        - containerPort: 8080
Inspect
[root@master ~]# kubectl describe pod spring-k8s
Name: spring-k8s
Namespace: default
Priority: 0
...
Volumes:
default-token-slbq5:
Type: Secret (a volume populated by a Secret)
SecretName: default-token-slbq5
Optional: false
QoS Class: BestEffort
...
[root@master ~]# kubectl exec spring-k8s -- ls -l /var/run/secrets/kubernetes.io/serviceaccount
total 0
lrwxrwxrwx 1 root root 13 May 30 15:24 ca.crt -> ..data/ca.crt
lrwxrwxrwx 1 root root 16 May 30 15:24 namespace -> ..data/namespace
lrwxrwxrwx 1 root root 12 May 30 15:24 token -> ..data/token
automountServiceAccountToken
apiVersion: v1
kind: Pod
metadata:
  name: spring-k8s
spec:
  automountServiceAccountToken: false
  containers:
    - name: spring-k8s
      image: jiangbo920827/spring-k8s:liveness
      ports:
        - containerPort: 8080
With this setting, the service account token is no longer automatically mounted into the Pod.
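Added example (not from the original post): the same field can also be set on a ServiceAccount, and the Pod spec takes precedence when both are set. This Python script audits the output of `kubectl get pods,serviceaccounts -A -o json` for pods that still receive the token; the sample objects are constructed, and every name other than spring-k8s and default-token-slbq5 is hypothetical.

```python
import json
import sys

TOKEN_DIR = "/var/run/secrets/kubernetes.io/serviceaccount"

def effective_automount(pod, sa_index):
    """Pod spec wins over the ServiceAccount; unset on both means true."""
    spec = pod["spec"]
    if "automountServiceAccountToken" in spec:
        return spec["automountServiceAccountToken"]
    key = (pod["metadata"].get("namespace", "default"),
           spec.get("serviceAccountName", "default"))
    return sa_index.get(key, {}).get("automountServiceAccountToken", True)

def has_token_mount(pod):
    """True if any container mounts the token directory (seen on live objects)."""
    return any(m.get("mountPath") == TOKEN_DIR
               for c in pod["spec"].get("containers", [])
               for m in c.get("volumeMounts", []))

def audit(doc):
    """Map pod name -> (effective automount setting, token mount present)."""
    sa_index = {(i["metadata"].get("namespace", "default"), i["metadata"]["name"]): i
                for i in doc["items"] if i["kind"] == "ServiceAccount"}
    return {p["metadata"]["name"]: (effective_automount(p, sa_index), has_token_mount(p))
            for p in doc["items"] if p["kind"] == "Pod"}

def _pod(name, spec_extra=None, mounted=False):
    # Builds one constructed Pod object for the sample below.
    mounts = [{"name": "default-token-slbq5", "mountPath": TOKEN_DIR}] if mounted else []
    spec = {"containers": [{"name": name, "volumeMounts": mounts}]}
    spec.update(spec_extra or {})
    return {"kind": "Pod", "metadata": {"name": name, "namespace": "default"}, "spec": spec}

# Constructed sample; "batch" and the suffixed pod names are hypothetical.
SAMPLE = {"items": [
    _pod("spring-k8s", mounted=True),
    _pod("spring-k8s-optout", {"automountServiceAccountToken": False}),
    _pod("spring-k8s-batch", {"serviceAccountName": "batch"}),
    _pod("spring-k8s-override", {"serviceAccountName": "batch",
                                 "automountServiceAccountToken": True}, mounted=True),
    {"kind": "ServiceAccount", "metadata": {"name": "batch", "namespace": "default"},
     "automountServiceAccountToken": False},
]}

if __name__ == "__main__":
    # Pass a file holding the kubectl JSON output, or run with no argument for the sample.
    doc = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for name, (auto, mounted) in audit(doc).items():
        print(f"{name}: automount={auto} token_mounted={mounted}")
```

A pod reported with automount=True and no explicit need to call the API server is a candidate for the opt-out shown above.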
Summary
Removed the service account token that is mounted into the Pod by default.
