로켓🐾

When I first came across User Accounts and Service Accounts while studying Kubernetes, I assumed they were simply resources for presenting credentials to the Kubernetes API server and moved on. I didn't really understand them, so I just skipped past them..

 

So I went around thinking that a User Account and a Service Account were similar!! The same thing!! But the two are clearly different.

Kubernetes has two account types for accessing the resources that exist inside the cluster.

  • User Account
  • Service Account

The official Kubernetes documentation puts it like this:

User accounts are for humans. Service accounts are for processes, which run in pods.

That is 100% accurate, but it is hard to grasp when you first encounter it. I was the same 🤔

 

Let's take AWS as an example!

The user asking AWS to authenticate them

When we go to the AWS site, the first thing we have to do is log in.

By logging in, we prove to AWS who we are.

 

After logging in we use EC2, a service that rents out virtual machines, and connect to the EC2 instance over ssh.

From EC2 we want to use test.img, which is stored in S3.

 

EC2 being refused by S3

But EC2 cannot access S3. Why? Because EC2 has no permission to access S3.

EC2 has to prove, through AWS IAM, that it is allowed to access S3.

 

The entity that proves to AWS who we are by logging in is the User Account,

and the entity that EC2 uses to prove it may access S3 is the Service Account.

 

Mapping this onto Kubernetes.. 🙃

A user who has been granted access to Kubernetes is a User Account,

and the entity a Pod uses to prove itself when it accesses other Kubernetes resources (Pods, Services ..) is the Service Account.

 

Still not quite clicking? 😅

Then let's actually try it out!

 

apiVersion: v1
kind: ServiceAccount
metadata:
  name: service-account-example-sa
  namespace: sample

First, create the Service Account.

When a Service Account is created, a Token is automatically generated as a Secret, and that Token can be used to present credentials to Kubernetes.

✅ From Kubernetes v1.24 onward, this Secret is no longer created automatically

 

apiVersion: apps/v1
kind: Deployment
metadata:
  name: service-account-example
  namespace: sample
  labels:
    app: service-account-example
spec:
  replicas: 1
  selector:
    matchLabels:
      app: service-account-example
  template:
    metadata:
      labels:
        app: service-account-example
    spec:
      serviceAccountName: service-account-example-sa # specify the Service Account here
      containers:
        - name: nginx
          image: nginx:latest
          ports:
            - containerPort: 80

Create the Deployment as well 🤜

There is something worth paying attention to here: the Service Account is mounted into the deployed Pod ⚡⚡

Containers:
  nginx:
    Container ID:   docker://67919bf2e0cbcb079bf7a696fef23fd25d3e48691cb2329ac0dd761a251fd8a1
    Image:          nginx:latest
    Image ID:       docker-pullable://nginx@sha256:e209ac2f37c70c1e0e9873a5f7231e91dcd83fdf1178d8ed36c2ec09974210ba
    Port:           80/TCP
    Host Port:      0/TCP
    State:          Running
      Started:      Sun, 20 Nov 2022 14:47:02 +0900
    Ready:          True
    Restart Count:  0
    Environment:    <none>
    Mounts:
      /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-pclnt (ro)

So we should go and check right away what is sitting at that path, right? 😁

 

root@service-account-example-558865ff7d-vx5gl:/var/run/secrets/kubernetes.io/serviceaccount# ls -l
total 0
lrwxrwxrwx 1 root root 13 Nov 20 05:46 ca.crt -> ..data/ca.crt
lrwxrwxrwx 1 root root 16 Nov 20 05:46 namespace -> ..data/namespace
lrwxrwxrwx 1 root root 12 Nov 20 05:46 token -> ..data/token

Aha 💡 Right there is the Token we can use to talk to the Kubernetes API server.

So, shall we check whether it really works?

 

$ TOKEN=$(cat token)
$ curl -X GET https://$KUBERNETES_SERVICE_HOST/api/v1/namespaces/default/pods --header "Authorization: Bearer $TOKEN" --insecure
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {},
  "status": "Failure",
  "message": "pods is forbidden: User \"system:serviceaccount:sample:service-account-example-sa\" cannot list resource \"pods\" in API group \"\" in the namespace \"default\": RBAC: clusterrole.rbac.authorization.k8s.io \"service-account-example-role\" not found",
  "reason": "Forbidden",
  "details": {
    "kind": "pods"
  },
  "code": 403
}

We got a 403 (Forbidden) rather than a 401 (Unauthorized), so authentication evidently succeeded 🔥

That's a little unsatisfying as it stands, so let's fetch the list of the Pods we deployed above!

The Service Account we created above can only authenticate; right now it holds no permissions at all (Pods list, create, update .. and so on).

 

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: service-account-example-role
  namespace: sample
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: service-account-example-role-binding
  namespace: sample
subjects:
  - kind: ServiceAccount
    name: service-account-example-sa
    namespace: sample
roleRef:
  kind: Role
  name: service-account-example-role
  apiGroup: rbac.authorization.k8s.io

Create a Role and bind it to the Service Account with a RoleBinding.

✅ The Role currently allows ["get", "watch", "list"] on pods

 

$ curl -X GET https://$KUBERNETES_SERVICE_HOST/api/v1/namespaces/default/pods --header "Authorization: Bearer $TOKEN" --insecure

It is still Forbidden, and that is down to how a Role works: unlike a ClusterRole, a Role only grants permissions within a specific Namespace. So let's send the request to the sample Namespace instead of default!

 

$ curl -X GET https://$KUBERNETES_SERVICE_HOST/api/v1/namespaces/sample/pods --header "Authorization: Bearer $TOKEN" --insecure
{
  "kind": "PodList",
  "apiVersion": "v1",
  "metadata": {
    "resourceVersion": "6608823"
  },
  "items": [
    {
      "metadata": {
        "name": "service-account-example-558865ff7d-vx5gl",
        "generateName": "service-account-example-558865ff7d-",
        "namespace": "sample",
        "uid": "c85ffc48-affb-4977-8686-657644717c0e",
        "resourceVersion": "6604097",
        "creationTimestamp": "2022-11-20T05:46:59Z",
        
        ....

The request came back with a 200 💵

Let's recap the steps of the exercise 🙆‍♂️

  1. Created a Service Account and the Pods
  2. The Service Account was automatically mounted into the Pods, and that is where the Token lives
  3. Ran a curl command from inside the Pod, but the Service Account was only authenticated and had no permissions
  4. Created a Role and a RoleBinding to grant permissions to the Service Account
  5. Ran the curl command from inside the Pod again and got a 200 response
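As an added example (my own script, not code from the original post), here is a small POSIX shell script that repeats the pods-list request from inside the Pod using the mounted token, namespace and ca.crt: it verifies the API server certificate with the mounted CA instead of passing --insecure, targets the namespace the token belongs to (the Role above is namespace-scoped, which is why the request to default failed), and maps the status code to the authentication/authorization outcome walked through above. The helper names are mine; KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT are the environment variables Kubernetes injects into every Pod.

```shell
#!/bin/sh
# Added example, not code from the original post. Runs inside a Pod and uses the
# files Kubernetes mounts at the service-account path shown above.
SA_DIR="${SA_DIR:-/var/run/secrets/kubernetes.io/serviceaccount}"

# Build the pods-list URL. The Role above is namespaced, so the request has to
# target the namespace the token belongs to, which is exactly what the mounted
# 'namespace' file contains (sample here, not default).
pods_url() {
  printf 'https://%s:%s/api/v1/namespaces/%s/pods' "$1" "$2" "$3"
}

# Map the HTTP status to the authn/authz outcome the post walks through:
# 401 means the token itself was rejected, 403 means the token was accepted
# but no Role/RoleBinding allows the verb in that namespace.
interpret_status() {
  case "$1" in
    200) echo "authenticated and authorized" ;;
    401) echo "not authenticated: token rejected" ;;
    403) echo "authenticated but not authorized: no Role/RoleBinding grants this verb in this namespace" ;;
    *)   echo "unexpected status $1" ;;
  esac
}

# Same request as the post's curl, but verifying the API server certificate
# with the mounted ca.crt instead of passing --insecure.
list_pods() {
  token=$(cat "$SA_DIR/token")
  namespace=$(cat "$SA_DIR/namespace")
  url=$(pods_url "$KUBERNETES_SERVICE_HOST" "${KUBERNETES_SERVICE_PORT:-443}" "$namespace")
  status=$(curl -sS -o /tmp/pods.json -w '%{http_code}' \
    --cacert "$SA_DIR/ca.crt" \
    -H "Authorization: Bearer $token" "$url")
  echo "$status: $(interpret_status "$status")"
}

# Only perform the live request when the Kubernetes-injected environment and
# the mounted token are present; the functions above work on their own.
if [ -n "${KUBERNETES_SERVICE_HOST:-}" ] && [ -r "$SA_DIR/token" ]; then
  list_pods
fi
```

From an admin workstation, `kubectl auth can-i list pods -n sample --as system:serviceaccount:sample:service-account-example-sa` gives the same before/after answer without exec'ing into the Pod.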

 

I hope the difference between a User Account and a Service Account is now clear 😉