Authentication: service account token management in Kubernetes


Referring to the Kubernetes documentation, under "Using the API -> Accessing the API -> Authentication -> Authentication strategies -> Service Account Tokens", it says:

 --service-account-key-file A file containing a PEM encoded key for signing bearer tokens. If unspecified, the API server's TLS private key will be used.

Under "Using the API -> Accessing the API -> Managing Service Accounts -> Service account automation -> Token Controller", it says:

 You must pass a service account private key file to the token controller in the controller-manager by using the --service-account-private-key-file option. The private key will be used to sign generated service account tokens. Similarly, you must pass the corresponding public key to the kube-apiserver using the --service-account-key-file option. The public key will be used to verify the tokens during authentication.

I'm a bit confused: the former says the flag (for the admission controller, which runs as part of the apiserver, right?) will be used to sign tokens, but the latter says it will be used to verify tokens, and that tokens will be signed by the controller manager.

Please help.

The controller manager creates the token, signs it with the private key, and stores it in a Secret API object.

When the token is presented to the API server, the API server verifies the signature using the public key set via the flag.

Admission has nothing to do with signing or verifying tokens. It is used to add a secret volume mount to the pod spec when the pod is created, so that the service account token is mounted into the pod for the application to use when talking to the Kubernetes API.

Thanks. Does that mean the two keys (one used by the controller manager, the other by the API server) must come from the same key pair?

Exactly: "the corresponding public key".