Red Hat Summit11.8. 관리형 서비스 계정(기술 프리뷰)
11.8.1. 개요
이 문서는 Kubernetes Operator용 다중 클러스터 엔진의 ManagedServiceAccount 리소스에 대한 것입니다. ManagedServiceAccount 리소스에는 생성, 쿼리, 삭제, 업데이트 등 네 가지 요청이 있습니다.
11.8.1.1. URI 스키마
BasePath : /kubernetes/apis
Schemes : HTTPS
11.8.1.2. 태그
-
Managed
serviceaccounts.multicluster.openshift.io':ManagedServiceAccounts생성 및 관리
11.8.2. 경로
11.8.2.1. Create a ManagedServiceAccount
POST /apis/multicluster.openshift.io/v1alpha1/ManagedServiceAccounts
11.8.2.1.1. 설명
ManagedServiceAccount 를 생성합니다.
11.8.2.1.2. 매개 변수
| 유형 | 이름 | 설명 | 스키마 |
|---|---|---|---|
| header |
COOKIE | 권한 부여: 베어러 {ACCESS_TOKEN} ; ACCESS_TOKEN은 사용자 액세스 토큰입니다. | string |
| body |
본문 | 생성할 ManagedServiceAccount를 설명하는 매개변수입니다. | ManagedServiceAccount |
11.8.2.1.3. 응답
| HTTP 코드 | 설명 | 스키마 |
|---|---|---|
| 200 | 성공 | 콘텐츠 없음 |
| 403 | 액세스 금지 | 콘텐츠 없음 |
| 404 | 리소스를 찾을 수 없음 | 콘텐츠 없음 |
| 500 | 내부 서비스 오류 | 콘텐츠 없음 |
| 503 | 서비스를 사용할 수 없음 | 콘텐츠 없음 |
11.8.2.1.4. Use
-
managedserviceaccount/yaml
11.8.2.1.5. 태그
- managedserviceaccount.multicluster.openshift.io
11.8.2.1.5.1. 요청 본문
{
"apiVersion": "apiextensions.k8s.io/v1",
"kind": "CustomResourceDefinition",
"metadata": {
"annotations": {
"controller-gen.kubebuilder.io/version": "v0.4.1"
},
"creationTimestamp": null,
"name": "managedserviceaccount.authentication.open-cluster-management.io"
},
"spec": {
"group": "authentication.open-cluster-management.io",
"names": {
"kind": "ManagedServiceAccount",
"listKind": "ManagedServiceAccountList",
"plural": "managedserviceaccounts",
"singular": "managedserviceaccount"
},
"scope": "Namespaced",
"versions": [
{
"name": "v1alpha1",
"schema": {
"openAPIV3Schema": {
"description": "ManagedServiceAccount is the Schema for the managedserviceaccounts\nAPI",
"properties": {
"apiVersion": {
"description": "APIVersion defines the versioned schema of this representation\nof an object. Servers should convert recognized schemas to the latest\ninternal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
"type": "string"
},
"kind": {
"description": "Kind is a string value representing the REST resource this\nobject represents. Servers may infer this from the endpoint the client\nsubmits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
"type": "string"
},
"metadata": {
"type": "object"
},
"spec": {
"description": "ManagedServiceAccountSpec defines the desired state of ManagedServiceAccount",
"properties": {
"rotation": {
"description": "Rotation is the policy for rotation the credentials.",
"properties": {
"enabled": {
"default": true,
"description": "Enabled prescribes whether the ServiceAccount token\nwill be rotated from the upstream",
"type": "boolean"
},
"validity": {
"default": "8640h0m0s",
"description": "Validity is the duration for which the signed ServiceAccount\ntoken is valid.",
"type": "string"
}
},
"type": "object"
},
"ttlSecondsAfterCreation": {
"description": "ttlSecondsAfterCreation limits the lifetime of a ManagedServiceAccount.\nIf the ttlSecondsAfterCreation field is set, the ManagedServiceAccount\nwill be automatically deleted regardless of the ManagedServiceAccount's\nstatus. When the ManagedServiceAccount is deleted, its lifecycle\nguarantees (e.g. finalizers) will be honored. If this field is unset,\nthe ManagedServiceAccount won't be automatically deleted. If this\nfield is set to zero, the ManagedServiceAccount becomes eligible\nfor deletion immediately after its creation. In order to use ttlSecondsAfterCreation,\nthe EphemeralIdentity feature gate must be enabled.",
"exclusiveMinimum": true,
"format": "int32",
"minimum": 0,
"type": "integer"
}
},
"required": [
"rotation"
],
"type": "object"
},
"status": {
"description": "ManagedServiceAccountStatus defines the observed state of\nManagedServiceAccount",
"properties": {
"conditions": {
"description": "Conditions is the condition list.",
"items": {
"description": "Condition contains details for one aspect of the current\nstate of this API Resource. --- This struct is intended for direct\nuse as an array at the field path .status.conditions. For example,\ntype FooStatus struct{ // Represents the observations of a\nfoo's current state. // Known .status.conditions.type are:\n\"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type\n // +patchStrategy=merge // +listType=map // +listMapKey=type\n Conditions []metav1.Condition `json:\"conditions,omitempty\"\npatchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n // other fields }",
"properties": {
"lastTransitionTime": {
"description": "lastTransitionTime is the last time the condition\ntransitioned from one status to another. This should be when\nthe underlying condition changed. If that is not known, then\nusing the time when the API field changed is acceptable.",
"format": "date-time",
"type": "string"
},
"message": {
"description": "message is a human readable message indicating\ndetails about the transition. This may be an empty string.",
"maxLength": 32768,
"type": "string"
},
"observedGeneration": {
"description": "observedGeneration represents the .metadata.generation\nthat the condition was set based upon. For instance, if .metadata.generation\nis currently 12, but the .status.conditions[x].observedGeneration\nis 9, the condition is out of date with respect to the current\nstate of the instance.",
"format": "int64",
"minimum": 0,
"type": "integer"
},
"reason": {
"description": "reason contains a programmatic identifier indicating\nthe reason for the condition's last transition. Producers\nof specific condition types may define expected values and\nmeanings for this field, and whether the values are considered\na guaranteed API. The value should be a CamelCase string.\nThis field may not be empty.",
"maxLength": 1024,
"minLength": 1,
"pattern": "^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$",
"type": "string"
},
"status": {
"description": "status of the condition, one of True, False, Unknown.",
"enum": [
"True",
"False",
"Unknown"
],
"type": "string"
},
"type": {
"description": "type of condition in CamelCase or in foo.example.com/CamelCase.\n--- Many .condition.type values are consistent across resources\nlike Available, but because arbitrary conditions can be useful\n(see .node.status.conditions), the ability to deconflict is\nimportant. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)",
"maxLength": 316,
"pattern": "^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$",
"type": "string"
}
},
"required": [
"lastTransitionTime",
"message",
"reason",
"status",
"type"
],
"type": "object"
},
"type": "array"
},
"expirationTimestamp": {
"description": "ExpirationTimestamp is the time when the token will expire.",
"format": "date-time",
"type": "string"
},
"tokenSecretRef": {
"description": "TokenSecretRef is a reference to the corresponding ServiceAccount's\nSecret, which stores the CA certficate and token from the managed\ncluster.",
"properties": {
"lastRefreshTimestamp": {
"description": "LastRefreshTimestamp is the timestamp indicating\nwhen the token in the Secret is refreshed.",
"format": "date-time",
"type": "string"
},
"name": {
"description": "Name is the name of the referenced secret.",
"type": "string"
}
},
"required": [
"lastRefreshTimestamp",
"name"
],
"type": "object"
}
},
"type": "object"
}
},
"type": "object"
}
},
"served": true,
"storage": true,
"subresources": {
"status": {}
}
}
]
},
"status": {
"acceptedNames": {
"kind": "",
"plural": ""
},
"conditions": [],
"storedVersions": []
}
}11.8.2.2. 하나의 ManagedServiceAccount 쿼리
GET /cluster.open-cluster-management.io/v1alpha1/namespaces/{namespace}/managedserviceaccounts/{managedserviceaccount_name}11.8.2.2.1. 설명
자세한 내용은 하나의 ManagedServiceAccount 를 쿼리합니다.
11.8.2.2.2. 매개 변수
| 유형 | 이름 | 설명 | 스키마 |
|---|---|---|---|
| header |
COOKIE | 권한 부여: 베어러 {ACCESS_TOKEN} ; ACCESS_TOKEN은 사용자 액세스 토큰입니다. | string |
| 경로 |
managedserviceaccount_name |
쿼리할 | string |
11.8.2.2.3. 응답
| HTTP 코드 | 설명 | 스키마 |
|---|---|---|
| 200 | 성공 | 콘텐츠 없음 |
| 403 | 액세스 금지 | 콘텐츠 없음 |
| 404 | 리소스를 찾을 수 없음 | 콘텐츠 없음 |
| 500 | 내부 서비스 오류 | 콘텐츠 없음 |
| 503 | 서비스를 사용할 수 없음 | 콘텐츠 없음 |
11.8.2.2.4. 태그
- cluster.open-cluster-management.io
11.8.2.3. ManagedServiceAccount삭제
DELETE /cluster.open-cluster-management.io/v1alpha1/namespaces/{namespace}/managedserviceaccounts/{managedserviceaccount_name}11.8.2.3.1. 설명
하나의 ManagedServiceAccount 를 삭제합니다.
11.8.2.3.2. 매개 변수
| 유형 | 이름 | 설명 | 스키마 |
|---|---|---|---|
| header |
COOKIE | 권한 부여: 베어러 {ACCESS_TOKEN} ; ACCESS_TOKEN은 사용자 액세스 토큰입니다. | string |
| 경로 |
managedserviceaccount_name |
삭제할 | string |
11.8.2.3.3. 응답
| HTTP 코드 | 설명 | 스키마 |
|---|---|---|
| 200 | 성공 | 콘텐츠 없음 |
| 403 | 액세스 금지 | 콘텐츠 없음 |
| 404 | 리소스를 찾을 수 없음 | 콘텐츠 없음 |
| 500 | 내부 서비스 오류 | 콘텐츠 없음 |
| 503 | 서비스를 사용할 수 없음 | 콘텐츠 없음 |
11.8.2.3.4. 태그
- cluster.open-cluster-management.io
11.8.3. 정의
11.8.3.1. ManagedServiceAccount
| 이름 | 설명 | 스키마 |
|---|---|---|
|
apiVersion |
| string |
|
kind | REST 리소스를 나타내는 문자열 값입니다. | string |
|
메타데이터 |
| object |
|
spec |
|
