一、ServiceAccount增删改查
1.1 增
方式一:通过 kubectl 命令直接创建
# 创建名为 zq 的 ServiceAccount(k 是 kubectl 的 shell 别名;后文的 kg、kaf 应分别为 kubectl get、kubectl apply -f 的别名)
[root@k8s-master01 ~]# k create sa zq
方式二:通过 YAML 文件创建
# 编写yaml文件
vim serviceaccount.yaml
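# ServiceAccount manifest (serviceaccount.yaml).
# The nesting under `metadata:` is significant: `name` and `namespace`
# must be indented, otherwise the API server rejects the object.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: my-sa
  namespace: default  # optional; defaults to "default"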
# 应用
kubectl apply -f serviceaccount.yaml
1.2 删
1、删除 SA(关联的 service-account-token 类型 Secret 会被一并删除,已签发的 Token 随之失效)
[root@k8s-master01 ~]# k delete sa zq
2、以前台级联方式删除 SA 及其依赖资源(--cascade=foreground 会先删除依赖对象、再删除 SA 本身,并不是跳过检查的“强制”删除;谨慎使用)
[root@k8s-master01 ~]# k delete sa zq --cascade=foreground
1.3 改
1、添加标签
[root@k8s-master01 ~]# kubectl label sa zq env=prod
2、添加注解(Annotation)
[root@k8s-master01 ~]# kubectl annotate serviceaccount zq description="用于生产环境的SA"
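拓展-手动关联 Secret(1.24+ 版本)
如果需要为 SA 绑定长期有效的 Token,需手动创建 Secret 并关联。注意:这种 Token 不会自动过期,一旦泄露,在删除该 Secret 或 SA 之前一直可用;如非必须,优先使用 kubectl create token zq 签发带有效期的短期 Token,并且只为该 SA 绑定最小必要的 RBAC 权限: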
# 定义manual-secret.yaml
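# Long-lived token Secret for the ServiceAccount "zq" (manual-secret.yaml).
# The annotation names the ServiceAccount the token is issued for; the
# Secret has to be created in the same namespace as that ServiceAccount.
# A token stored this way does not expire on its own: it stays valid until
# this Secret or the ServiceAccount is deleted, so restrict who can read
# Secrets in the namespace.
apiVersion: v1
kind: Secret
metadata:
  name: my-sa-secret
  annotations:
    kubernetes.io/service-account.name: zq  # target ServiceAccount
type: kubernetes.io/service-account-token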
# 应用
kubectl apply -f manual-secret.yaml
1.4 查
1、查看所有 SA
[root@k8s-master01 ~]# kg sa -A
2、查看指定SA的详细信息
[root@k8s-master01 ~]# k describe sa zq
Name: zq
Namespace: default
Labels: <none>
Annotations: <none>
Image pull secrets: <none>
Mountable secrets: <none>
Tokens: <none>
Events: <none>
3、查看SA关联的Secret(仅 1.24 之前版本自动生成)
[root@k8s-master01 ~]# kg secrets | grep zq
二、使用Secret存储ServiceAccount Token
1、定义zq-token-secret.yaml
[root@k8s-master01 ~]# vim zq-token-secret.yaml
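# Token Secret for the ServiceAccount "zq" (zq-token-secret.yaml).
# No namespace is set, so the Secret is created in the current namespace;
# it must be the namespace that holds the ServiceAccount named below.
# Once applied, the control plane fills in the data keys `ca.crt`,
# `namespace` and `token`. The token is a non-expiring bearer credential:
# treat this Secret as sensitive and delete it when it is no longer needed.
apiVersion: v1
kind: Secret
metadata:
  name: zq-token-secret
  annotations:
    kubernetes.io/service-account.name: zq  # target ServiceAccount
type: kubernetes.io/service-account-token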
2、创建secret
[root@k8s-master01 ~]# kaf zq-token-secret.yaml
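3、查看生成的Token(describe 会以明文输出 token 字段,它是可直接用于 API 认证的 Bearer 凭据;真实环境中不要把这段输出贴进文档、工单或日志,一旦外泄应删除该 Secret 使 Token 失效)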
[root@k8s-master01 ~]# kg secret zq-token-secret
NAME TYPE DATA AGE
zq-token-secret kubernetes.io/service-account-token 3 98s
[root@k8s-master01 ~]# k describe secret zq-token-secret
Name: zq-token-secret
Namespace: default
Labels: <none>
Annotations: kubernetes.io/service-account.name: zq
kubernetes.io/service-account.uid: 0024e7bb-fe29-4d95-a5c4-72300f271481
Type: kubernetes.io/service-account-token
Data
====
ca.crt: 1107 bytes
namespace: 7 bytes
token: eyJhbGciOiJSUzI1NiIsImtpZCI6IjdxMWhLWkVpd0t3ZVpNNmdNNmhJdkdOaldfVzA0MTJySm84ZkpMbFhvLVkifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6InpxLXRva2VuLXNlY3JldCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJ6cSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjAwMjRlN2JiLWZlMjktNGQ5NS1hNWM0LTcyMzAwZjI3MTQ4MSIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpkZWZhdWx0OnpxIn0.PxiDjkNTRticLwqsMwFtLFT2lSmGzgzAe2MWpq_HGEnN3kCKMjIzvFQnGvoXcMEOQiDOtJz5zsAgjOUWZ_vTAWTYv5cbPzWvz1-bMhECXEmmGX0LpGqRGefGuYPhYzDViyEQvm4XIQayTXkQ6H7uuyLzIXsNDxT2CjLokATExerrLRDVfF_vEEIlHw-QgYXg91nim11VmJnMf_oczIgt9aJEHQvp4kNLUO3X35520aEF5OY-jmMNowfzSSdeb2vpu9uJKPvSMeFeshoI_5_1XsAGUtuAa05E7QS47grr4SglX0UXJ5RyBV79IPbFUAKOT9ocfi87XlPiuviCsgsMjg