Azure AKS: how to avoid resource creation in "default" namespace during cluster creation
I am trying to create a K8s cluster in Azure AKS, and once the cluster is ready I can see that several resources have been created in the default namespace, for example a Secret and a ConfigMap:
As a security recommendation, k8s resources should not be created under the default namespace, so how can this be avoided? They are created by default when the cluster is created.
I found the same question here:
User srbose-msft (a Microsoft employee) explains very well how this works:
In Kubernetes, a ServiceAccount controller manages the ServiceAccounts inside namespaces, and ensures a ServiceAccount named "default" exists in every active namespace. [Reference]
TokenController runs as part of kube-controller-manager. It acts asynchronously. It watches ServiceAccount creation and creates a corresponding ServiceAccount token Secret to allow API access. [Reference] Thus, the secret for the default ServiceAccount token is also created.
Trusting the custom CA from an application running as a pod usually requires some extra application configuration. You will need to add the CA certificate bundle to the list of CA certificates that the TLS client or server trusts. For example, you would do this with a golang TLS config by parsing the certificate chain and adding the parsed certificates to the RootCAs field in the tls.Config struct.
You can distribute the CA certificate as a ConfigMap that your pods have access to use. [Reference] AKS implements this in all active namespaces through ConfigMaps named kube-root-ca.crt in these namespaces.
You shall also find a Service named kubernetes in the default namespace. It has a ServiceType of ClusterIP and exposes the API Server Endpoint also named kubernetes internally to the cluster in the default namespace.
All the resources mentioned above will be created by design at the time of cluster creation and their creation cannot be prevented. If you try to remove these resources manually, they will be recreated to ensure desired goal state by the kube-controller-manager.
Furthermore:
The Kubernetes clusters should not use the default namespace Policy is still in Preview. Currently the schema does not explicitly allow for Kubernetes resources in the default namespace to be excluded during policy evaluation. However, at the time of writing, the schema allows for labelSelector.matchExpressions[].operator which can be set to NotIn with appropriate labelSelector.matchExpressions[].values for the Service default/kubernetes with label: component=apiserver
The default ServiceAccount, the default ServiceAccount token Secret and the RootCA ConfigMap themselves are not created with any labels and hence cannot be added to this list. If this is impeding your use-case I would urge you to share your feedback at https://techcommunity.microsoft.com/t5/azure/ct-p/Azure
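The following is an added example, not part of the question or of the quoted answer, showing how a cluster operator can verify the by-design resources (and their labels) in the default namespace and then build the labelSelector exclusion the answer describes for the "Kubernetes clusters should not use the default namespace" policy. It assumes kubectl is pointed at the AKS cluster, az is logged in, that the assignment parameters are named namespaces and labelSelector as in the AKS built-in policy definitions, and that the assignment scope passed to assign_policy is a placeholder resource ID supplied by you.

```shell
#!/bin/sh
# Added example (not from the original question or answer). Assumptions:
# kubectl targets the AKS cluster, az is authenticated, and the built-in
# policy accepts the "namespaces" and "labelSelector" parameters.

# 1. List the by-design resources in "default" with their labels.
#    Only the kubernetes Service carries component=apiserver; the default
#    ServiceAccount, its token Secret and kube-root-ca.crt have no labels.
audit_default_namespace() {
    kubectl get serviceaccount,secret,configmap,service -n default --show-labels
}

# 2. Assignment parameters: evaluate only the "default" namespace and skip
#    objects labelled component=apiserver (the kubernetes Service), which is
#    exactly the NotIn matchExpression described in the quoted answer.
policy_params_json() {
    cat <<'EOF'
{
  "namespaces": { "value": ["default"] },
  "labelSelector": {
    "value": {
      "matchLabels": {},
      "matchExpressions": [
        { "key": "component", "operator": "NotIn", "values": ["apiserver"] }
      ]
    }
  }
}
EOF
}

# 3. Resolve the built-in definition by display name (avoids hard-coding its
#    GUID) and assign it at the given scope with the parameters above.
assign_policy() {
    scope="${1:?usage: assign_policy <scope-resource-id>}"
    def_name=$(az policy definition list \
        --query "[?displayName=='Kubernetes clusters should not use the default namespace'].name" \
        -o tsv)
    [ -n "$def_name" ] || { echo "built-in definition not found" >&2; return 1; }
    policy_params_json > /tmp/default-ns-params.json
    az policy assignment create --name no-default-namespace \
        --scope "$scope" --policy "$def_name" --params /tmp/default-ns-params.json
}

# Entry point: "audit" inspects the cluster, "assign <scope>" creates the
# assignment; with no argument it only prints the parameter document (offline).
case "${1:-}" in
    audit)  audit_default_namespace ;;
    assign) assign_policy "$2" ;;
    *)      policy_params_json ;;
esac
```

Run `sh script.sh audit` first to confirm which objects are labelled, then `sh script.sh assign <scope>` to create the assignment. As the answer states, the unlabelled default ServiceAccount, its token Secret and the kube-root-ca.crt ConfigMap cannot be excluded this way and will still be reported by the policy; the selector only removes the kubernetes Service from evaluation.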