content/zh/docs/tasks/configure-pod-container/configure-service-account.md
81 additions & 44 deletions
@@ -66,15 +66,14 @@ you can see the `spec.serviceAccountName` field has been
66
66
67
67
<!--
68
68
You can access the API from inside a pod using automatically mounted service account credentials,
69
-
as described in [Accessing the Cluster](/docs/user-guide/accessing-the-cluster/#accessing-the-api-from-a-pod).
69
+
as described in [Accessing the Cluster](/docs/tasks/accessing-application-cluster/access-cluster/).
70
70
The API permissions of the service account depend on the [authorization plugin and policy](/docs/reference/access-authn-authz/authorization/#authorization-modules) in use.
71
71
72
72
In version 1.6+, you can opt out of automounting API credentials for a service account by setting
73
73
`automountServiceAccountToken: false` on the service account:
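Review bot: the replacement link on the `+` line drops the `#accessing-the-api-from-a-pod` fragment that the old URL carried, so a reader following "as described in" now lands at the top of the access-cluster page instead of the section about calling the API from a pod; if the new target has an equivalent anchor, append it. Also, only the English `<!-- ... -->` source block is updated in this hunk; make sure the Chinese paragraph that mirrors it (not shown here) points at the same `/docs/tasks/accessing-application-cluster/access-cluster/` URL so the two halves of the file do not diverge.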
Path to the file that contains the current private key of the service account token issuer. The
455
+
issuer signs issued ID tokens with this private key.
456
+
-->
434
457
* `--service-account-signing-key-file`
435
-
* `--api-audiences`(可以省略)
436
458
437
-
{{< /note >}}
459
+
指向包含当前服务账户令牌发放者的私钥的文件路径。
460
+
此发放者使用此私钥来签署所发放的 ID 令牌。
461
+
462
+
<!--
463
+
* `--api-audiences` (can be omitted)
464
+
The service account token authenticator validates that tokens used against the API are bound to
465
+
at least one of these audiences. If `api-audiences` is specified multiple times, tokens for any of
466
+
the specified audiences are considered valid by the Kubernetes API server. If the
467
+
`--service-account-issuer` flag is configured and this flag is not, this field defaults to a
468
+
single element list containing the issuer URL.
469
+
-->
470
+
* `--api-audiences` (can be omitted)
471
+
472
+
服务账号令牌身份检查组件会检查针对 API 访问所使用的令牌,
473
+
确认令牌至少是被绑定到这里所给的受众(audiences)之一。
474
+
如果此参数被多次指定,则针对所给的多个受众中任何目标的令牌都会被
475
+
Kubernetes API 服务器当做合法的令牌。如果 `--service-account-issuer`
476
+
参数被设置,而这个参数未指定,则这个参数的默认值为一个只有一个元素的列表,
477
+
且该元素为令牌发放者的 URL。
438
478
439
479
<!--
440
480
The kubelet can also project a service account token into a Pod. You can
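Review bot: the bullet that heads the Chinese paragraph, the `+` line `* `--api-audiences` (can be omitted)` that sits after the closing `-->`, is still in English, whereas the removed line read `* `--api-audiences`(可以省略)`; restore the Chinese parenthetical so the reader-facing text is translated and only the commented copy stays English. Two smaller points: the hunk deletes a `{{< /note >}}` closing shortcode with no matching `{{< note >}}` deletion in view, so confirm the opening tag is removed as well or the Hugo build will see an unbalanced note; and the new text uses both 服务账户 (signing-key paragraph) and 服务账号 (audiences paragraph) for "service account", while the unchanged lines further down use 服务帐户. Pick one form for the whole file.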
@@ -443,9 +483,9 @@ duration. These properties are not configurable on the default service account
443
483
token. The service account token will also become invalid against the API when
444
484
the Pod or the ServiceAccount is deleted.
445
485
-->
446
-
kubelet 还可以将服务帐户令牌投影到 Pod 中。
447
-
你可以指定令牌的所需属性,例如受众和有效持续时间。
448
-
这些属性在默认服务帐户令牌上无法配置。
486
+
kubelet 还可以将服务帐户令牌投射到 Pod 中。
487
+
你可以指定令牌的期望属性,例如受众和有效期限。
488
+
这些属性在 default 服务帐户令牌上无法配置。
449
489
当删除 Pod 或 ServiceAccount 时,服务帐户令牌也将对 API 无效。
450
490
451
491
<!--
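Review bot: `default 服务帐户令牌` on the third `+` line mixes an untranslated English word into the sentence; since it refers to the ServiceAccount object named default, set it in backticks (`default`) the way the file already formats `automountServiceAccountToken`, so it reads as an identifier rather than a stray word. The switch from 投影 to 投射 for "project" is fine, but check that the rest of the file uses the same verb for projected tokens. Note also that kubelet is unformatted here while the following hunk writes `kubelet` in backticks; align the two.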
@@ -476,13 +516,14 @@ The kubelet proactively rotates the token if it is older than 80% of its total T
476
516
477
517
The application is responsible for reloading the token when it rotates. Periodic reloading (e.g. once every 5 minutes) is sufficient for most use cases.
478
518
-->
479
-
`kubelet` 组件会替 Pod 请求令牌并将其保存起来,通过将令牌存储到一个可配置的
480
-
路径使之在 Pod 内可用,并在令牌快要到期的时候刷新它。
481
-
`kubelet` 会在令牌存在期达到其 TTL 的 80% 的时候或者令牌生命期超过 24 小时
482
-
的时候主动轮换它。
519
+
`kubelet` 组件会替 Pod 请求令牌并将其保存起来,
520
+
通过将令牌存储到一个可配置的路径使之在 Pod 内可用,
521
+
并在令牌快要到期的时候刷新它。
522
+
`kubelet` 会在令牌存在期达到其 TTL 的 80% 的时候或者令牌生命期超过
523
+
24 小时的时候主动轮换它。
483
524
484
-
应用程序负责在令牌被轮换时重新加载其内容。对于大多数使用场景而言,周期性地
485
-
(例如,每隔 5 分钟)重新加载就足够了。
525
+
应用程序负责在令牌被轮换时重新加载其内容。对于大多数使用场景而言,
526
+
周期性地(例如,每隔 5 分钟)重新加载就足够了。
486
527
487
528
<!--
488
529
## Service Account Issuer Discovery
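Review bot: this hunk only rewraps existing sentences at shorter line widths without changing wording; that is acceptable, but pure reflow hunks make it harder to spot real translation changes in review and in later syncs against the English source, so consider keeping cosmetic rewraps in a separate commit from the content changes in the hunks above. Content-wise the Chinese matches the visible English context: the application reloads the token when it rotates, and periodic reloading (for example every 5 minutes) is sufficient for most use cases.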
@@ -496,8 +537,8 @@ The Service Account Issuer Discovery feature is enabled when the Service Account