11.8. 관리형 서비스 계정(기술 프리뷰)

11.8.1. 개요

이 문서는 Kubernetes Operator용 다중 클러스터 엔진의 ManagedServiceAccount 리소스에 대한 것입니다. ManagedServiceAccount 리소스에는 생성, 쿼리, 삭제, 업데이트 등 네 가지 요청이 있습니다.

11.8.1.1. URI 스키마

BasePath : /kubernetes/apis
Schemes : HTTPS

11.8.1.2. 태그

  • Managed serviceaccounts.multicluster.openshift.io': ManagedServiceAccounts생성 및 관리

11.8.2. 경로

11.8.2.1. Create a ManagedServiceAccount

POST /apis/multicluster.openshift.io/v1alpha1/ManagedServiceAccounts
11.8.2.1.1. 설명

ManagedServiceAccount 를 생성합니다.

11.8.2.1.2. 매개 변수
유형이름설명스키마

header

COOKIE
필요

권한 부여: 베어러 {ACCESS_TOKEN} ; ACCESS_TOKEN은 사용자 액세스 토큰입니다.

string

body

본문
필요

생성할 ManagedServiceAccount를 설명하는 매개변수입니다.

ManagedServiceAccount

11.8.2.1.3. 응답
HTTP 코드설명스키마

200

성공

콘텐츠 없음

403

액세스 금지

콘텐츠 없음

404

리소스를 찾을 수 없음

콘텐츠 없음

500

내부 서비스 오류

콘텐츠 없음

503

서비스를 사용할 수 없음

콘텐츠 없음

11.8.2.1.4. Use
  • managedserviceaccount/yaml
11.8.2.1.5. 태그
  • managedserviceaccount.multicluster.openshift.io
11.8.2.1.5.1. 요청 본문
{
  "apiVersion": "apiextensions.k8s.io/v1",
  "kind": "CustomResourceDefinition",
  "metadata": {
    "annotations": {
      "controller-gen.kubebuilder.io/version": "v0.4.1"
    },
    "creationTimestamp": null,
    "name": "managedserviceaccount.authentication.open-cluster-management.io"
  },
  "spec": {
    "group": "authentication.open-cluster-management.io",
    "names": {
      "kind": "ManagedServiceAccount",
      "listKind": "ManagedServiceAccountList",
      "plural": "managedserviceaccounts",
      "singular": "managedserviceaccount"
    },
    "scope": "Namespaced",
    "versions": [
      {
        "name": "v1alpha1",
        "schema": {
          "openAPIV3Schema": {
            "description": "ManagedServiceAccount is the Schema for the managedserviceaccounts\nAPI",
            "properties": {
              "apiVersion": {
                "description": "APIVersion defines the versioned schema of this representation\nof an object. Servers should convert recognized schemas to the latest\ninternal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
                "type": "string"
              },
              "kind": {
                "description": "Kind is a string value representing the REST resource this\nobject represents. Servers may infer this from the endpoint the client\nsubmits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
                "type": "string"
              },
              "metadata": {
                "type": "object"
              },
              "spec": {
                "description": "ManagedServiceAccountSpec defines the desired state of ManagedServiceAccount",
                "properties": {
                  "rotation": {
                    "description": "Rotation is the policy for rotation the credentials.",
                    "properties": {
                      "enabled": {
                        "default": true,
                        "description": "Enabled prescribes whether the ServiceAccount token\nwill be rotated from the upstream",
                        "type": "boolean"
                      },
                      "validity": {
                        "default": "8640h0m0s",
                        "description": "Validity is the duration for which the signed ServiceAccount\ntoken is valid.",
                        "type": "string"
                      }
                    },
                    "type": "object"
                  },
                  "ttlSecondsAfterCreation": {
                    "description": "ttlSecondsAfterCreation limits the lifetime of a ManagedServiceAccount.\nIf the ttlSecondsAfterCreation field is set, the ManagedServiceAccount\nwill be automatically deleted regardless of the ManagedServiceAccount's\nstatus. When the ManagedServiceAccount is deleted, its lifecycle\nguarantees (e.g. finalizers) will be honored. If this field is unset,\nthe ManagedServiceAccount won't be automatically deleted. If this\nfield is set to zero, the ManagedServiceAccount becomes eligible\nfor deletion immediately after its creation. In order to use ttlSecondsAfterCreation,\nthe EphemeralIdentity feature gate must be enabled.",
                    "exclusiveMinimum": true,
                    "format": "int32",
                    "minimum": 0,
                    "type": "integer"
                  }
                },
                "required": [
                  "rotation"
                ],
                "type": "object"
              },
              "status": {
                "description": "ManagedServiceAccountStatus defines the observed state of\nManagedServiceAccount",
                "properties": {
                  "conditions": {
                    "description": "Conditions is the condition list.",
                    "items": {
                      "description": "Condition contains details for one aspect of the current\nstate of this API Resource. --- This struct is intended for direct\nuse as an array at the field path .status.conditions.  For example,\ntype FooStatus struct{     // Represents the observations of a\nfoo's current state.     // Known .status.conditions.type are:\n\"Available\", \"Progressing\", and \"Degraded\"     // +patchMergeKey=type\n    // +patchStrategy=merge     // +listType=map     // +listMapKey=type\n    Conditions []metav1.Condition `json:\"conditions,omitempty\"\npatchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n     // other fields }",
                      "properties": {
                        "lastTransitionTime": {
                          "description": "lastTransitionTime is the last time the condition\ntransitioned from one status to another. This should be when\nthe underlying condition changed.  If that is not known, then\nusing the time when the API field changed is acceptable.",
                          "format": "date-time",
                          "type": "string"
                        },
                        "message": {
                          "description": "message is a human readable message indicating\ndetails about the transition. This may be an empty string.",
                          "maxLength": 32768,
                          "type": "string"
                        },
                        "observedGeneration": {
                          "description": "observedGeneration represents the .metadata.generation\nthat the condition was set based upon. For instance, if .metadata.generation\nis currently 12, but the .status.conditions[x].observedGeneration\nis 9, the condition is out of date with respect to the current\nstate of the instance.",
                          "format": "int64",
                          "minimum": 0,
                          "type": "integer"
                        },
                        "reason": {
                          "description": "reason contains a programmatic identifier indicating\nthe reason for the condition's last transition. Producers\nof specific condition types may define expected values and\nmeanings for this field, and whether the values are considered\na guaranteed API. The value should be a CamelCase string.\nThis field may not be empty.",
                          "maxLength": 1024,
                          "minLength": 1,
                          "pattern": "^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$",
                          "type": "string"
                        },
                        "status": {
                          "description": "status of the condition, one of True, False, Unknown.",
                          "enum": [
                            "True",
                            "False",
                            "Unknown"
                          ],
                          "type": "string"
                        },
                        "type": {
                          "description": "type of condition in CamelCase or in foo.example.com/CamelCase.\n--- Many .condition.type values are consistent across resources\nlike Available, but because arbitrary conditions can be useful\n(see .node.status.conditions), the ability to deconflict is\nimportant. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)",
                          "maxLength": 316,
                          "pattern": "^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$",
                          "type": "string"
                        }
                      },
                      "required": [
                        "lastTransitionTime",
                        "message",
                        "reason",
                        "status",
                        "type"
                      ],
                      "type": "object"
                    },
                    "type": "array"
                  },
                  "expirationTimestamp": {
                    "description": "ExpirationTimestamp is the time when the token will expire.",
                    "format": "date-time",
                    "type": "string"
                  },
                  "tokenSecretRef": {
                    "description": "TokenSecretRef is a reference to the corresponding ServiceAccount's\nSecret, which stores the CA certficate and token from the managed\ncluster.",
                    "properties": {
                      "lastRefreshTimestamp": {
                        "description": "LastRefreshTimestamp is the timestamp indicating\nwhen the token in the Secret is refreshed.",
                        "format": "date-time",
                        "type": "string"
                      },
                      "name": {
                        "description": "Name is the name of the referenced secret.",
                        "type": "string"
                      }
                    },
                    "required": [
                      "lastRefreshTimestamp",
                      "name"
                    ],
                    "type": "object"
                  }
                },
                "type": "object"
              }
            },
            "type": "object"
          }
        },
        "served": true,
        "storage": true,
        "subresources": {
          "status": {}
        }
      }
    ]
  },
  "status": {
    "acceptedNames": {
      "kind": "",
      "plural": ""
    },
    "conditions": [],
    "storedVersions": []
  }
}

11.8.2.2. 하나의 ManagedServiceAccount 쿼리

GET /cluster.open-cluster-management.io/v1alpha1/namespaces/{namespace}/managedserviceaccounts/{managedserviceaccount_name}
11.8.2.2.1. 설명

자세한 내용은 하나의 ManagedServiceAccount 를 쿼리합니다.

11.8.2.2.2. 매개 변수
유형이름설명스키마

header

COOKIE
필요

권한 부여: 베어러 {ACCESS_TOKEN} ; ACCESS_TOKEN은 사용자 액세스 토큰입니다.

string

경로

managedserviceaccount_name
required

쿼리할 ManagedServiceAccount 의 이름입니다.

string

11.8.2.2.3. 응답
HTTP 코드설명스키마

200

성공

콘텐츠 없음

403

액세스 금지

콘텐츠 없음

404

리소스를 찾을 수 없음

콘텐츠 없음

500

내부 서비스 오류

콘텐츠 없음

503

서비스를 사용할 수 없음

콘텐츠 없음

11.8.2.2.4. 태그
  • cluster.open-cluster-management.io

11.8.2.3. ManagedServiceAccount삭제

DELETE /cluster.open-cluster-management.io/v1alpha1/namespaces/{namespace}/managedserviceaccounts/{managedserviceaccount_name}
11.8.2.3.1. 설명

하나의 ManagedServiceAccount 를 삭제합니다.

11.8.2.3.2. 매개 변수
유형이름설명스키마

header

COOKIE
필요

권한 부여: 베어러 {ACCESS_TOKEN} ; ACCESS_TOKEN은 사용자 액세스 토큰입니다.

string

경로

managedserviceaccount_name
required

삭제할 ManagedServiceAccount 의 이름입니다.

string

11.8.2.3.3. 응답
HTTP 코드설명스키마

200

성공

콘텐츠 없음

403

액세스 금지

콘텐츠 없음

404

리소스를 찾을 수 없음

콘텐츠 없음

500

내부 서비스 오류

콘텐츠 없음

503

서비스를 사용할 수 없음

콘텐츠 없음

11.8.2.3.4. 태그
  • cluster.open-cluster-management.io

11.8.3. 정의

11.8.3.1. ManagedServiceAccount

이름설명스키마

apiVersion
필요

ManagedServiceAccount 의 버전이 지정된 스키마입니다.

string

kind
필수

REST 리소스를 나타내는 문자열 값입니다.

string

메타데이터
필요

ManagedServiceAccount 의 메타 데이터입니다.

object

spec
필수

ManagedServiceAccount 사양입니다.