Friday, November 16, 2018

Kubernetes - Service Accounts

Kubernetes has normal users who connect to the cluster; their user credentials are sent to the API server whenever we run a kubectl command. But how do processes inside a pod talk to the API server? This is done with service accounts. The Kubernetes cluster creates different service accounts to perform different actions, and a default service account is created in every namespace. Let's see how we can create a service account and how things work.

To list all service accounts across all namespaces we can use,
[root@ip-172-31-12-239 .kube]# kubectl get serviceaccounts --all-namespaces  

To list only the default account in each namespace, filter the output with grep,
[root@ip-172-31-12-239 .kube]# kubectl get serviceaccounts --all-namespaces | grep default
default              default                              1 34m 
kube-public       default                              1 34m 
kube-system     default                              1 34m 

The first column is the namespace and the second is the service account name.

Now let's create a namespace,
[root@ip-172-31-12-239 ~]# kubectl create namespace project1
namespace/project1 created 

[root@ip-172-31-12-239 ~]# kubectl get ns 
NAME              STATUS AGE 
default            Active   36m 
kube-public     Active   36m 
kube-system     Active   36m 
project1          Active   3s

Let's list the service accounts in the namespace project1,
[root@ip-172-31-12-239 ~]# kubectl get serviceaccounts --namespace=project1 
NAME      SECRETS AGE 
default     1            27s 

By default, the Kubernetes cluster creates a default service account in every namespace we create. As shown above, the default service account appeared as soon as the namespace project1 was created. Describe it using,
[root@ip-172-31-12-239 ~]# kubectl describe serviceaccount default --namespace=project1 
Name:                      default 
Namespace:               project1 
Labels:                      
Annotations:              
Image pull secrets:     
Mountable secrets:     default-token-72sz4 
Tokens:                    default-token-72sz4 
Events:                     

We see that the service account has a mountable secret, which holds its token. Describe the secret using,
[root@ip-172-31-12-239 ~]# kubectl describe secret default-token-72sz4 --namespace=project1 
Name:         default-token-72sz4 
Namespace:    project1 
Labels:        
Annotations:  kubernetes.io/service-account.name: default 
             kubernetes.io/service-account.uid: 308239fd-e7e8-11e8-b7ad-028521ef21bc 

Type:  kubernetes.io/service-account-token 

Data 
==== 
ca.crt:     1025 bytes 
namespace:  8 bytes 
token:      eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJwcm9qZWN0MSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJkZWZhdWx0LXRva2VuLTcyc3o0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6ImRlZmF1bHQiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiIzMDgyMzlmZC1lN2U4LTExZTgtYjdhZC0wMjg1MjFlZjIxYmMiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6cHJvamVjdDE6ZGVmYXVsdCJ9.JrIXYFuA2uws7DXOd2r4lunjL8XI_uoO00IZcY9TbaZT_0G2GqNAcXl0GDYwTr-J9KTu01_h5cO8Xw12Rvu5Fq7Jft1iibA-kK9Oeq2kiSsi41IPP8JXZh6ypP41Io-QQFCDcrMn4KhokbLLio2xc1ck6GjazrzAdyw7ArmDfb2wWO7biZC_QwVcGwtyjwY2sWc5m30V4uDtMfpvNP3jufCLapVbqfFVDpUiE__cC0ZE4L-F_Wfd_7HCvbinqFg6FWw4ZmMmwAwbhwuY4dQ9NiPWILCxrlfYONgky5AMS9V3d-aEeiula2ClZ44g0yi1XZ2VbBWHtWLowJ32vHwcgQ 

The service account's token is automatically mounted into the pod at /var/run/secrets/kubernetes.io/serviceaccount. When the pod accesses the API server, the API server checks the certificate and the token to authenticate the request. So every process running inside the pod authenticates to the API server with this same service account unless a different one is specified.
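To see what that token actually asserts to the API server, here is an added example (not code from the original post) that decodes the header and claims of the token shown above and flags what a defender would want to know about it. It does not verify the RS256 signature, which only the API server can do with its signing key, so the signature segment is replaced with a labelled placeholder.

```python
"""Decode and audit a Kubernetes service-account token (a JWT) offline.
Added example, not code from the post. It does NOT verify the RS256 signature
(only the API server can, with its signing key) and makes no network calls."""
import base64
import json

# Header and claims segments copied from the `kubectl describe secret` output in
# the post; the signature segment is a placeholder since nothing here checks it.
# In a pod the same token is read from /var/run/secrets/kubernetes.io/serviceaccount/token.
PAGE_TOKEN = (
    "eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9."
    "eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2"
    "aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJwcm9qZWN0MSIsImt1YmVybmV0ZXMuaW8vc2Vydmlj"
    "ZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJkZWZhdWx0LXRva2VuLTcyc3o0Iiwia3ViZXJuZXRl"
    "cy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6ImRlZmF1bHQiLCJr"
    "dWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiIzMDgy"
    "MzlmZC1lN2U4LTExZTgtYjdhZC0wMjg1MjFlZjIxYmMiLCJzdWIiOiJzeXN0ZW06c2Vydmlj"
    "ZWFjY291bnQ6cHJvamVjdDE6ZGVmYXVsdCJ9."
    "SIGNATURE-OMITTED"
)

def b64url_decode(segment: str) -> bytes:
    """JWT segments are base64url without '=' padding; restore it first."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_token(token: str) -> tuple:
    """Return (header, claims) of a JWT. The signature is NOT checked."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    return json.loads(b64url_decode(parts[0])), json.loads(b64url_decode(parts[1]))

def audit_claims(claims: dict) -> list:
    """Flag token properties a defender should know about."""
    sub = claims.get("sub", "")
    fields = sub.split(":", 3)          # system:serviceaccount:<ns>:<name>
    if fields[:2] != ["system", "serviceaccount"] or len(fields) != 4:
        return ["sub is not a service account: %r" % sub]
    namespace, name = fields[2], fields[3]
    findings = []
    if "exp" not in claims:
        findings.append("no exp claim: legacy secret-based token never expires")
    if name == "default":
        findings.append("issued to the default service account of namespace %s, "
                        "shared by every pod there without serviceAccountName" % namespace)
    return findings

if __name__ == "__main__":
    header, claims = decode_token(PAGE_TOKEN)
    print(header["alg"], claims["sub"], audit_claims(claims))
```

Run inside a pod, the same functions can be pointed at the mounted token file instead of PAGE_TOKEN to see which identity every process in that pod carries by default.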
