You can use specialized ServiceAccounts with restricted permissions to allow containers to access the Kubernetes API.
- Every namespace has a default service account.
- Each service account has a matching secret object, which has a token.
- When a pod is created, a service account token is mounted automatically.
- The pod accesses Kubernetes APIs using the mounted service account token.
Service Accounts
You can create a new service account.
kubectl create serviceaccount <account-name>
kubectl get serviceaccounts
kubectl get sa
# get details and a token
kubectl describe sa <account-name>
kubectl describe sa default
# check the token
kubectl describe secret <token-name>
And then you can associate it with a pod.
spec:
  serviceAccountName: <account-name>
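The following script is an added example, not part of the original notes: it generates a service account whose RBAC Role can only read pods in one namespace, attaches it to a pod with `serviceAccountName`, shows the contrasting `automountServiceAccountToken: false` for a workload that never needs the API, and then asks the API server (with `kubectl auth can-i --as=system:serviceaccount:...`) what the account can and cannot do. The namespace, account, role and pod names (`demo`, `api-reader`, `pod-reader`, `reader`, `no-api`) are made up for the example.

```shell
#!/bin/sh
# Added example (not from the original notes): a least-privilege service account
# bound to a Role that can only read pods in namespace "demo", attached to a pod,
# plus a pod that needs no API access and therefore gets no token mounted.
# All names (demo, api-reader, pod-reader, reader, no-api) are constructed.
set -eu

NS="${NS:-demo}"
SA="${SA:-api-reader}"

# Emit the manifests on stdout so they can be reviewed, diffed or piped to kubectl apply.
write_manifests() {
  cat <<EOF
apiVersion: v1
kind: Namespace
metadata:
  name: $NS
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: $SA
  namespace: $NS
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
  namespace: $NS
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: $SA-pod-reader
  namespace: $NS
subjects:
- kind: ServiceAccount
  name: $SA
  namespace: $NS
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: v1
kind: Pod
metadata:
  name: reader
  namespace: $NS
spec:
  serviceAccountName: $SA
  containers:
  - name: app
    image: busybox:1.36
    command: ["sleep", "3600"]
---
apiVersion: v1
kind: Pod
metadata:
  name: no-api
  namespace: $NS
spec:
  automountServiceAccountToken: false   # this workload never talks to the API server
  containers:
  - name: app
    image: busybox:1.36
    command: ["sleep", "3600"]
EOF
}

# Ask the API server what the service account may do; expected: yes, no, no.
verify_rbac() {
  for check in "list pods" "delete pods" "list secrets"; do
    # $check is split on purpose into verb and resource
    printf '%-14s -> %s\n' "$check" \
      "$(kubectl auth can-i $check -n "$NS" --as="system:serviceaccount:$NS:$SA" || true)"
  done
}

# Only touch a cluster when explicitly asked: APPLY=1 sh least-privilege-sa.sh
if [ "${APPLY:-0}" = "1" ]; then
  write_manifests | kubectl apply -f -
  verify_rbac
fi
```

Run it with no arguments to print the manifests for review, or with `APPLY=1` to apply them and run the three `can-i` checks; anything other than "yes / no / no" means the binding grants more (or less) than intended. The `no-api` pod illustrates the setting that removes the token from workloads that do not need one, which is the cheapest way to shrink what a compromised container can reach.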
Service Account Token in a Pod
- When a pod is created, a service account token is mounted automatically.
- The pod accesses Kubernetes APIs using the mounted service account token.
kubectl describe pod <pod-name>
# find the service account token volume and its mount path in the output
kubectl exec -it <pod-name> -- ls <mount-path>
kubectl exec -it <pod-name> -- cat <mount-path>/token
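As an added example (not from the original notes), the script below does from inside the container what the commands above do by hand: it reads the mounted token, decodes its JWT claims locally to show which account it belongs to and when it expires (tokens projected since v1.22 carry `exp` and `aud`; older secret-based tokens have no expiry), and then calls the API server using the mounted CA bundle and token. The mount path defaults to the standard `/var/run/secrets/kubernetes.io/serviceaccount`; `SA_DIR` and `INSPECT` are names assumed for this script only.

```shell
#!/bin/sh
# Added example (not from the original notes): inspect the token a pod received
# through the automatic service-account mount, without sending it anywhere, and
# then use it (with the mounted CA) to call the API server the way a pod does.
# SA_DIR defaults to the standard mount path; point it at a copy to inspect that.
set -eu

SA_DIR="${SA_DIR:-/var/run/secrets/kubernetes.io/serviceaccount}"

# Decode the base64url payload (second dot-separated part) of a JWT.
jwt_payload() {
  p=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  case $(( ${#p} % 4 )) in
    2) p="$p==" ;;
    3) p="$p=" ;;
  esac
  printf '%s' "$p" | base64 -d
}

# Print one claim from the payload: string claims unquoted, numeric claims as-is.
# Sufficient for the flat claims (sub, iss, exp) found in service-account tokens.
jwt_claim() {
  jwt_payload "$1" | sed -n "s/.*\"$2\":\"\([^\"]*\)\".*/\1/p; s/.*\"$2\":\([0-9][0-9]*\).*/\1/p"
}

# Summarise who the token is for and when it stops working. Tokens projected since
# v1.22 carry exp; a legacy secret-based token has none, so "expires" prints empty.
describe_token() {
  tok=$(cat "$SA_DIR/token")
  echo "namespace: $(cat "$SA_DIR/namespace")"
  echo "subject:   $(jwt_claim "$tok" sub)"
  echo "issuer:    $(jwt_claim "$tok" iss)"
  echo "expires:   $(jwt_claim "$tok" exp)   (empty = long-lived legacy token)"
}

# GET an API path using the pod's own identity, trusting only the mounted cluster CA.
api_get() {
  curl -sS --cacert "$SA_DIR/ca.crt" \
    -H "Authorization: Bearer $(cat "$SA_DIR/token")" \
    "https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT:-443}$1"
}

# Run inside the pod: INSPECT=1 sh inspect-token.sh
if [ "${INSPECT:-0}" = "1" ]; then
  describe_token
  api_get "/api/v1/namespaces/$(cat "$SA_DIR/namespace")/pods" | head -c 400
  echo
fi
```

The `expires` line is the useful defender check: an empty value means the container is holding a token that never expires and is valid until its secret is deleted, which is the situation the v1.22+ changes were designed to remove. The API call works only if the account has a binding that permits listing pods; with the default service account it should return a 403, which is exactly what you want to see.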
UPDATE
- Pending
Since v1.22, there have been many changes regarding how service accounts are configured.
https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/