Service Accounts
Account Types
USER
- Admin
- Developer
SERVICE
- Prometheus
- ArgoCD
- CI Tools
Create Service Accounts
The service account of an existing pod cannot be edited in place; to change it, delete and recreate the pod.
Imperative
kubectl create serviceaccount dashboard-sa
serviceaccount/dashboard-sa created
kubectl get serviceaccount
NAME           SECRETS   AGE
dashboard-sa   0         23s
default        0         8d
kubectl describe serviceaccount dashboard-sa
Name: dashboard-sa
Namespace: default
Labels: <none>
Annotations: <none>
Image pull secrets: <none>
Mountable secrets: <none>
Tokens: <none>
Events: <none>
Declarative
COMING SOON
Use SA
Add to Pod
apiVersion: v1
kind: Pod
metadata:
  name: simple-webapp-color
spec:
  serviceAccountName: dashboard-sa #HERE
  containers:
  - name: simple-webapp-color
    image: simple-webapp-color
    ports:
    - containerPort: 8080
    envFrom:
    - configMapRef:
        name: app-config
Token Request API
kubectl get pod -o yaml
apiVersion: v1
items:
- apiVersion: v1
  kind: Pod
  metadata:
    creationTimestamp: "2022-10-31T03:17:32Z"
    generateName: dashboard-7984475dd-
    labels:
      app: dashboard
      pod-template-hash: 7984475dd
    name: dashboard-7984475dd-skhvr
    namespace: default
    ownerReferences:
    - apiVersion: apps/v1
      blockOwnerDeletion: true
      controller: true
      kind: ReplicaSet
      name: dashboard-7984475dd
      uid: 8ab1b705-629d-4ac5-b7c2-029461cbaa43
    resourceVersion: "466880"
    uid: a01d0934-b00e-4bff-8634-8708afa9efe1
  spec:
    containers:
    - image: lscr.io/linuxserver/heimdall
      imagePullPolicy: Always
      name: dashboard
      volumeMounts:
      - mountPath: /config
        name: dashboard
      - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
        name: kube-api-access-rds9d
        readOnly: true

    volumes:
    - name: dashboard
      persistentVolumeClaim:
        claimName: heimdall-claim
    - name: kube-api-access-rds9d
      projected:
        defaultMode: 420
        sources:
        - serviceAccountToken:
            expirationSeconds: 3607
            path: token
        - configMap:
            items:
            - key: ca.crt
              path: ca.crt
            name: kube-root-ca.crt
        - downwardAPI:
            items:
            - fieldRef:
                apiVersion: v1
                fieldPath: metadata.namespace
              path: namespace

kind: List
metadata:
  resourceVersion: ""
Create SA Token
Imperative
kubectl create token dashboard-sa
eyJhbGciOiJSUzI1NiIsImtpZCI6InBwcnFxSFJEaUFYUXhHeG1FMmJkX0hNU0VuT21hR3hNT0d5S09kbzI3NmcifQ.eyJhdWQiOlsiaHR0cHM6Ly9rdWJlcm5ldGVzLmRlZmF1bHQuc3ZjLmNsdXN0ZXIubG9jYWwiLCJrM3MiXSwiZXhwIjoxNjY3NzczNDExLCJpYXQiOjE2Njc3Njk4MTEsImlzcyI6Imh0dHBzOi8va3ViZXJuZXRlcy5kZWZhdWx0LnN2Yy5jbHVzdGVyLmxvY2FsIiwia3ViZXJuZXRlcy5pbyI6eyJuYW1lc3BhY2UiOiJkZWZhdWx0Iiwic2VydmljZWFjY291bnQiOnsibmFtZSI6ImRhc2hib2FyZC1zYSIsInVpZCI6ImM4ZDdlM2UyLTA3OTUtNGZhYy05MDVlLTc3ZTQ1NGNjNWM2ZiJ9fSwibmJmIjoxNjY3NzY5ODExLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6ZGVmYXVsdDpkYXNoYm9hcmQtc2EifQ.VbxzizE_rETXs96Q9Edvhe8Nx_LGwELQHQVbDmok1UAQb_r94wnZtY-cIC9Zw-lieX1QqKpo33Huty0-goC06KJWrBcpBGWJ1VR76MCfBaoCSv24Bv3pvvJ9bMqH9vKCDH_ikfR6vRV28qlUuuZtvuKZKM0f2FXUajo4vaWliidesaq1Jcd94BiDk3tGjah7NrYqKztR-9voY0igZWjxBmIk3XCdiXZDv8ChDc4SHItk3GvSsaUs6dIcWzHohRODKB1FZ2eXZkn1a-Tw_CSmhFfOiTnsuTwaYBpwb8yACuM-b0CqPJ-QUoMHsCDreg8oFzfYYT2AiyoVWxeSPQEDEA
SA Secret Token Object
apiVersion: v1
kind: Secret
type: kubernetes.io/service-account-token
metadata:
  name: dashboard-sa-token
  annotations:
    kubernetes.io/service-account.name: "dashboard-sa"
SA Token Payload Default
{
  "aud": [
    "https://kubernetes.default.svc.cluster.local",
    "k3s"
  ],
  "exp": 1667773411,
  "iat": 1667769811,
  "iss": "https://kubernetes.default.svc.cluster.local",
  "kubernetes.io": {
    "namespace": "default",
    "serviceaccount": {
      "name": "dashboard-sa",
      "uid": "c8d7e3e2-0795-4fac-905e-77e454cc5c6f"
    }
  },
  "nbf": 1667769811,
  "sub": "system:serviceaccount:default:dashboard-sa"
}
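The Token Request API volume, `kubectl create token`, the Secret-based token object and the decoded payload above all describe the same JWT. As an added example (not part of the original notes), this Python script decodes such a token without verifying its signature, reports which service account it names, distinguishes a bound, time-limited projected token from a Secret-based one that carries no `exp`, and checks a mount directory laid out like the pod's projected volume. `make_token`, `PAGE_CLAIMS` and the placeholder signature are constructed here; the claim values are the ones the page shows.

```python
import base64
import json
import os

API_AUDIENCE = "https://kubernetes.default.svc.cluster.local"

def b64url_decode(segment: str) -> bytes:
    # JWT segments are unpadded base64url; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def inspect_sa_token(token: str, now: int, audience: str = API_AUDIENCE) -> dict:
    """Decode a service-account JWT (signature is NOT verified here; the API server does that)
    and report whether it is a bound, short-lived TokenRequest token or a legacy Secret token."""
    _header, payload_b64, _sig = token.split(".")
    claims = json.loads(b64url_decode(payload_b64))
    ns, name = claims["sub"].split(":")[2:4]  # sub is system:serviceaccount:<ns>:<name>
    exp = claims.get("exp")
    return {
        "namespace": ns,
        "serviceaccount": name,
        "bound": "kubernetes.io" in claims,  # binding claims exist only on TokenRequest tokens
        "long_lived": exp is None,           # tokens minted from a Secret carry no exp claim
        "lifetime_s": exp - claims["iat"] if exp else None,
        "expired": exp is not None and now >= exp,
        "audience_ok": audience in claims.get("aud", []),
    }

def inspect_mount(mount_dir: str, now: int) -> dict:
    """Check the projected volume's three files (ca.crt, namespace, token): decode the token
    and confirm it belongs to the namespace the downward API wrote next to it."""
    with open(os.path.join(mount_dir, "token")) as f:
        findings = inspect_sa_token(f.read().strip(), now)
    with open(os.path.join(mount_dir, "namespace")) as f:
        findings["namespace_matches_mount"] = f.read().strip() == findings["namespace"]
    findings["has_ca"] = os.path.isfile(os.path.join(mount_dir, "ca.crt"))
    return findings

def make_token(claims: dict) -> str:
    # Constructed, unsigned stand-in for the token `kubectl create token dashboard-sa` prints.
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256'})}.{enc(claims)}.placeholder-signature"

PAGE_CLAIMS = {  # claims copied from the page's decoded payload; exp - iat is 3600 s
    "aud": [API_AUDIENCE, "k3s"], "exp": 1667773411, "iat": 1667769811, "nbf": 1667769811,
    "iss": API_AUDIENCE, "sub": "system:serviceaccount:default:dashboard-sa",
    "kubernetes.io": {"namespace": "default", "serviceaccount": {
        "name": "dashboard-sa", "uid": "c8d7e3e2-0795-4fac-905e-77e454cc5c6f"}},
}
```

Inside a pod, `inspect_mount("/var/run/secrets/kubernetes.io/serviceaccount", int(time.time()))` runs the same checks against the real projected files.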
Debug
pod_definition.yml
apiVersion: v1
kind: Pod
metadata:
  name: k8s-dashboard
spec:
  containers:
  - name: my-k8s-dash
    image: my-k8s-dash
Get SAs
kubectl get sa
NAME           SECRETS   AGE
dashboard-sa   0         10m
default        0         8d
Describe pod (shows the Service Account in use and the token mount)
kubectl describe pod dashboard-7984475dd-skhvr
Name:             dashboard-7984475dd-skhvr
Namespace:        default
Priority:         0
Service Account:  default
Node:             k3s-server-1/10.10.1.11
Start Time:       Sun, 30 Oct 2022 20:17:32 -0700
Labels:           app=dashboard
                  pod-template-hash=7984475dd
Annotations:      <none>
Status:           Running
Containers:
  dashboard:
    Image:        lscr.io/linuxserver/heimdall
    Environment:  <none>
    Mounts:
      /config from dashboard (rw)
      /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-rds9d (ro) #HERE
Volumes:
  dashboard:
    Type:       PersistentVolumeClaim (a reference to a PersistentVolumeClaim in the same namespace)
    ClaimName:  heimdall-claim
    ReadOnly:   false
  kube-api-access-rds9d:
    Type:                    Projected (a volume that contains injected data from multiple sources)
    TokenExpirationSeconds:  3607
    ConfigMapName:           kube-root-ca.crt
    ConfigMapOptional:       <nil>
    DownwardAPI:             true
View Mount Contents
kubectl exec -it dashboard-7984475dd-skhvr -- ls /var/run/secrets/kubernetes.io/serviceaccount

ca.crt  namespace  token