Creating serviceaccount with user and password

Kubernetes
#1

Hi, Can anyone please answer the following

  1. Is it possible to create a serviceAccount based on user and password just like how a secret object can be created from user and password with --from-literal==. I mean not using --from-literal but with any other way

  2. If I have to create a serviceAccount to allow only reading (get) the resources but not allowed to write/modify any resource (e.g. cant create a Pod or modify a deployment etc), how it can be achieved. Does it require RBAC (i.e. role creation for SA to only have read option). Any example for this.

  3. When we create a serviceAccount and assign it to a Pod, how does the Pod gets authenticated by kubeapi server. How does kubeapi server know that a specific Serviceaccount is only applicable for a specific Pod only. Is there any configuration change required in kubeapi server for allowing authentication using serviceAccount

Similarly, when Pod1 communicates with Pod2, if pod1 uses serviceAccount for authentication, how does Pod2 authenticate the Pod1. Does it require any special configuration in Pod2 and how does Pod2 know that Pod1 has to be authenticated by means of serviceAccount only and how does Pod2 know that a “specific” serviceAccount is to be used by Pod1.

@mmumshad @mumshadgmail Could you help to answer this. Thanks.

#2

Hi, Can anyone please answer and clarify my doubts regarding serviceaccounts. Thanks.

#3

Hi @debu3645

No, secret and serviceaccount are different, serviceaccount is used for no human authentication like when pod needs to do some request on k8s API and secret is used to store sensitive information like token, password, and username. For kubernetes 1.24+ after create serviceaccount you need to explicitaly create a secret to store the token.

kubectl create sa foosa
kubectl get sa foosa

image

image

You need now to create a secret type kubernetes.io/service-account-token and assign it to the serviceaccount

apiVersion: v1
kind: Secret
metadata:
  name: foo-sa-secret
  annotations:
    kubernetes.io/service-account.name: foosa
type: kubernetes.io/service-account-token

Secret create automatically a token

image
image959Ă—458 106 KB

Create a pod and assign him serviceaccount foosa

image
image962Ă—570 67.5 KB

The serviceaccount is mounted in the pod

image
image781Ă—169 24.1 KB

For this case :

  • you need to create a role
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  creationTimestamp: null
  name: foo
rules:
 - apiGroups: [""]
   resources: ["pods"]
   verbs: ["create","get","list"]
 - apiGroups: ["apps"]
   resources: ["deployments"]
   verbs: ["update"]
  • Bind the role to the serviceaccount
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  creationTimestamp: null
  name: foobinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: foo
subjects:
- kind: ServiceAccount
  name: foosa
  namespace: default

No need to do anything on APIs side, on each request the pod sends the token for authentication and the APIs can verify if the token is valid and if we apply RBAC policy on it
To test your serviceaccount :

  • connect on your pod
kubectl exec -it nginx -- /bin/bash
  • create env variable token and give him the token
 TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
  • Do some request from the api
curl -sSk --request GET -H "Authorization: Bearer $TOKEN" --url https://kubernetes.default:443/apis/apps/v1/namespaces/default/deployments/worker-app-deploy

image
image1910Ă—328 40.7 KB 

curl -sSk --request GET -H "Authorization: Bearer $TOKEN" --url https://kubernetes.default:443/api/v1/namespaces/default/pods/nginx

Capture d’écran du 2023-08-13 17-54-14
Capture d’écran du 2023-08-13 17-54-141512×925 88.9 KB

You can use the following link to learn more on service account

Regard

#4

Thank you so much for the detailed explanation @mmkmou
Really appreciate it.

Thanks.
Debashish

1 Like