DIVYA SINGHAL:
I am trying to add a service account to the pod but I cannot see it being mounted to the pod with the kubectl describe pod.
I can see only the default secret mounted:
    Mounts:
      /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-x2rs4 (ro)
Conditions:
  Type              Status
  Initialized       True
  Ready             True
  ContainersReady   True
  PodScheduled      True
Volumes:
  kube-api-access-x2rs4:
    Type:  Projected (a volume that contains injected data from multiple sources)
Can someone help with what I may be doing wrong here?
Alistair Mackay:
Please post the YAML used to create the pod
DIVYA SINGHAL:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: nginx
  name: pvviewer
spec:
  serviceAccountName: pvviewer
  containers:
  - image: nginx
    name: nginx
    resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Always
status: {}
Alistair Mackay:
Ok, looks fine
/var/run/secrets/kubernetes.io/serviceaccount
This is a directory that has been auto-mounted in the pod for the given service account pvviewer.
This directory will contain a file called token, which is a bearer token for access to the API server.
You will be able to perform whatever operations have been granted to the pvviewer SA by any role bound to it.
DIVYA SINGHAL:
How can I check if the SA has been mounted correctly?
DIVYA SINGHAL:
The steps I performed for solving this question are
Alistair Mackay:
I think the pod would fail to create if the service account did not exist
DIVYA SINGHAL:
k create sa
Name: pvviewer
Namespace: default
Labels: <none>
Annotations: <none>
Image pull secrets: <none>
Mountable secrets: <none>
Tokens: <none>
Events: <none>
DIVYA SINGHAL:
I cannot see any token mounted on it after I created the SA
Alistair Mackay:
kubectl exec nginx -it -- /bin/sh
This gets you into the pod, then
ls -l /var/run/secrets/kubernetes.io/serviceaccount
and you should see a file called token
DIVYA SINGHAL:
Yes, I can see that
Alistair Mackay:
Then the SA token is mounted
DIVYA SINGHAL:
But how can I be sure that this token is from the SA I created and not the default SA?
Alistair Mackay:
spec:
  serviceAccountName: pvviewer
DIVYA SINGHAL:
Can't we see that in the k describe pod under volume mount?
Alistair Mackay:
Because you have told it to use a specific SA.
It’s only not going to be that SA if there is a bug in Kubernetes - and that would be a very serious bug!
DIVYA SINGHAL:
The spec you shared, it's from the pod.yaml only, right?
DIVYA SINGHAL:
Umm, yes, I do not see the SA and I am working on one of the KodeKloud labs only.
DIVYA SINGHAL:
Not sure if there is a bug or something else in it.
DIVYA SINGHAL:
The steps I followed for my activity: