DIVYA SINGHAL:
kubectl create serviceaccount pvviewer
kubectl create clusterrole pvviewer-role --resource=persistentvolumes --verb=list
kubectl create clusterrolebinding pvviewer-role-binding --clusterrole=pvviewer-role --serviceaccount=default:pvviewer
apiVersion: v1
kind: Pod
metadata:
  name: pvviewer
spec:
  containers:
  - image: redis
    name: pvviewer
  serviceAccountName: pvviewer
kubectl create -f pvviewer.yaml
Alistair Mackay:
The way to prove it beyond all doubt is to issue a curl command from the pod using the token that retrieves persistent volumes.
The default SA has no permission to do anything
Alistair Mackay:
Without me setting up a complete test, I think the curl command (to run from inside the container) will be
curl -k -H "Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" https://kubernetes.default.svc/api/v1/persistentvolumes
And provided there is at least one persistent volume existing, you should see it in the results.
The default SA will get access denied.
DIVYA SINGHAL:
Ok, thanks a lot, I'll try it.
Alistair Mackay:
https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/
Search in the page for "list or watch objects of kind PersistentVolume".
mjv:
The token under /var/run/secrets/kubernetes.io/serviceaccount is a JWT token (https://jwt.io/), so you can use
$ k exec -it nginx -- bash
root@nginx:/# cat /var/run/secrets/kubernetes.io/serviceaccount/token | awk -F"." '{print $2}' | base64 -d
{"aud":["https://kubernetes.default.svc.cluster.local"],"exp":1703156498,"iat":1671620498,"iss":"https://kubernetes.default.svc.cluster.local","kubernetes.io":{"namespace":"cka","pod":{"name":"nginx","uid":"f816aef9-b0ee-495f-a5c5-d15d0a0c17ac"},"serviceaccount":{"name":"default","uid":"f226b9da-32d0-4936-a413-be36f98614bf"},"warnafter":1671624105},"nbf":1671620498,"sub":"system:serviceaccount:cka:default"}base64: invalid input
DIVYA SINGHAL:
It worked. Thanks a lot.