Service Accounts in Kubernetes allow you to authenticate and authorize applications and services running within a cluster. They provide a way to grant specific permissions and access control to pods and containers.
In this practical, we will cover the following steps:
- Creating a Service Account
- Creating a token for the Service Account
- Creating a Role to define permissions
- Creating a RoleBinding to associate the Role with the Service Account
- Using the Service Account in a Pod
- Verifying access permissions
To create a Service Account, use the following commands:
kubectl create sa mysa
To create a token for the Service Account "mysa" :
kubectl create token mysa
To define permissions for the Service Account, we need to create a Role. Use the following YAML file:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
namespace: default
name: pod-reader
rules:
- apiGroups:
- ''
resources:
- pods
verbs:
- get
- watch
- list
To associate the Role with the Service Account, create a RoleBinding. Use the following YAML file:
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: read-pods
namespace: default
subjects:
- kind: ServiceAccount
name: mysa
namespace: default
roleRef:
kind: Role
name: pod-reader
apiGroup: rbac.authorization.k8s.io
To use the Service Account in a Pod, update the Pod definition with the appropriate serviceAccountName. Use the following YAML file:
apiVersion: v1
kind: Pod
metadata:
name: nginx
spec:
serviceAccountName: mysa
containers:
- name: nginx
image: nginx:1.14.2
ports:
- containerPort: 80
To verify the access permissions of the Service Account, use the following command:
kubectl auth can-i get pods --as=system:serviceaccount:default:mysa
- The command checks if the Service Account "mysa" has permission to get pods.
- The output will indicate whether the access is allowed or denied.
Congratulations! You have successfully created and configured a Service Account in Kubernetes. You learned how to create a Service Account, associate it with a Role, and use it in a Pod. You also verified the access permissions of the Service Account. Feel free to explore further and customize the roles and permissions based on your specific requirements.