Security accounts in Kubernetes

Accounts in K8s
  • User account:
    - Used by humans.
    - Admin role: to perform admin tasks.
    - Developer role: to access the cluster and deploy apps.
  • Security account:
    - For automated tasks, by machines.
    - A monitoring app like Prometheus uses service account to poll k8 metrics or logs to come up with performance metrics.
    - An automated build tool like Jenkins uses service account to deploy app on the cluster.

On creation of service account a token is created automatically:
- Command to view the token (See Tokens section):

The above token can be used by the external apps for authentication of kube-api as a bearer token.

Token is stored as a secret object.

Command to view the secret object:

We can get the secret name from ‘Tokens’ section of service account

Steps to create a service account:

  • Create a service account.
  • Assign role based permissions/access control mechanisms.
  • Export the token.
  • Use it in external app while making kube api requests.
  • If the external app itself is hosted in Kubernetes cluster, the exporting can be made simpler by mounting the secret as a volume to the application.

To view the secret files in the pod (which has secret mounted as volume):

  • Command to get into the pod: kubectl exec -it <pod-name>.
  • ls /var/run/secrets/kubernetes.io/serviceaccount, we will find ca.crt, namespace, token files.
  • cat /var/run/secrets/kubernetes.io/serviceaccount/token, we will be able to see the token content.

Default service accounts are mounted automatically to every pods, which has limited permissions.

To assign a service account: spec/serviceAccountName: <service a/c name>

To prevent kubernetes from automatically mounting default service account, set spec/automountServiceAccountToken: false

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Hitesh Pattanayak

Hitesh Pattanayak

Senior Consultant @ Thoughtworks | 6.5 years of experience | Polyglot | Backend Developer | Kubernetes and AWS practitioner | Finance Enthusiast