Pods can access the Kubernetes API
Special service called kubernetes present in the default namespace
Pods get environment variables to find the API endpoint
Pods automatically mount the service account token under /var/run/secrets/kubernetes.io/serviceaccount
By default, the service account default is used
Service account default is not bound to any (Cluster)Role, so its token grants nothing beyond being authenticated
No need to access the Kubernetes API? Disable token mounting in the Pod:
```yaml [2,7]
apiVersion: v1
kind: Pod
metadata:
  name: foo
spec:
  serviceAccountName: foo
  automountServiceAccountToken: false
  #…
```
### DEMO [<i class="fa fa-comment-code"></i>](https://github.com/nicholasdille/container-slides/blob/master/120_kubernetes/rbac/service_account.demo "service_account.demo")
---
## Prevent token mounting 2/2
Don't want the token of a service account to be mounted by any pod using it?
```yaml [2,5]
apiVersion: v1
kind: ServiceAccount
metadata:
  name: foo
automountServiceAccountToken: false
```
Can be overridden in the pod spec (the pod setting takes precedence over the service account setting):
```yaml [2,6]
apiVersion: v1
kind: Pod
metadata:
  name: foo
spec:
  serviceAccountName: foo
  automountServiceAccountToken: true
```
### DEMO [<i class="fa fa-comment-code"></i>](https://github.com/nicholasdille/container-slides/blob/master/120_kubernetes/rbac/service_account.demo "service_account.demo")
---
## Accessing the Kubernetes API<br/>from pods
Some services require specific permissions
Use RBAC to grant only the permissions actually required (least privilege)
Locate the Kubernetes API using the environment variables injected into every pod (the same endpoint is also reachable as kubernetes.default.svc):
```bash
$ printenv | grep KUBERNETES_ | sort
#...
KUBERNETES_SERVICE_HOST=10.96.0.1
KUBERNETES_SERVICE_PORT=443
KUBERNETES_SERVICE_PORT_HTTPS=443
```
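As an added example (not from the original slides), a script a pod can run to call the API with the automounted credentials: it builds the server URL from the environment variables above, verifies TLS against the mounted cluster CA, and asks the API server via a SelfSubjectAccessReview what the service account may do before issuing a real request. It assumes the default mount path /var/run/secrets/kubernetes.io/serviceaccount and that curl is present in the image; the network calls only run when the token file exists, so the helper functions can also be exercised outside a cluster.

```bash
#!/usr/bin/env bash
# Added example: call the Kubernetes API from inside a pod with the automounted
# service account token. Assumes curl is available in the image and the default
# mount path below (both assumptions, not taken from the original slides).
set -eu

SA_DIR="${SA_DIR:-/var/run/secrets/kubernetes.io/serviceaccount}"

# Base URL of the API server, built from the variables every pod receives.
api_base_url() {
  printf 'https://%s:%s' "${KUBERNETES_SERVICE_HOST:?not running in a pod}" \
    "${KUBERNETES_SERVICE_PORT_HTTPS:-443}"
}

# JSON body for a SelfSubjectAccessReview: "may the caller <verb> <resource> in <namespace>?"
# Lets a workload check its RBAC permissions before acting instead of probing with real requests.
ssar_body() {
  printf '{"apiVersion":"authorization.k8s.io/v1","kind":"SelfSubjectAccessReview","spec":{"resourceAttributes":{"namespace":"%s","verb":"%s","resource":"%s"}}}' \
    "$1" "$2" "$3"
}

# Authenticated request: bearer token from the mount, server verified against the cluster CA.
# Never use --insecure here; the CA bundle is mounted precisely so that TLS can be verified.
api_call() {
  method="$1"; path="$2"; body="${3:-}"
  token=$(cat "$SA_DIR/token")
  curl --silent --show-error --cacert "$SA_DIR/ca.crt" \
    -H "Authorization: Bearer $token" -H 'Content-Type: application/json' \
    -X "$method" ${body:+--data "$body"} \
    -w '\nHTTP %{http_code}\n' "$(api_base_url)$path"
}

# Only talk to the API when the token is actually mounted (i.e. inside a pod).
if [ -r "$SA_DIR/token" ]; then
  ns=$(cat "$SA_DIR/namespace")
  # Ask before acting: does this service account have 'list pods' in its namespace?
  # Creating the review is always permitted; the answer is in status.allowed
  # (false for the default service account, which has no (Cluster)RoleBinding).
  api_call POST /apis/authorization.k8s.io/v1/selfsubjectaccessreviews "$(ssar_body "$ns" list pods)"
  # The real request: returns HTTP 403 unless RBAC grants list on pods.
  api_call GET "/api/v1/namespaces/$ns/pods"
fi
```

Run it inside a pod whose service account has been bound to a Role allowing `list` on `pods` to see `allowed: true` followed by the pod list; with the default service account both the review and the list make the missing permission visible without guessing.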
Since Kubernetes 1.24, service accounts are created without a corresponding Secret
Automounted service account tokens are always short-lived projected tokens, bound to the pod and refreshed by the kubelet
Create a special Secret to obtain a long-lived (non-expiring) token; treat it like a password and prefer short-lived tokens wherever possible:
```bash [1-2,4,7-9]
kubectl create sa foo
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Secret
metadata:
  name: foo-token
  annotations:
    kubernetes.io/service-account.name: foo
type: kubernetes.io/service-account-token
EOF
```
### Demo [<i class="fa fa-comment-code"></i>](https://github.com/nicholasdille/container-slides/blob/master/120_kubernetes/rbac/service_account.demo "service_account.demo")
---
## Deleting a service account
![](120_kubernetes/rbac/recovery.drawio.svg) <!-- .element: style="float: right; width: 15%;" -->
Access to the Kubernetes API stops working immediately: tokens of a deleted service account are rejected
The credentials remain accessible inside the pod (the mount is not removed), but are now useless
### Recovery is not easy
Not enough to create a new service account with the same name
The issued token is bound to the UID of the deleted service account, so it does not validate for the new one
A restart of the pod is required to obtain a token for the new service account
---
## Short-lived tokens
Avoid long-lived tokens
Create short-lived tokens on demand [](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#manually-create-an-api-token-for-a-serviceaccount)
```bash
kubectl create token <sa>
```
Specify the lifetime of the token:
```bash
kubectl create token <sa> --duration 1h
```
Bind the lifetime of the token to another object (the token becomes invalid as soon as that object is deleted):
```bash
kubectl create token <sa> \
  --bound-object-kind <kind> \
  --bound-object-name <name>
```
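The difference between the Secret-based long-lived token above and the short-lived tokens from `kubectl create token` is visible in the token's own claims. As an added example that is not part of the original slides, the script below decodes a JWT payload and classifies a token as bound (has `exp` and a `kubernetes.io` binding) or legacy long-lived (no expiry). The two sample tokens are constructed inline with a dummy signature to mirror the claim layout of each kind; they are not real cluster tokens, and the helper performs no signature verification, so it is for inspection only.

```bash
#!/usr/bin/env bash
# Added example: decode the claims of a service account token to see whether it
# is a bound, expiring token or a legacy long-lived one. The sample tokens below
# are constructed here (signature is a dummy) and are not real cluster tokens.
set -eu

# base64url-encode stdin without padding (helper used only to build the samples).
b64url() { base64 | tr -d '=\n' | tr '+/' '-_'; }

# Print the decoded JSON payload (second segment) of a JWT. No signature check:
# this is for inspection only, never for making authorization decisions.
jwt_payload() {
  p=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  case $(( ${#p} % 4 )) in
    2) p="$p==" ;;
    3) p="$p=" ;;
  esac
  printf '%s' "$p" | base64 -d
}

# Return 0 if the token carries the given top-level claim name, 1 otherwise.
jwt_has_claim() { jwt_payload "$1" | grep -q "\"$2\":"; }

# Classify: bound tokens (kubectl create token, automounted projected tokens) carry
# exp and a kubernetes.io binding object; legacy Secret-based tokens never expire.
token_kind() {
  if jwt_has_claim "$1" exp && jwt_has_claim "$1" kubernetes.io; then
    echo bound
  else
    echo legacy-long-lived
  fi
}

HEADER=$(printf '{"alg":"RS256","kid":"demo"}' | b64url)

# Constructed sample 1: claim layout of a token bound to pod "bar", as issued by
# `kubectl create token foo --bound-object-kind Pod --bound-object-name bar`
BOUND_PAYLOAD='{"aud":["https://kubernetes.default.svc"],"exp":1700003600,"iat":1700000000,"iss":"https://kubernetes.default.svc","kubernetes.io":{"namespace":"default","pod":{"name":"bar","uid":"11111111-1111-1111-1111-111111111111"},"serviceaccount":{"name":"foo","uid":"22222222-2222-2222-2222-222222222222"}},"sub":"system:serviceaccount:default:foo"}'
BOUND_TOKEN="$HEADER.$(printf '%s' "$BOUND_PAYLOAD" | b64url).c2ln"

# Constructed sample 2: claim layout of a legacy token stored in a
# kubernetes.io/service-account-token Secret (note: no exp claim at all)
LEGACY_PAYLOAD='{"iss":"kubernetes/serviceaccount","kubernetes.io/serviceaccount/namespace":"default","kubernetes.io/serviceaccount/secret.name":"foo-token","kubernetes.io/serviceaccount/service-account.name":"foo","sub":"system:serviceaccount:default:foo"}'
LEGACY_TOKEN="$HEADER.$(printf '%s' "$LEGACY_PAYLOAD" | b64url).c2ln"

# On a real cluster: token_kind "$(kubectl create token foo --duration 10m)"
echo "bound sample:  $(token_kind "$BOUND_TOKEN")"
echo "legacy sample: $(token_kind "$LEGACY_TOKEN")"
```

Pipe any token you find in a pod or a Secret through `jwt_payload` to read its `exp`, audience and binding; a token without `exp` is a standing credential that only revocation of the Secret or service account can invalidate.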
Image pull secrets are usually added to the pod spec
Alternatively, add image pull secret(s) to the service account:
```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: foo
imagePullSecrets:
  - name: my-reg-secret-name
```
Create a pod that uses the service account and check that the secret was injected:
```bash
kubectl get pod bar -o=jsonpath='{.spec.imagePullSecrets[0].name}{"\n"}'
```
Works regardless of automountServiceAccountToken
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: foo
spec:
  containers:
    - name: foo
      image: nginx
      env:
        - name: MY_NODE_NAME
          valueFrom:
            fieldRef:
              fieldPath: spec.nodeName
        - name: MY_POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: MY_POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
```
Use field references (fieldRef) to expose pod information in environment variables
Also supports resourceFieldRef to access resource requests and limits
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: bar
  labels:
    app: demo
    components: frontend
    version: "1"
spec:
  containers:
    - name: bar
      image: nginx
      volumeMounts:
        - name: podinfo
          mountPath: /etc/podinfo
  volumes:
    - name: podinfo
      downwardAPI:
        items:
          - path: "labels"
            fieldRef:
              fieldPath: metadata.labels
```
Use the downward API to expose pod information as files
A volume of type downwardAPI provides pod information (here the labels, readable at /etc/podinfo/labels)