Prerequisites
kubectl create -f mypod-sa.yaml.
kubectl get pods
kubectl exec -it mypod-sa -- /bin/bash
TOKEN=`cat var/run/secret/kubernetes.io/serviceaccount/token` curl https://Kubernetescluster -k --header "Authorization: Bearer $TOKEN"
Every Service account will be associated with a secret which is the older Kubernetes model it was automatic but now that will be hidden in the latest Kubernetes 1.22 onwards. I'm working on the Kubernetes 1.25 version let's see how it will be now. here I am working on the KillerCoda builtin Kubernetes cluster. I would like to create a ServiceAccount and for it Secret object then that will be used to run a deployment, which is the common requirment in most of the real time projects.
Now I will create a custom serviceaccount, which will be more privileaged to work with deployments.
kubectl create serviceaccount vt-deploy-sa --dry-run=client -o yaml kubectl create serviceaccount vt-deploy-sa --dry-run=client -o yaml > vt-deploy-sa.yaml #Before running creating sa kubectl get serviceaccounts kubectl create -f vt-deploy-sa.yaml #Confirm it kubectl get serviceaccounts kubectl describe sa vt-deploy-saHere important rule you need to understand is, One Pod can have one serviceaccount. But in reverse to this, One serviceaccount can be attached with multiple Pods. Let's examine the default serviceaccount what authorized to do?
kubectl auth can-i create pods --as=system:serviceaccount:default:defaultto understand depth of the above command check about default serviceaccount used --as option with system:serviceaccount:NAMESPACE:SERVICEACCOUNTNAME
When we create our custom serviceaccount we can define our own policy that could be telling what could be done such as list, create, delete etc actions. And that is needs a mapping which is done by Role and RoleBindings. Role is where I am allowed to define the policies for user,group,serviceaccount which it is about to bind. Then I am going to create the RoleBinding which will actually bind the serviceaccount with the Role which have policies.
kubectl create role deploy-admin --verb=create,list,get,delete --resource=deploymentsHere deploy-admin role is defined with create,list,get, delete actions on the deployment objects.
kubectl create rolebinding deploy-rb --role=deploy-admin --serviceaccount=default:vt-deploy-sahere serviceaccont is defined with the namespace followed by custom serviceaccont. Now let's try the deployment with serviceaccount.
kubectl create deploy webapp --image=tomcat \ --replicas=4 --dry-run=client -o yaml > webapp-deploy.yaml vi webapp-deploy.yaml # removed null word containing lines apiVersion: apps/v1 kind: Deployment metadata: name: webapp spec: replicas: 4 selector: matchLabels: app: webapp template: metadata: labels: app: webapp spec: serviceAccountName: vt-deploy-sa containers: - image: tomcat name: tomcat # Create deployment kubectl create -f webapp-deploy.yaml # list the deploy with default and then custom serviceaccount kubectl get deploy --as=system:serviceaccount:default:default kubectl get deploy --as=system:serviceaccount:default:vt-deploy-saNow you ccan observe the difference between default serviceaccount vs custom serviceaccount capabilities.