Prerequisites
Kubernetes cluster Up and running
Let's take the scenario where we get need to connect with the pods, nodes, deployments and other resources in the Kubernetes cluster. you might be working with the automated build with the CICD pipelines to interconnect with each other resources. Pod is going to work with the planned application deployments.
If you're working in DevSecOps you need to focus on the regular monthly maintenance OS patching scheduled in this case Kubernetes node maintenance should be done from a pod.
In the above two scenarios there is a need of service account inside the pod. When Kubernetes cluster is created at the same time service account also created and its name is default. We can also create our own service accounts using the following command
Every service account is associated with the secret where service account name is as first part for the secret name followed by token word will be makes it. Example default account has secret as default-token-****.
Here I am going to work in a pod which needs authentication using the service account which created by me. To make this happen need to add a line in the pod definition, under spec section add line as serviceAccount followed by its value. Proceed to create a testing pod.
kubectl create -f mypod-sa.yaml.
To know what Pods are running in this cluster run
kubectl get pods
Let's go head and see description of pod. Inside the Pod there is a volumeMount configured and it is accessible in specific path of container.
kubectl exec -it mypod-sa -- /bin/bash
Inside the pod
ls -lrt /var/run/secret/kubernetes.io/serviceaccount
Here we can see the namespace, token, and certificates file.
TOKEN=`cat var/run/secret/kubernetes.io/serviceaccount/token` curl https://Kubernetescluster -k --header "Authorization: Bearer $TOKEN"
Just this may be failed. This particular service account which is present in the pod. This cannot have the permissions so the other message saying reason as forbidden.
Now what I am going to do investigate why that is having the permission issue. We need to create a role and rolebinding that associate with service account.
Now all I want to do is same commnd previously executed command from the pod as run early.
Every Service account will be associated with a secret which is the older Kubernetes model it was automatic but now that will be hidden in the latest Kubernetes 1.22 onwards. I'm working on the Kubernetes 1.25 version let's see how it will be now. here I am working on the KillerCoda builtin Kubernetes cluster. I would like to create a ServiceAccount and for it Secret object then that will be used to run a deployment, which is the common requirment in most of the real time projects.
Now I will create a custom serviceaccount, which will be more privileaged to work with deployments.
kubectl create serviceaccount vt-deploy-sa --dry-run=client -o yaml kubectl create serviceaccount vt-deploy-sa --dry-run=client -o yaml > vt-deploy-sa.yaml #Before running creating sa kubectl get serviceaccounts kubectl create -f vt-deploy-sa.yaml #Confirm it kubectl get serviceaccounts kubectl describe sa vt-deploy-saHere important rule you need to understand is, One Pod can have one serviceaccount. But in reverse to this, One serviceaccount can be attached with multiple Pods. Let's examine the default serviceaccount what authorized to do?
kubectl auth can-i create pods --as=system:serviceaccount:default:defaultto understand depth of the above command check about default serviceaccount used --as option with system:serviceaccount:NAMESPACE:SERVICEACCOUNTNAME
When we create our custom serviceaccount we can define our own policy that could be telling what could be done such as list, create, delete etc actions. And that is needs a mapping which is done by Role and RoleBindings. Role is where I am allowed to define the policies for user,group,serviceaccount which it is about to bind. Then I am going to create the RoleBinding which will actually bind the serviceaccount with the Role which have policies.
kubectl create role deploy-admin --verb=create,list,get,delete --resource=deploymentsHere deploy-admin role is defined with create,list,get, delete actions on the deployment objects.
kubectl create rolebinding deploy-rb --role=deploy-admin --serviceaccount=default:vt-deploy-sahere serviceaccont is defined with the namespace followed by custom serviceaccont. Now let's try the deployment with serviceaccount.
kubectl create deploy webapp --image=tomcat \ --replicas=4 --dry-run=client -o yaml > webapp-deploy.yaml vi webapp-deploy.yaml # removed null word containing lines apiVersion: apps/v1 kind: Deployment metadata: name: webapp spec: replicas: 4 selector: matchLabels: app: webapp template: metadata: labels: app: webapp spec: serviceAccountName: vt-deploy-sa containers: - image: tomcat name: tomcat # Create deployment kubectl create -f webapp-deploy.yaml # list the deploy with default and then custom serviceaccount kubectl get deploy --as=system:serviceaccount:default:default kubectl get deploy --as=system:serviceaccount:default:vt-deploy-saNow you ccan observe the difference between default serviceaccount vs custom serviceaccount capabilities.
No comments:
Post a Comment