In Kubernetes, Service Accounts give the processes running inside pods an identity with which to authenticate to the API server; what that identity is allowed to do is granted separately through RBAC. Let's dive into the key commands and concepts related to Service Accounts.
Service Account Operations
Create a Service Account
Create a new Service Account:
kubectl create sa <sa-name>
View Service Accounts
List all Service Accounts in the current namespace:
kubectl get sa
Describe a Service Account
Get detailed information about a specific Service Account:
kubectl describe sa <sa-name>
Fetch a Token for a Service Account
On Kubernetes 1.24 and later, creating a Service Account no longer creates a long-lived token Secret for it. Request a short-lived token instead (it is signed by the API server and expires on its own; --duration bounds its lifetime):
kubectl create token <sa-name>
On older clusters, or where a legacy token Secret still exists, the Secret name is listed in the describe output:
kubectl describe sa <sa-name> # lists the associated secret name
kubectl describe secret <secret-name> # shows the token stored in the secret
Treat a legacy Secret token like any other static credential: it never expires and remains valid until the Secret is deleted.
Create a Pod with a Service Account
Generate a pod manifest, set the Service Account in it, and apply it:
kubectl run nginx --image=nginx --dry-run=client -o yaml > pod.yaml
# add spec.serviceAccountName: myuser to pod.yaml, then:
kubectl apply -f pod.yaml
(The --serviceaccount flag of kubectl run used in older tutorials was deprecated and has since been removed from kubectl; setting serviceAccountName in the manifest works on every release.)
When a pod runs with a Service Account, the kubelet mounts a projected volume at /var/run/secrets/kubernetes.io/serviceaccount containing a short-lived token bound to that specific pod, the cluster CA certificate (ca.crt) and the pod's namespace. On clusters before 1.24 this was the Service Account's token Secret mounted directly. Any process in the container can read the token, so for pods that never need to talk to the API server set automountServiceAccountToken: false on the pod or on the Service Account.
Pod-level Service Account
Specify the Service Account at the pod level:
apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  serviceAccountName: myuser
  containers:
  - name: mycontainer
    image: myimage
User vs. Service Account
A human makes requests to the API server through kubectl using the credentials in their kubeconfig (a client certificate, an OIDC token and so on); Kubernetes has no User object of its own, users are defined by whatever authenticates them.
A process running inside a container makes requests to the API server using the token of the pod's Service Account.
Both kinds of identity get their permissions the same way, through RBAC Roles and ClusterRoles bound to them with RoleBindings and ClusterRoleBindings; a new Service Account has no permissions beyond the defaults until you bind some.
Remember: the Service Account's token is injected into the pod, and serviceAccountName is set in the pod spec, either on a standalone Pod or in a Deployment's pod template.
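The token mounted into the pod is exactly what a process in the container presents to the API server. As an added example that is not part of the original post, the following Python decodes the claims of a projected Service Account token to show the identity, audience, lifetime and pod binding it carries (without verifying the signature, which only the API server can do), and assembles the pieces an in-container process uses to call the API: the bearer header, the projected ca.crt and the KUBERNETES_SERVICE_HOST/PORT variables the kubelet sets. The mount path and variable names are the standard Kubernetes ones; the function names are the example's own, and the two sample tokens are constructed and unsigned so it runs offline (inside a real pod it reads the projected token instead).

```python
"""Inspect the Service Account token projected into a pod (added example).

Decodes the JWT claims without verifying the signature: only the API server,
which holds the signing key, can verify it. The goal is to see which identity,
audience, lifetime and pod binding a token carries before it is used or shared.
"""
import base64
import json
import os
import time
from typing import Optional

# Standard projection path and subject prefix used by Kubernetes.
SA_DIR = "/var/run/secrets/kubernetes.io/serviceaccount"
SA_PREFIX = "system:serviceaccount:"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    """Return the payload claims of a JWT (no signature check, see module doc)."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def summarize(token: str, now: Optional[float] = None) -> dict:
    """What a practitioner checks before trusting a token found in a pod."""
    claims = decode_claims(token)
    now = time.time() if now is None else now
    sub = claims.get("sub", "")
    rest = sub[len(SA_PREFIX):].split(":", 1) if sub.startswith(SA_PREFIX) else []
    namespace, name = (rest + [None, None])[:2]
    aud = claims.get("aud", [])
    exp = claims.get("exp")
    return {
        "namespace": namespace,
        "service_account": name,
        "audiences": [aud] if isinstance(aud, str) else aud,
        # Only projected (bound) tokens carry the pod binding; a legacy Secret
        # token has no such claim and is accepted from any pod or machine.
        "bound_pod": claims.get("kubernetes.io", {}).get("pod", {}).get("name"),
        "expires_in_s": None if exp is None else int(exp - now),
        "expired": exp is not None and exp <= now,
        "legacy_unbounded": exp is None,  # pre-1.24 Secret tokens never expire
    }


def api_request_params(token: str, env: Optional[dict] = None) -> dict:
    """The pieces an in-container process uses to call the API server: the
    bearer token, the projected cluster CA, and the in-cluster endpoint that
    the kubelet publishes through environment variables."""
    env = dict(os.environ) if env is None else env
    host = env.get("KUBERNETES_SERVICE_HOST", "kubernetes.default.svc")
    port = env.get("KUBERNETES_SERVICE_PORT", "443")
    namespace = summarize(token)["namespace"] or "default"
    return {
        "url": f"https://{host}:{port}/api/v1/namespaces/{namespace}/pods",
        "headers": {"Authorization": f"Bearer {token.strip()}"},
        "verify": os.path.join(SA_DIR, "ca.crt"),
    }


def unsigned_jwt(claims: dict) -> str:
    """Build a constructed, unsigned sample token (empty signature segment).
    A real API server rejects alg=none; this exists only for offline inspection."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed samples: a projected token bound to pod "mypod" (one hour),
# and a legacy Secret-style token with no expiry and no pod binding.
SAMPLE_TOKEN = unsigned_jwt({
    "iss": "https://kubernetes.default.svc.cluster.local",
    "sub": "system:serviceaccount:default:myuser",
    "aud": ["https://kubernetes.default.svc"],
    "iat": 1_700_000_000, "exp": 1_700_003_600,
    "kubernetes.io": {"namespace": "default",
                      "pod": {"name": "mypod"},
                      "serviceaccount": {"name": "myuser"}},
})
LEGACY_TOKEN = unsigned_jwt({
    "iss": "kubernetes/serviceaccount",
    "sub": "system:serviceaccount:default:myuser",
    "kubernetes.io/serviceaccount/namespace": "default",
})

if __name__ == "__main__":
    path = os.path.join(SA_DIR, "token")
    # Inside a pod read the real projected token; elsewhere use the sample.
    token = open(path).read() if os.path.exists(path) else SAMPLE_TOKEN
    print(json.dumps(summarize(token), indent=2))
    print(api_request_params(token)["url"])
```

Run it inside a pod (kubectl exec) to see what the mounted identity actually is; a token that reports legacy_unbounded is a static credential from a pre-1.24 Secret and is worth rotating, and a bound_pod of None on a recent cluster means the token did not come from the projected volume.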
Harness the power of Service Accounts to enhance security and control within your Kubernetes environment.
Happy Kuberneting!