• k8s
• StudyNotes
• ServiceAccounts

k8s/StudyNotes/ServiceAccounts

• used by e.g. Prometheus, Jenkins

• create

  kubectl create serviceaccount dashboard-sa
  kubectl get serviceaccount 

• Service acount obj, creates tokens in secrets that can be mounted and used by services.
  • External - export service account token
  • Internal - mount token in pod

• Token can be used in curl e.g.

  curl https://192.168.56.71:6443/api -insecure --header "Authorization: Bearer eyJ...

• Each namespace had it's own default serviceaccount, very limited, mounted to each pod automatically.

  $ kubectl describe pod my-k8s-pod
  ...
  Mounts:
    /var/run/secrets/kubernetes.io/serviceaccount from default-token-j4hkv (ro)
  ... 
  Volumes
    default-token-j4hkv:
      SecretName: default-token-j4hkv
  ...

• the volume mount, will create 3 files, ca.crt, namespace, token

• defaultservice account can be replaced by specifying serviceAccountName: in pod definition

  • can disable defaultservice auto mount with automountServiceAccountToken: false