Kubernetes: Service Accounts

Claire Lee
4 min read · Mar 29, 2023


Service accounts in Kubernetes are non-human accounts that provide a unique identity for system components and application pods. They are namespaced objects within the Kubernetes API server. Every Kubernetes namespace has a default service account named default which has no special roles or privileges assigned to it. In Kubernetes versions prior to 1.24, a token was automatically generated when a service account was created and mounted in the pod’s file system. However, starting from Kubernetes 1.24, tokens are no longer generated automatically and must be obtained using the TokenRequest API or by creating a Secret API object for the token controller to populate with a service account token.


User account vs. Service account


Service accounts are a type of non-human account that provides a distinct identity for entities such as application pods and system components within a Kubernetes cluster. They are namespaced, meaning they are bound to a specific Kubernetes namespace, and can be easily managed using Kubernetes RBAC or other authorization mechanisms. Service accounts exist as objects within the Kubernetes API server.

Users are typically human beings who are authenticated and managed through external systems such as LDAP or Active Directory. While users can authenticate to Kubernetes with TLS client certificates and then be authorized, managing user identities and access control this way requires more complex infrastructure. Unlike service accounts, users are cluster-wide rather than namespaced, and they are not represented as objects within the Kubernetes API server.

Default Service Account

Every Kubernetes namespace has a default service account named default that is created automatically when the namespace is created. By default, this default ServiceAccount has no special privileges or roles assigned to it.

default service account for each namespace

If a pod is created without specifying a service account, it uses the namespace's default ServiceAccount. You can also explicitly specify the service account a pod runs as by setting the spec.serviceAccountName field in the pod's YAML manifest. For example:

pod.yaml

apiVersion: v1
kind: Pod
metadata:
  name: my-pod
spec:
  serviceAccountName: my-service-account
  containers:
  - name: my-container
    image: my-image

default and specified service account

Service Account Token

Before Kubernetes version 1.24, a ServiceAccount token Secret was automatically generated whenever a service account was created. When a pod is created, a token for its service account is automatically mounted into the pod’s filesystem, typically at /var/run/secrets/kubernetes.io/serviceaccount. Starting from Kubernetes 1.24, this process has changed: ServiceAccount token Secrets are no longer generated automatically. Instead, you use the TokenRequest API to acquire service account tokens, or create a Secret API object for the token controller to populate with a service account token.

See “Urgent Upgrade Notes” in the 1.24 changelog file:

“The LegacyServiceAccountTokenNoAutoGeneration feature gate is beta, and enabled by default. When enabled, Secret API objects containing service account tokens are no longer auto-generated for every ServiceAccount. Use the TokenRequest API to acquire service account tokens, or if a non-expiring token is required, create a Secret API object for the token controller to populate with a service account token by following this guide. (#108309, @zshihang)”
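The token types described above differ in their claims: a token issued through the TokenRequest API (what kubectl create token returns) carries an expiry and audience, while a legacy Secret-based token does not. The following is an added example, not code from the original post, that decodes a token's claims to report which service account it asserts and whether it expires; the sample tokens are constructed and unsigned, and the mounted token path from the post can be fed in the same way from inside a pod.

```python
import base64
import json

def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore padding first.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def decode_claims(token):
    """Return a JWT's payload claims WITHOUT verifying the signature.
    Only the API server can validate a token (it holds the issuer keys),
    so use this to audit what a mounted token asserts, never to accept it."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))

def describe_token(token, now):
    """Summarise the identity and lifetime a token carries; now = epoch seconds."""
    claims = decode_claims(token)
    sub, prefix = claims.get("sub", ""), "system:serviceaccount:"
    if not sub.startswith(prefix) or sub.count(":") != 3:
        raise ValueError("subject is not a service account: %r" % sub)
    namespace, name = sub[len(prefix):].split(":")
    aud, exp = claims.get("aud", []), claims.get("exp")
    return {
        "namespace": namespace,
        "serviceaccount": name,
        # TokenRequest-issued (bound) tokens carry exp and aud; the legacy
        # Secret-based tokens auto-generated before 1.24 have neither.
        "kind": "bound" if exp is not None else "legacy-secret",
        "audiences": [aud] if isinstance(aud, str) else list(aud),
        "seconds_left": None if exp is None else exp - now,
    }

def make_sample_token(claims):
    # Unsigned sample JWT for offline demonstration only (constructed, not real).
    header = _b64url_encode(json.dumps({"alg": "RS256", "kid": "sample"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return "%s.%s.%s" % (header, payload, _b64url_encode(b"not-a-real-signature"))

# Constructed claim sets modelled on the two token types described above.
BOUND_TOKEN = make_sample_token({"iss": "https://kubernetes.default.svc.cluster.local",
    "sub": "system:serviceaccount:default:my-service-account",
    "aud": ["https://kubernetes.default.svc.cluster.local"], "iat": 1680000000, "exp": 1680003600})
LEGACY_TOKEN = make_sample_token({"iss": "kubernetes/serviceaccount",
    "sub": "system:serviceaccount:default:default"})
```

Running describe_token over the tokens found in a cluster's workloads is a quick way to spot pods still relying on non-expiring legacy Secret tokens after an upgrade.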

Short Name: sa

$ kubectl api-resources
NAME              SHORTNAMES   APIVERSION   NAMESPACED   KIND
serviceaccounts   sa           v1           true         ServiceAccount

ServiceAccount with YAML

service-account.yaml

apiVersion: v1
kind: ServiceAccount
metadata:
  name: <service_account_name>
  namespace: <namespace_name>

Commands

ServiceAccount commands

1. Create a new service account in the current namespace.

$ kubectl create serviceaccount <service_account_name>

2. List all the service accounts in the current namespace.

$ kubectl get serviceaccounts

3. Retrieve detailed information about a specific service account.

$ kubectl describe serviceaccount <service_account_name>

4. Create a new token associated with the specified service account.

$ kubectl create token <service_account_name>
