In Kubernetes, there are two kinds of account: service accounts and user accounts. Every request to the API server is made either by a service account or by a user account. Service accounts are Kubernetes objects, created and managed through the Kubernetes API. User accounts, in contrast, are neither managed nor stored in Kubernetes; they are defined by whatever authentication mechanism sits in front of the API server (client certificates, OIDC tokens, static token files, and so on). The following is a simple comparison of service and user accounts:
| | Service account | User account |
|---|---|---|
| Scope | Namespaced | Global |
| Used by | Processes (pods) | Normal users |
| Created by | API server or via API calls | Administrators, not by API calls |
| Managed by | API server | Outside the cluster |
By default, a Kubernetes cluster creates a number of service accounts for its own components and for each namespace. On a GKE cluster, for example, the following service accounts already exist:
```
// list service accounts across all namespaces
# kubectl get serviceaccount --all-namespaces
NAMESPACE     NAME                         SECRETS   AGE
default       default                      1         5d
kube-public   default                      1         5d
kube-system   namespace-controller         1         5d
kube-system   resourcequota-controller     1         5d
kube-system   service-account-controller   1         5d
kube-system   service-controller           1         5d
chapter5      default                      1         2h
...
```
Kubernetes creates a service account named default in every namespace; it is used by any pod whose specification does not name a service account. Let's take a look at what the default service account looks like (without -n, kubectl describes the one in the current namespace; add -n chapter5 to inspect the chapter5 namespace's copy):
```
# kubectl describe serviceaccount/default
Name:                default
Namespace:           default
Labels:              <none>
Annotations:         <none>
Image pull secrets:  <none>
Mountable secrets:   default-token-52qnr
Tokens:              default-token-52qnr
Events:              <none>
```
We can see that the service account object itself holds no credential; it references a secret (default-token-52qnr here), which is listed both as a mountable secret and as its token. Let's dig into what is inside that secret:
```
// describe the secret, the name is default-token-52qnr here
# kubectl describe secret default-token-52qnr
Name:         default-token-52qnr
Namespace:    chapter5
Annotations:  kubernetes.io/service-account.name: default
              kubernetes.io/service-account.uid: 6bc2f108-dae5-11e8-b6f4-42010a8a0244
Type:         kubernetes.io/service-account-token
Data
====
ca.crt:     # the public CA certificate of the API server
namespace:  # the namespace this service account belongs to
token:      # the bearer token, a JWT signed with the API server's service-account key
```
Note that kubectl describe prints only the size of each data value; to see the values themselves use kubectl get secret default-token-52qnr -o yaml, where each field is base64-encoded.
Unless automountServiceAccountToken is set to false on the pod or on the service account, this secret is mounted into every container of the pod under the /var/run/secrets/kubernetes.io/serviceaccount directory. When a process in the pod calls the API server, it uses ca.crt to verify the API server's TLS certificate and sends the token in an Authorization: Bearer header; the API server validates the token's signature and resolves it to the service account it names, so the request is then authorized as system:serviceaccount:<namespace>:<name>. The CA certificate does not authenticate the pod; only the token does, which is why anyone who can read the secret or the mounted file can act as that service account. Since Kubernetes 1.24, token secrets like this one are no longer created automatically: pods instead receive a short-lived, audience-bound token through a projected volume, at the same mount path and used in the same way.
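To make the mechanics concrete, here is an added example (not code from the original page or from Kubernetes itself) that decodes such a token secret as kubectl get -o json returns it, inspects the claims inside the legacy JWT, and assembles the request a pod makes with the mounted files. The secret, the CA placeholder and the token are constructed sample data (the token carries the legacy signer's claim names but a fake signature); the in-cluster hostname kubernetes.default.svc and the example request path are the standard ones but are assumptions as far as this page goes.

```python
# Added example (not from the original page): decode a legacy
# kubernetes.io/service-account-token Secret the way a pod or an
# operator would, then show how the mounted files turn into an API call.
# The Secret below is constructed to mirror `kubectl get secret
# default-token-52qnr -o json`; its token is a hand-built JWT with the
# legacy signer's claim names and a fake signature, so this runs offline.
import base64
import json

SA_MOUNT = "/var/run/secrets/kubernetes.io/serviceaccount"
# Assumed in-cluster service DNS name for the API server (resolvable from a pod).
API_HOST = "https://kubernetes.default.svc"


def _b64url_encode(raw: bytes) -> str:
    """JWT segments use unpadded base64url."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))


def make_sample_token(namespace: str, sa_name: str, secret_name: str, sa_uid: str) -> str:
    """Build an UNSIGNED stand-in for a legacy service-account JWT (constructed data)."""
    header = {"alg": "RS256", "typ": "JWT"}
    claims = {
        "iss": "kubernetes/serviceaccount",
        "kubernetes.io/serviceaccount/namespace": namespace,
        "kubernetes.io/serviceaccount/secret.name": secret_name,
        "kubernetes.io/serviceaccount/service-account.name": sa_name,
        "kubernetes.io/serviceaccount/service-account.uid": sa_uid,
        "sub": f"system:serviceaccount:{namespace}:{sa_name}",
    }
    return ".".join([
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()),
        _b64url_encode(b"fake-signature-not-verifiable"),
    ])


# Constructed CA stand-in; a real ca.crt is the cluster CA's PEM certificate.
SAMPLE_CA_PEM = "-----BEGIN CERTIFICATE-----\nMIIB...constructed...\n-----END CERTIFICATE-----\n"

# Constructed copy of what `kubectl get secret default-token-52qnr -o json` returns.
SAMPLE_SECRET = {
    "apiVersion": "v1",
    "kind": "Secret",
    "metadata": {
        "name": "default-token-52qnr",
        "namespace": "chapter5",
        "annotations": {
            "kubernetes.io/service-account.name": "default",
            "kubernetes.io/service-account.uid": "6bc2f108-dae5-11e8-b6f4-42010a8a0244",
        },
    },
    "type": "kubernetes.io/service-account-token",
    "data": {  # Secret data fields are standard (padded) base64
        "ca.crt": base64.b64encode(SAMPLE_CA_PEM.encode()).decode(),
        "namespace": base64.b64encode(b"chapter5").decode(),
        "token": base64.b64encode(make_sample_token(
            "chapter5", "default", "default-token-52qnr",
            "6bc2f108-dae5-11e8-b6f4-42010a8a0244").encode()).decode(),
    },
}


def decode_sa_secret(secret: dict) -> dict:
    """Return the three files kubelet writes under SA_MOUNT, decoded from the Secret."""
    if secret.get("type") != "kubernetes.io/service-account-token":
        raise ValueError(f"not a service-account token secret: {secret.get('type')}")
    data = secret["data"]
    return {name: base64.b64decode(data[name]).decode() for name in ("ca.crt", "namespace", "token")}


def token_claims(token: str) -> dict:
    """Parse the JWT payload for inspection only. The signature is NOT checked here;
    only the API server, which holds the signing key, can verify it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def build_api_request(files: dict, api_host: str = API_HOST) -> dict:
    """What a process in the pod does with the mounted files: trust the API server
    via ca.crt, authenticate with the bearer token, scope the call to its namespace."""
    ns = files["namespace"]
    return {
        "method": "GET",
        "url": f"{api_host}/api/v1/namespaces/{ns}/pods",
        "headers": {"Authorization": f"Bearer {files['token']}"},
        "cacert": f"{SA_MOUNT}/ca.crt",  # verifies the server, not the client
    }


if __name__ == "__main__":
    files = decode_sa_secret(SAMPLE_SECRET)
    claims = token_claims(files["token"])
    print("token subject:", claims["sub"])  # system:serviceaccount:chapter5:default
    req = build_api_request(files)
    print("curl --cacert", req["cacert"], "-H 'Authorization: Bearer ...'", req["url"])
```

The sub claim is the identity RBAC binds roles to, which is why a leaked token file is as good as the service account it belongs to; whether the GET above succeeds depends on what roles are bound to system:serviceaccount:chapter5:default, not on the token alone.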