Service account

In Kubernetes, there are two kinds of account: service accounts and user accounts. Every request to the API server is sent either by a service account or by a user account. Service accounts are managed by the Kubernetes API; user accounts, in contrast, are neither managed nor stored in Kubernetes. The following is a simple comparison of service and user accounts:

                 Service account                     User account
Scope            Namespaced                          Global
Used by          Processes                           Normal user
Created by       API server or via API calls         Administrators, not by API calls
Managed by       API server                          Outside the cluster

By default, a Kubernetes cluster creates different service accounts for different purposes. In GKE, there are a bunch of service accounts that have been created:

// list service accounts across all namespaces
# kubectl get serviceaccount --all-namespaces
NAMESPACE     NAME                         SECRETS   AGE
default       default                      1         5d
kube-public   default                      1         5d
kube-system   namespace-controller         1         5d
kube-system   resourcequota-controller     1         5d
kube-system   service-account-controller   1         5d
kube-system   service-controller           1         5d
chapter5      default                      1         2h
...  

Kubernetes creates a default service account in each namespace, which is used whenever no service account is specified in the pod specification at pod creation. Let's take a look at how the default service account looks for our chapter5 namespace:

# kubectl describe serviceaccount/default
Name: default
Namespace: default
Labels: <none>
Annotations: <none>
Image pull secrets: <none>
Mountable secrets: default-token-52qnr
Tokens: default-token-52qnr
Events: <none>

We can see that the service account is basically using mountable secrets as tokens. Let's dig into what content is inside the token:

// describe the secret, the name is default-token-52qnr here
# kubectl describe secret default-token-52qnr
Name:         default-token-52qnr
Namespace:    chapter5
Annotations:  kubernetes.io/service-account.name: default
              kubernetes.io/service-account.uid: 6bc2f108-dae5-11e8-b6f4-42010a8a0244
Type:         kubernetes.io/service-account-token

Data
====
ca.crt:     # the public CA of the API server. Base64 encoded.
namespace:  # the namespace associated with this service account. Base64 encoded.
token:      # bearer token. Base64 encoded.

The service account secret is automatically mounted into the pod at the /var/run/secrets/kubernetes.io/serviceaccount directory. When the pod accesses the API server, the API server checks the cert and token to authenticate the request.

Setting automountServiceAccountToken: false in the service account or in the pod specification disables the automatic mounting of the service account secret.
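The following manifests are an added example, not from the book, showing both places the setting can live: a service account in the chapter5 namespace that disables the auto-mount, a pod that simply inherits that choice, and a pod that opts back in at the pod level (the pod-level field takes precedence) because it genuinely calls the API server with the mounted ca.crt and token. The names no-token, web-no-token and api-client and the container images are assumptions.

```yaml
# Added example (not from the book). Names and images are assumed.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: no-token
  namespace: chapter5
# Default for every pod that uses this account: no token secret is mounted.
automountServiceAccountToken: false
---
apiVersion: v1
kind: Pod
metadata:
  name: web-no-token
  namespace: chapter5
spec:
  serviceAccountName: no-token
  # Nothing else is needed: the pod inherits automountServiceAccountToken: false
  # from the service account, so /var/run/secrets/kubernetes.io/serviceaccount
  # does not exist inside the container.
  containers:
  - name: web
    image: nginx:1.25
---
apiVersion: v1
kind: Pod
metadata:
  name: api-client
  namespace: chapter5
spec:
  serviceAccountName: no-token
  # The pod-level field overrides the service account's setting, so this pod
  # does get ca.crt, namespace and token mounted.
  automountServiceAccountToken: true
  containers:
  - name: client
    image: curlimages/curl:8.5.0
    # Verify the API server with ca.crt and authenticate with the bearer token,
    # which is exactly what a client library in the pod does under the hood.
    command:
    - sh
    - -c
    - |
      SA=/var/run/secrets/kubernetes.io/serviceaccount
      curl --cacert "$SA/ca.crt" \
           -H "Authorization: Bearer $(cat "$SA/token")" \
           "https://kubernetes.default.svc/api/v1/namespaces/$(cat "$SA/namespace")/pods"
```

After kubectl apply -f, kubectl exec web-no-token -n chapter5 -- ls /var/run/secrets/kubernetes.io/serviceaccount reports that the directory does not exist, while kubectl logs api-client -n chapter5 shows the API server's response (a pod list, or a 403 Forbidden if the no-token account has not been granted RBAC permission to list pods, which still proves the token authenticated).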