본문 바로가기
IT 잡지식/DevOps

[CKA] KodeKloud - Service Account

by 쯀리♥️ 2024. 7. 20.

안녕하세요, 쯀리입니다.

오늘은 Service Account을 배워보겠습니다. 

https://kubernetes.io/docs/concepts/security/service-accounts/

 

Service Accounts

Learn about ServiceAccount objects in Kubernetes.

kubernetes.io

https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/

 

Configure Service Accounts for Pods

Kubernetes offers two distinct ways for clients that run within your cluster, or that otherwise have a relationship to your cluster's control plane to authenticate to the API server. A service account provides an identity for processes that run in a Pod, a

kubernetes.io

 


 

Service Account

Service Account는 클러스터 내의 애플리케이션(파드)에게 인증 정보를 제공하는 특별한 유형의 계정입니다. Service Account를 사용하면 애플리케이션이 클러스터 리소스에 접근할 수 있는 권한을 부여할 수 있습니다.

 

  • Service Account란?: 클러스터 내 애플리케이션에게 인증 정보를 제공하는 계정.
  • Service Account 생성: YAML 파일 또는 kubectl 명령어를 사용하여 생성.
  • Pod에 Service Account 할당: 파드 사양에서 serviceAccountName 필드로 할당.
  • Service Account 권한 부여 (RBAC): Role 또는 ClusterRole을 생성하고, 이를 RoleBinding 또는 ClusterRoleBinding으로 Service Account에 바인딩.
  • Service Account 토큰 사용: 파드 파일 시스템에 마운트된 토큰을 사용하여 API 서버에 접근.
  • Service Account와 Secrets: 자동 생성된 Secret을 통해 토큰 관리.

 

 

 


Quiz.

1. How many Service Accounts exist in the default namespace?

controlplane ~ ➜  k get serviceaccounts 
NAME      SECRETS   AGE
default   0         9m2s
dev       0         50s

2. What is the secret token used by the default service account?

controlplane ~ ➜  k describe serviceaccounts default
Name:                default
Namespace:           default
Labels:              <none>
Annotations:         <none>
Image pull secrets:  <none>
Mountable secrets:   <none>
Tokens:              <none>
Events:              <none>

 

3. We just deployed the Dashboard application. Inspect the deployment. What is the image used by the deployment?

controlplane ~ ➜  k get deploy
NAME            READY   UP-TO-DATE   AVAILABLE   AGE
web-dashboard   1/1     1            1           86s

controlplane ~ ✖ k describe deploy web-dashboard
Name:                   web-dashboard
...
  Containers:
   web-dashboard:
    Image:      gcr.io/kodekloud/customimage/my-kubernetes-dashboard

gcr.io/kodekloud/customimage/my-kubernetes-dashboard

 

4. Wait for the deployment to be ready. Access the custom-dashboard by clicking on the link to dashboard portal.

 

5. What is the state of the dashboard? Have the pod details loaded successfully?

Failed입니다.

6. What type of account does the Dashboard application use to query the Kubernetes API?

ServiceAccount

7. Which account does the Dashboard application use to query the Kubernetes API?

Default

8. Inspect the Dashboard Application POD and identify the Service Account mounted on it.

controlplane ~ ➜  k describe po web-dashboard-6cbbc88b59-vs4jr | grep Service
Service Account:  default

9. At what location is the ServiceAccount credentials available within the pod?

controlplane ~ ➜  k describe po web-dashboard-6cbbc88b59-vs4jr
Name:             web-dashboard-6cbbc88b59-vs4jr
...
Mounts:
      /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-tvqkn (ro)

/var/run/secrets/

10 . The application needs a ServiceAccount with the Right permissions to be created to authenticate to Kubernetes. The default ServiceAccount has limited access. Create a new ServiceAccount named dashboard-sa.

controlplane ~ ➜  vi dashboard-sa.yaml 
apiVersion: v1
kind: ServiceAccount
metadata:
  annotations:
    kubernetes.io/enforce-mountable-secrets: "true"
  name: dashboard-sa

controlplane ~ ➜  k apply -f dashboard-sa.yaml 
serviceaccount/dashboard-sa created

controlplane ~ ➜  k get serviceaccount
NAME           SECRETS   AGE
default        0         27m
dev            0         19m
dashboard-sa   0         11s

 

11. We just added additional permissions for the newly created dashboard-sa account using RBAC.

If you are interested checkout the files used to configure RBAC at /var/rbac. We will discuss RBAC in a separate section.

controlplane /var/rbac ✖ cat dashboard-sa-role-binding.yaml 
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-pods
  namespace: default
subjects:
- kind: ServiceAccount
  name: dashboard-sa # Name is case sensitive
  namespace: default
roleRef:
  kind: Role #this must be Role or ClusterRole
  name: pod-reader # this must match the name of the Role or ClusterRole you wish to bind to
  apiGroup: rbac.authorization.k8s.io
  
  controlplane /var/rbac ✖ cat pod-reader-role.yaml 
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: pod-reader
rules:
- apiGroups:
  - ''
  resources:
  - pods
  verbs:
  - get
  - watch
  - list

 

12. Enter the access token in the UI of the dashboard application. Click Load Dashboard button to load Dashboard
Create an authorization token for the newly created service account, copy the generated token and paste it into the token field of the UI.

To do this, run kubectl create token dashboard-sa for the dashboard-sa service account, copy the token and paste it in the UI.

controlplane ~ ➜  kubectl create token dashboard-sa 
eyJhbGciOiJSUzI1NiIsImtpZCI6IjQ0YU5MX05WOGtGbkV5cFN1TEo1NlN2ekxXVHFhc2QwcFQ0emVYRDRVNDgifQ.eyJhdWQiOlsiaHR0cHM6Ly9rdWJlcm5ldGVzLmRlZmF1bHQuc3ZjLmNsdXN0ZXIubG9jYWwiLCJrM3MiXSwiZXhwIjoxNzIxNDA4NzAzLCJpYXQiOjE3MjE0MDUxMDMsImlzcyI6Imh0dHBzOi8va3ViZXJuZXRlcy5kZWZhdWx0LnN2Yy5jbHVzdGVyLmxvY2FsIiwianRpIjoiOGQ0YjY3M2ItYzA4NC00YWUzLWJlYTUtNDE2ODRjYWM1YjYyIiwia3ViZXJuZXRlcy5pbyI6eyJuYW1lc3BhY2UiOiJkZWZhdWx0Iiwic2VydmljZWFjY291bnQiOnsibmFtZSI6ImRhc2hib2FyZC1zYSIsInVpZCI6IjlhZjJiMGM1LTVlZjItNDJkYS1hOTZiLTQ0OTRlNWRlYWQyMiJ9fSwibmJmIjoxNzIxNDA1MTAzLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6ZGVmYXVsdDpkYXNoYm9hcmQtc2EifQ.n0C2akwT4cr8ITh1lF2k5cct9uWMOyivTcvASHmnNxqypUQEuQ6S-8YtxXqH5JitqvQEkYSFxeiQs_QAy0eGoQZjjyqbQUXObwVzDu1HvLtPwdlsC0zasjLj-skWvrhSkjcqF4wAK-luS_U01XorwfmPL2b6ruGP35rEjkk18Ft50QpPNVTXIU5mmV5YXduUspM5uGmeVsDI8I5bYlPbdePIYXm-vpc87e2Voq05E3Rnj1Fbf9yuxoHp6JuZAU0tD2_fe37DZJyXAtgbNNR7M8GDa9Sg8iLX-7lHYWyeC3vSxdJAuU9stwaK-POzlIcgR-lONM_fopwtn6mKH-Rh9A

 

13. You shouldn't have to copy and paste the token each time. The Dashboard application is programmed to read token from the secret mount location. However currently, the default service account is mounted. Update the deployment to use the newly created ServiceAccount

Edit the deployment to change ServiceAccount from default to dashboard-sa.

Deployment name: web-dashboard
Service Account: dashboard-sa
Deployment Ready
controlplane ~ ➜  k get deploy
NAME            READY   UP-TO-DATE   AVAILABLE   AGE
web-dashboard   1/1     1            1           20m

controlplane ~ ➜  kubectl set serviceaccount deploy/web-dashboard dashboard-sa
deployment.apps/web-dashboard serviceaccount updated

 

14.

Refresh the Dashboard application UI and you should now see the PODs listed automatically.

This time you shouldn't have to put in the token manually.

에러 없이 자동으로 토큰이 자동으로 추가되는 것을 확인 할 수 있습니다. 

 


 

 


참조

 Udemy Labs - Certified Kubernetes Administrator with Practice Tests

'IT 잡지식 > DevOps' 카테고리의 다른 글

[CKA] KodeKloud - Security Contexts  (0) 2024.07.24
[CKA] KodeKloud - Image Security  (0) 2024.07.20
[CKA] KodeKloud - Cluster Roles  (0) 2024.07.20
[CKA] KodeKloud -Role Based Access Controls  (0) 2024.07.19
[CKA] KodeKloud - KubeConfig  (0) 2024.07.18