Saurabh Adhau's Blog

Service Accounts in Kubernetes

Saurabh Adhau's photo
Saurabh Adhau
·

4 min read

Service Accounts in Kubernetes

Table of contents

Introduction

Service Accounts in Kubernetes are special accounts designed for processes running in pods. They provide a mechanism for assigning and managing permissions for these processes, enabling them to interact with the Kubernetes API securely. Unlike user accounts, which are intended for human users, service accounts are meant for applications, workloads, or services within the cluster.

Components of a Service Account

  1. Service Account Resource

  2. Secrets

  3. Role-Based Access Control (RBAC)

Service Account Resource

A Service Account is a Kubernetes resource that can be created and managed using YAML files or kubectl commands. Each service account is associated with a set of credentials stored in Secrets, which are used by pods to authenticate to the Kubernetes API.

Creating a Service Account

You can create a service account using a YAML definition or kubectl. Here's an example using a YAML file:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: my-service-account
  namespace: my-namespace

Apply the YAML file with:

kubectl apply -f service-account.yaml

Alternatively, create it using kubectl:

kubectl create serviceaccount my-service-account --namespace my-namespace

Secrets

When a service account is created, Kubernetes automatically generates a secret that contains credentials (token) for the service account. This secret is then mounted into pods that use the service account, allowing them to authenticate to the Kubernetes API.

To view the secret created for a service account:

kubectl get secrets -n my-namespace

Role-Based Access Control (RBAC)

To control what a service account can do, you use RBAC policies. By creating Roles or ClusterRoles and binding them to the service account with RoleBindings or ClusterRoleBindings, you define the permissions granted to the service account.

Creating a Role and RoleBinding

Create a Role that allows read-only access to pods:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: my-namespace
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]

Create a RoleBinding to bind the Role to the service account:

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods-binding
  namespace: my-namespace
subjects:
- kind: ServiceAccount
  name: my-service-account
  namespace: my-namespace
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io

Apply the YAML files with:

kubectl apply -f role.yaml
kubectl apply -f rolebinding.yaml

Using Service Accounts in Pods

To use a service account in a pod, you specify the service account in the pod's specification. Kubernetes will automatically mount the secret containing the service account's token into the pod, allowing it to authenticate to the Kubernetes API.

Example Pod Definition

apiVersion: v1
kind: Pod
metadata:
  name: my-pod
  namespace: my-namespace
spec:
  serviceAccountName: my-service-account
  containers:
  - name: my-container
    image: nginx

Apply the pod definition with:

kubectl apply -f pod.yaml

Use Cases for Service Accounts

  1. Application Authentication: Service accounts allow applications running in pods to authenticate to the Kubernetes API securely. This is useful for applications that need to interact with Kubernetes resources, such as controllers or operators.

  2. CI/CD Pipelines: Service accounts can be used in CI/CD pipelines to perform tasks such as deploying applications, managing resources, or running tests against the Kubernetes cluster.

  3. Monitoring and Logging: Monitoring and logging agents running in pods can use service accounts to read metrics and logs from the Kubernetes API.

  4. Multi-Tenancy: In multi-tenant environments, service accounts help isolate tenants by assigning different permissions to different service accounts, ensuring that tenants can only access their own resources.

Benefits of Service Accounts

  • Security: Service accounts provide a secure way to manage and authenticate applications running in pods. By using tokens and RBAC, you can enforce fine-grained access control policies.

  • Isolation: Service accounts help isolate workloads and tenants by providing separate credentials and permissions for different applications or services.

  • Flexibility: Service accounts can be easily created, managed, and assigned different roles and permissions, providing flexibility in managing access to Kubernetes resources.

Conclusion

Service accounts are a fundamental component of Kubernetes security and access control. By understanding and utilizing service accounts, you can ensure that applications running in your cluster have the appropriate level of access to the Kubernetes API, enhancing both security and functionality. Whether for application authentication, CI/CD pipelines, monitoring, or multi-tenancy, service accounts provide a robust mechanism for managing permissions and interactions within your Kubernetes environment.

service account Kubernetesk8sDevopsDevops articlesDevOps Journey#DevopscommunityDevOps trendsDevOps tools