Kubernetes Security Concepts: Difference between revisions
Line 9 (lines marked "+" were added in this revision; unmarked lines are unchanged context):
  =User Account=
  =Service Account=
+ {{External|https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/}}
  Processes in containers inside [[Kubernetes_Pod_and_Container_Concepts#Pods_and_Service_Accounts|pods]] can contact the API server, and they need an identity when doing so. A service account provides the identity for processes that run in a the pod. Processes will authenticate using the identity provided by the service account. By default, in absence of specific configuration, the pods will authenticate as the [[#Default_Service_Account|default service account]] in the namespace they are running in. A specific service account name can be specified in the [[Kubernetes_Pod_Manifest#serviceAccountName|pod manifest]]. Service accounts are rendered in logs using the following pattern: "system:serviceaccount:''namespace'':''account-name'' (e.g. "system:serviceaccount:blue:default).
+ <font color=darkgray>
  TODO:
  * https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/
+ </font>
  ==Default Service Account==
Revision as of 00:26, 10 August 2020
Internal
Transport Security
User Account
Service Account
Processes in containers inside pods can contact the API server, and they need an identity when doing so. A service account provides that identity: processes in the pod authenticate to the API server as the service account the pod runs as. By default, in the absence of specific configuration, pods authenticate as the default service account of the namespace they are running in. A specific service account can be selected with the serviceAccountName field of the pod manifest. The kubelet mounts the service account's token into every container of the pod (under /var/run/secrets/kubernetes.io/serviceaccount/) unless automountServiceAccountToken is set to false on the pod or on the service account, so a compromised container holds a credential valid for everything that service account is authorized to do. Service accounts appear in API server logs, and as RBAC subjects, under the username pattern "system:serviceaccount:namespace:account-name" (e.g. "system:serviceaccount:blue:default"); every such principal is also a member of the groups "system:serviceaccounts" and "system:serviceaccounts:namespace".
TODO: https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/
Default Service Account
Each namespace comes with a default service account, for example:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: default
  namespace: default
secrets:
- name: default-token-dddkl

The secrets entry references the token Secret the controller manager generated for this account. That Secret holds a long-lived bearer token, and every pod in the namespace that does not name another service account (and does not disable token mounting) receives it.
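The identity mapping described under Service Account, and the default account shown above, as an added example that is not part of the original page: a small Python script that, given parsed Pod and ServiceAccount manifests (constructed samples, embedded inline), reports which service account the pod will run as, the system:serviceaccount:namespace:name username and the two system:serviceaccounts groups under which it will show up in API server logs, and whether the token will be mounted into the containers. It also decodes the subject of a constructed, unsigned service-account JWT with the claim layout of the token found at /var/run/secrets/kubernetes.io/serviceaccount/token inside a pod. The function names and the sample manifests are assumptions for illustration, not part of any Kubernetes API.

```python
import base64
import json

SA_PREFIX = "system:serviceaccount:"


def effective_service_account(pod):
    """Name of the ServiceAccount a Pod runs as: spec.serviceAccountName,
    falling back to 'default' when the manifest does not set one."""
    return pod.get("spec", {}).get("serviceAccountName") or "default"


def api_username(namespace, sa_name):
    """Username under which the pod's processes appear in API server logs."""
    return f"{SA_PREFIX}{namespace}:{sa_name}"


def api_groups(namespace):
    """Groups every service-account principal belongs to (cluster-wide and per namespace)."""
    return ["system:serviceaccounts", f"system:serviceaccounts:{namespace}"]


def token_automounted(pod, service_account=None):
    """Whether the kubelet will mount the SA token into the pod's containers.
    The pod-level automountServiceAccountToken overrides the ServiceAccount's;
    when neither is set the token is mounted (the insecure-by-default case)."""
    spec = pod.get("spec", {})
    if "automountServiceAccountToken" in spec:
        return bool(spec["automountServiceAccountToken"])
    if service_account and "automountServiceAccountToken" in service_account:
        return bool(service_account["automountServiceAccountToken"])
    return True


def parse_principal(username):
    """Split 'system:serviceaccount:<ns>:<name>' into its parts, or return None
    for any other kind of user (a human user, a node, an anonymous request)."""
    if not username.startswith(SA_PREFIX):
        return None
    rest = username[len(SA_PREFIX):]
    if rest.count(":") != 1:
        return None
    namespace, name = rest.split(":")
    return {"namespace": namespace, "name": name}


def describe_pod(pod, service_account=None):
    """Identity the pod will present to the API server, plus whether it gets a token."""
    namespace = pod.get("metadata", {}).get("namespace", "default")
    sa_name = effective_service_account(pod)
    return {
        "username": api_username(namespace, sa_name),
        "groups": api_groups(namespace),
        "token_mounted": token_automounted(pod, service_account),
    }


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def identity_from_token(token):
    """Read the subject of a service-account JWT. This only decodes the payload and
    does NOT verify the signature: it tells you which identity the token claims,
    not whether the API server would accept it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    claims = json.loads(_b64url_decode(parts[1]))
    principal = parse_principal(claims.get("sub", ""))
    if principal is None:
        raise ValueError("token subject is not a service account")
    return {**principal, "username": claims["sub"], "groups": api_groups(principal["namespace"])}


# --- constructed sample input (hypothetical manifests, not from a real cluster) ---
POD_IMPLICIT = {"apiVersion": "v1", "kind": "Pod",
                "metadata": {"name": "web", "namespace": "blue"},
                "spec": {"containers": [{"name": "web", "image": "nginx"}]}}
POD_EXPLICIT = {"apiVersion": "v1", "kind": "Pod",
                "metadata": {"name": "reader", "namespace": "blue"},
                "spec": {"serviceAccountName": "api-reader",
                         "automountServiceAccountToken": True,
                         "containers": [{"name": "app", "image": "busybox"}]}}
SA_NO_MOUNT = {"apiVersion": "v1", "kind": "ServiceAccount",
               "metadata": {"name": "default", "namespace": "blue"},
               "automountServiceAccountToken": False}


def _b64url_encode(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed, UNSIGNED token with the claim layout of a legacy SA token; the
# signature segment is a placeholder, so only the payload carries information.
SAMPLE_TOKEN = ".".join([
    _b64url_encode({"alg": "RS256", "kid": "sample"}),
    _b64url_encode({"iss": "kubernetes/serviceaccount",
                    "kubernetes.io/serviceaccount/namespace": "blue",
                    "kubernetes.io/serviceaccount/service-account.name": "default",
                    "sub": "system:serviceaccount:blue:default"}),
    "placeholder-signature"])

if __name__ == "__main__":
    print(describe_pod(POD_IMPLICIT, SA_NO_MOUNT))  # default SA, token not mounted
    print(describe_pod(POD_EXPLICIT))               # api-reader, pod forces a mount
    print(identity_from_token(SAMPLE_TOKEN))
```

Running the script shows the first pod resolving to system:serviceaccount:blue:default with no token mounted, because the namespace's default ServiceAccount opts out; the second pod names api-reader and re-enables the mount at pod level, which wins over the ServiceAccount setting. The same parse_principal function is what you would apply to the user.username field of audit events to separate service-account traffic from human users.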