Kubernetes Security Concepts: Difference between revisions
Revision as of 00:42, 10 August 2020
Internal
Transport Security
User Account
Service Account
Processes in containers inside pods can contact the API server, and they need an identity when doing so. A service account provides the identity for processes that run in the pod. Processes authenticate using the identity provided by the service account. By default, in the absence of specific configuration, pods authenticate as the default service account in the namespace they are running in. A specific service account name can be specified in the pod manifest - also see Non-Default Service Accounts below.
The credentials (token) for a service account are placed into the filesystem of each container of the pod at /var/run/secrets/kubernetes.io/serviceaccount/ca.crt. The default namespace to be used for namespaced API operations is placed on the filesystem of each container of the pod at /var/run/secrets/kubernetes.io/serviceaccount/namespace. Service accounts are rendered in logs using the following pattern: "system:serviceaccount:namespace:account-name" (e.g. "system:serviceaccount:blue:default").
TODO: automountServiceAccountToken: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#use-the-default-service-account-to-access-the-api-server
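As an added example, not code from the page or from the Kubernetes project, the following Python does what a process inside a pod would do to learn which identity it carries: it reads the mounted namespace file and the token file that sits in the same /var/run/secrets/kubernetes.io/serviceaccount directory as the ca.crt mentioned above, parses the system:serviceaccount:namespace:account-name identity out of the token's "sub" claim (the same form the log pattern uses), and flags pods that fell through to the default service account. make_unsigned_token is a constructed, unsigned stand-in for a real token so the example runs offline; the report field names are this example's own.

```python
import base64
import json
import re
from pathlib import Path

# Directory Kubernetes mounts into every container of a pod (from the page).
SA_DIR = "/var/run/secrets/kubernetes.io/serviceaccount"
# Service accounts appear in logs, and in the token's "sub" claim, as
# system:serviceaccount:<namespace>:<account-name>
SA_USERNAME = re.compile(r"^system:serviceaccount:(?P<ns>[^:]+):(?P<name>[^:]+)$")

def parse_sa_username(username):
    """Split 'system:serviceaccount:ns:name' into (ns, name); None for other users."""
    m = SA_USERNAME.match(username)
    return (m["ns"], m["name"]) if m else None

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_unsigned_token(namespace, name):
    """Constructed sample: JWT-shaped, carries a real token's 'sub' claim, no signature."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    claims = {"sub": f"system:serviceaccount:{namespace}:{name}"}
    return f"{header}.{_b64url(json.dumps(claims).encode())}."

def token_subject(token):
    """Read 'sub' without verifying: the API server, not the pod, verifies the token."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))["sub"]

def identity_from_files(namespace_text, token_text):
    """Combine the mounted 'namespace' and 'token' file contents into a report."""
    namespace = namespace_text.strip()
    parsed = parse_sa_username(token_subject(token_text.strip()))
    if parsed is None:
        raise ValueError("token subject is not a service account")
    token_ns, name = parsed
    return {
        "namespace": namespace,
        "service_account": name,
        "token_matches_namespace": token_ns == namespace,
        # 'default' means nobody chose a service account for this pod.
        "uses_default_sa": name == "default",
    }

def pod_identity(sa_dir=SA_DIR):
    """Run inside a pod: read the mounted files and report which account it acts as."""
    d = Path(sa_dir)
    return identity_from_files((d / "namespace").read_text(), (d / "token").read_text())
```

Calling pod_identity() from a container with the default mount reports the account the pod actually authenticates as, which is the quickest check that a workload did not silently end up on the namespace's default account.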
Default Service Account
Each namespace comes with a default service account:
apiVersion: v1
kind: ServiceAccount
metadata:
  name: default
  namespace: default
secrets:
- name: default-token-dddkl
A pod whose service account was not explicitly configured will run with the default service account for its namespace:
apiVersion: v1
kind: Pod
spec:
  containers:
  - name: [...]
    [...]
  [...]
  serviceAccount: default
  serviceAccountName: default
  [...]
Non-Default Service Accounts
To use a non-default service account, set the spec.serviceAccountName field of the pod manifest. The service account has to exist at the time the pod is created, or the pod will be rejected. Once the pod has been created, its service account cannot be updated.