Kubernetes Security Concepts: Difference between revisions
Jump to navigation
Jump to search
Line 9: | Line 9: | ||
=Service Account= | =Service Account= | ||
A service account provides an identity for processes that run in a [[Kubernetes_Pod_and_Container_Concepts#Pods_and_Service_Accounts|pod]]. Pods that want to interact with the API Server will authenticate with a particular service account. By default, in absence of specific configuration, the pods will authenticate as the [[#Default_Service_Account|default service account]] in the namespace they are running in. Service accounts are rendered in logs using the following pattern: "system:serviceaccount:''namespace'':''account-name'' (e.g. "system:serviceaccount:blue:default). | A service account provides an identity for processes that run in a [[Kubernetes_Pod_and_Container_Concepts#Pods_and_Service_Accounts|pod]]. Pods that want to interact with the API Server will authenticate with a particular service account. By default, in absence of specific configuration, the pods will authenticate as the [[#Default_Service_Account|default service account]] in the namespace they are running in. A specific service account name can be specified in the [[Kubernetes_Pod_Manifest#serviceAccountName|pod manifest]]. Service accounts are rendered in logs using the following pattern: "system:serviceaccount:''namespace'':''account-name'' (e.g. "system:serviceaccount:blue:default). | ||
TODO: | TODO: |
Revision as of 00:18, 10 August 2020
Internal
Transport Security
Service Account
A service account provides an identity for processes that run in a pod. Pods that want to interact with the API Server will authenticate with a particular service account. By default, in absence of specific configuration, the pods will authenticate as the default service account in the namespace they are running in. A specific service account name can be specified in the pod manifest. Service accounts are rendered in logs using the following pattern: "system:serviceaccount:namespace:account-name (e.g. "system:serviceaccount:blue:default).
TODO:
- https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
- https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/
Default Service Account
Each namespace comes with a default service account:
apiVersion: v1 kind: ServiceAccount metadata: name: default namespace: default secrets: - name: default-token-dddkl