Help Center/ Cloud Container Engine/ Kubernetes Basics/ Authentication and Authorization/ Service Accounts

Updated on 2024-10-10 GMT+08:00

View PDF

Service Accounts

All access requests to Kubernetes resources are processed by the API Server, regardless of whether the requests are from an external system. Therefore, the requests must be authenticated and authorized before they are sent to Kubernetes resources.

Authentication: authenticates user identities. Kubernetes uses different authentication rules for external and internal service accounts. For details, see Authentication and ServiceAccounts.
Authorization: controls users' access to resources. Role-based access control (RBAC) is used to authorize users to access resources. For details, see RBAC.

Figure 1 Authentication and authorization of the API Server

Authentication and ServiceAccounts

Kubernetes users are classified as service accounts (ServiceAccounts) and common accounts.

A ServiceAccount is bound to a namespace and associated with a set of credentials. When a pod is created, the token is mounted to the pod so that the pod can be called by the API server.
Kubernetes does not come with pre-built objects for managing common accounts. Instead, external services are used for this purpose. For example, CCE users are managed through Identity and Access Management (IAM).

ServiceAccounts in Kubernetes are resources that exist at the namespace level, just like pods and ConfigMaps. When a namespace is created, the system automatically generates a ServiceAccount named default in the namespace.

You can run the following command to check ServiceAccounts:

kubectl get sa

NAME     SECRETS   AGE
default  1         30d

In clusters earlier than v1.21, a token is obtained by mounting the secret of the service account to a pod. Tokens obtained this way are permanent. This approach is no longer recommended starting from version 1.21. Service accounts will stop auto creating secrets in clusters from version 1.25.
In clusters of version 1.21 or later, you can use the TokenRequest API to obtain the token and use the projected volume to mount the token to the pod. Such tokens are valid for a fixed period. When the mounting pod is deleted, the token automatically becomes invalid. For details, see Service Account Token Security Improvement.
If you need a token that never expires, you can also manually manage secrets for service accounts. Although a permanent service account token can be manually created, you are advised to use a short-lived token by calling the TokenRequest API for higher security.

In clusters earlier than 1.25, a secret is automatically created for each ServiceAccount. In clusters 1.25 or later, a secret is not automatically created for each ServiceAccount. The following describes how to check the statuses of ServiceAccounts in clusters earlier than 1.25 and in clusters 1.25 or later.

In a cluster earlier than 1.25, run the following command to check the status of the default ServiceAccount.

kubectl describe sa default

If information similar to the following is displayed, the default-token-vssmw secret is automatically created for the ServiceAccount.

Name:                  default
Namespace:             default
Labels:                <none>
Annotations:           <none>
Image pull secrets:    <none>
Mountable secrets:     default-token-vssmw
Tokens:                default-token-vssmw
Events:                <none>

In a cluster 1.25 or later, run the following command to check the status of the default ServiceAccount.

kubectl describe sa default

According to the command output, no secret is automatically created for the default ServiceAccount.

Name:                     default
Namespace:                default 
Labels:                   <none>
Annotations:              <none>
Image pull secrets:       <none>
Mountable secrets:        <none>
Tokens:                   <none>
Events:                   <none>

When defining a pod, you can assign a ServiceAccount to it by specifying the account name in the file. If no account name is specified, the default ServiceAccount will be used. When receiving a request with an authentication token, the API Server uses the token to check whether the ServiceAccount associated with the client that sends the request allows the request to be executed.

Creating a ServiceAccount

Take a cluster 1.29 as an example. Run the following command to create a ServiceAccount in the default namespace:

kubectl create serviceaccount sa-example
```
serviceaccount/sa-example created
```
Run the following command to check whether sa-example has been created. If sa-example is displayed in the NAME column, it has been created.

kubectl get sa
```
NAME            SECRETS   AGE
default         1         30d
sa-example      0         2s
```
Because the cluster version used in this case is later than 1.25, the ServiceAccount will not have a secret created automatically. To check if a secret was created, use the following command to view the ServiceAccount details. If the output shows none for Mountable secrets and Tokens, then no secret was automatically created for the ServiceAccount.

kubectl describe sa sa-example
```
Name:                   sa-example
Namespace:              default
Labels:                 <none>
Annotations:            <none>
Image pull secrets:     <none>
Mountable secrets:      <none>
Tokens:                 <none>
Events:                 <none>
```

In this example, manually manage the secret to obtain a token that never expires. Use the following command to manually create a secret named sa-example-token and associate it with the sa-example ServiceAccount.

kubectl apply -f - <<EOF
apiVersion: v1 
kind: Secret 
metadata:
  namespace: default   
  name: sa-example-token   
  annotations:     
    kubernetes.io/service-account.name: sa-example 
type: kubernetes.io/service-account-token 
EOF

Check whether sa-example-token has been created. If sa-example-token is present in secrets of the default namespace, then it has been created.

kubectl get secrets

NAME                        TYPE                                    DATA        AGE
default-secret              kubernetes.io/dockerconfigjson          1           6d20h
paas.elb                    cfe/secure-opaque                       1           6d20h
sa-example-token            kubernetes.io/service-account-token     3           16s

Check the secret content. You can find the ca.crt, namespace, and token data.

kubectl describe secret sa-example-token

Name:         sa-example-token
Namespace:    default
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: sa-example
              kubernetes.io/service-account.uid: 4b7d3e19-1dfe-4ee0-bb49-4e2e0c3c5e25

Type:  kubernetes.io/service-account-token

Data
====
ca.crt:     1123 bytes
namespace:  7 bytes
token:      eyJhbGciOiJSU...

Check whether the ServiceAccount has been associated with the new secret, meaning if the ServiceAccount has obtained the token. The command output shows that sa-example is associated with sa-example-token.

kubectl describe sa sa-example

Name:                 sa-example
Namespace:            default
Labels:               <none>
Annotations:          <none>
Image pull secrets:   <none>
Mountable secrets:    <none>
Tokens:               sa-example-token
Events:               <none>

Using a ServiceAccount in a Pod

It is convenient to use a ServiceAccount in a pod. You only need to specify the name of the ServiceAccount. The following uses nginx:latest as an example to describe how to use a ServiceAccount in a pod.

Create a description file named sa-pod.yaml. mysql.yaml is an example file name. You can rename it as required.

vim sa-pod.yaml

To enable the pod to use the token from the manually created secret, you must mount the secret to the container. For details about how to mount the secret, see the code in bold in the description file.

The file content is as follows:

apiVersion: v1
kind: Pod
metadata:
  name: sa-pod
spec:
  serviceAccountName: sa-example                  #  Specify sa-example as the ServiceAccount used by the pod.
  imagePullSecrets:
  - name: default-secret
  containers:
  - image: nginx:latest
    name: container-0
    resources:
      limits:
        cpu: 100m
        memory: 200Mi
      requests:
        cpu: 100m
        memory: 200Mi
    volumeMounts:                             #  Mount the storage volume named secret-volume to the pod.
    - name: secret-volume
      readOnly: true                          #  The mounted storage volume is read-only.
      mountPath: "/etc/secret-volume"         #  Mount path of the storage volume in the container, which can be customized
  volumes:                                    #  Define a secret volume that can be used by the pod.
  - name: secret-volume                       #   Name of the secret volume, which can be customized
    secret:                                   #  Set the type of the storage volume to Secret.
      secretName: sa-example-token            #  Mount sa-example-token to the defined storage volume.

Create a pod and view its details. You can see that sa-example-token is mounted to the pod. The pod uses the token for authentication.

kubectl create -f sa-pod.yaml

The command output is as follows:
```
pod/sa-pod created
```
Use the following command to check whether the pod has been created:

kubectl get pod

In the command output, if sa-pod is in the Running state, the pod has been created.
```
NAME                     READY   STATUS              RESTARTS   AGE
sa-pod               1/1     running             0          5s
```

View the sa-pod details and check whether sa-example-token has been mounted to the pod.

kubectl describe pod sa-pod

The command output is as follows:

...
Containers:
  container-0:
    Container ID:   
    Image:          nginx:latest
    Image ID:       
    Port:           <none>
    Host Port:      <none>
    State:          Waiting
      Reason:       ImagePullBackOff
    Ready:          False
    Restart Count:  0
    Limits:
      cpu:     100m
      memory:  200Mi
    Requests:
      cpu:        100m
      memory:     200Mi
    Environment:  <none>
    Mounts:
       #  The sa-example-token has been mounted to the pod, and the pod can use the token for authentication.
      /etc/secret-volume from secret-volume (ro)                                 
       #  Automatically mounted TokenRequest, which can provide a short-term token
      /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-2s4sw (ro)  
...

You can also run the following command to view the corresponding files in the pod. (The path after cd is the same as the mount path of secret-volume.)

kubectl exec -it sa-pod -- /bin/sh

cd /etc/secret-volume

The command output is as follows:

ca.crt     namespace  token

Verify that the manually created ServiceAccount token can work.
1. In a Kubernetes cluster, a Service named kubernetes is created for the API Server by default. Pods can be accessed through this Service. After exiting the pod by pressing Ctrl+D, you can run the following command to view the detailed information about the Service:
  kubectl get svc
  
  The command output is as follows:
```
NAME           TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)          AGE
kubernetes     ClusterIP   10.247.0.1       <none>        443/TCP          34
```
2. Access the pod and check whether the pod can access pod resources in the cluster through the API Server without using the token.
  kubectl exec -it sa-pod -- /bin/sh
  
  curl https://10.247.0.1:443/api/v1/namespaces/default/pods
  
  If information similar to the following is displayed, the pod cannot directly access pod resources in the cluster through the API Server.
```
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
```
3. Configure the environment variables of ca.crt. Add the path of ca.crt to the CURL_CA_BUNDLE environment variable, which instructs the curl command to use the certificate file as the trust anchor.
  export CURL_CA_BUNDLE = /etc/secret-volume/ca.crt
4. Add the token content to TOKEN.
  TOKEN=$(cat /etc/secret-volume/token)
  
  Check whether TOKEN has been configured.
  
  echo $TOKEN
  
  If information similar to the following is displayed, the TOKEN has been configured as expected.
```
eyJhbGciOiJSUzI1NiIsImtpZCI6I...
```
5. Access the API Server using the configured TOKEN.
  curl -H "Authorization: Bearer $TOKEN" https://10.247.0.1:443/api/v1/namespaces/default/pods
  
  If information similar to the following is displayed, it means that the pod has passed authentication and the manually created ServiceAccount token is in effect. (If the API Server returns cannot get path \"/api/v1/namespaces/default/pods\"", the pod does not have the access permissions. The pod can access the API Server only after being authorized. For details about the authorization mechanism, see RBAC.)
```
"kind": "PodList",
  "apiVersion": "v1",
  "metadata": {
    "resourceVersion": "13267712"
  },
  "items": [
    {
      "metadata": {
        "name": "hpa-example-77b9b446f6-nc7b6",
...
```

Parent topic: Authentication and Authorization

Previous topic: Authentication and Authorization

Next topic: RBAC

Feedback

Was this page helpful?

Helpful Not helpful

Provide feedback

Thank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.

The system is busy. Please try again later.

Which of the following issues have you encountered?

Content is inconsistent with the product UI

Unclear descriptions

Lack of examples or code

Incorrect steps

Can't find what I need

Lack of best practices

Feedback (optional)

0/500

Select at least one type of issue, and enter your comments or suggestions.

Enter a maximum of 500 characters.

Submit Cancel

For any further questions, feel free to contact us through the chatbot.

Chatbot