487 words
2 minutes
Understanding Kubernetes Service Accounts - A Practical Guide

In our journey through Kubernetes RBAC, we’ve covered Roles, RoleBindings, ClusterRoles, and ClusterRoleBindings. Today, we’re diving into another crucial component of Kubernetes security: Service Accounts.

What are Service Accounts?#

In Kubernetes, there are two types of accounts:

  1. User Accounts: Used by humans (admins, developers, operators)
  2. Service Accounts: Used by processes running in pods to interact with the Kubernetes API

Service Accounts are crucial for applications running within your cluster that need to interact with the Kubernetes API or other services.

Creating and Managing Service Accounts#

Let’s start with the basics:

Creating a Service Account#

Terminal window
kubectl create serviceaccount my-app-sa

Viewing Service Accounts#

Terminal window
kubectl get serviceaccounts
# or
kubectl get sa

Hands-on: Using Service Accounts with RBAC#

Let’s walk through a practical example of creating and using a Service Account with RBAC.

Step 1: Create a Service Account#

Terminal window
kubectl create serviceaccount pod-reader-sa

Step 2: Create a Role#

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
namespace: default
name: pod-reader
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "watch", "list"]

Save this as pod-reader-role.yaml and apply:

Terminal window
kubectl apply -f pod-reader-role.yaml

Step 3: Create a RoleBinding#

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: read-pods
namespace: default
subjects:
- kind: ServiceAccount
name: pod-reader-sa
namespace: default
roleRef:
kind: Role
name: pod-reader
apiGroup: rbac.authorization.k8s.io

Save this as pod-reader-rolebinding.yaml and apply:

Terminal window
kubectl apply -f pod-reader-rolebinding.yaml

Step 4: Use the Service Account in a Pod#

Now, let’s create a pod that uses this Service Account:

apiVersion: v1
kind: Pod
metadata:
name: pod-reader-pod
spec:
serviceAccountName: pod-reader-sa
containers:
- name: my-container
image: busybox
command: ["sh", "-c", "while true; do kubectl get pods; sleep 10; done"]

Save this as pod-reader-pod.yaml and apply:

Terminal window
kubectl apply -f pod-reader-pod.yaml

This pod will use the pod-reader-sa Service Account, which has permissions to list pods in the default namespace.

Key Takeaways#

  1. Automation-Friendly: Service Accounts are ideal for automated processes and applications running in your cluster.
  2. Namespace Scoped: Unlike ClusterRoles, Service Accounts are namespace-specific.
  3. Default Service Account: Each namespace has a default Service Account, but it’s best practice to create specific ones for your applications.
  4. Token Authentication: Service Accounts use tokens for authentication, which are automatically mounted into pods.
  5. RBAC Integration: Service Accounts can be bound to Roles or ClusterRoles just like user accounts.

Best Practices#

  1. Least Privilege: Always grant the minimum necessary permissions to your Service Accounts.
  2. Unique Accounts: Create separate Service Accounts for different applications or components.
  3. Regular Audits: Periodically review your Service Accounts and their permissions.
  4. Avoid Using Default: Don’t rely on the default Service Account; create specific ones for your needs.
  5. Rotate Tokens: Regularly rotate Service Account tokens for enhanced security.

Conclusion#

Service Accounts are a fundamental part of Kubernetes security and RBAC. They allow you to grant specific permissions to processes running within your cluster, enabling secure interactions between your applications and the Kubernetes API. By understanding and properly implementing Service Accounts, you can significantly enhance the security posture of your Kubernetes deployments.


This blog post template provides a comprehensive look at Service Accounts in Kubernetes, based on the task you described. It includes practical examples, explanations of key concepts, and important takeaways. The content is structured to be both informative and hands-on, suitable for readers who want to understand and implement Service Accounts in their Kubernetes environments.

Understanding Kubernetes Service Accounts - A Practical Guide
https://mranv.pages.dev/posts/kubernetes-service-accounts-guide/
Author
Anubhav Gain
Published at
2024-10-01
License
CC BY-NC-SA 4.0