Config - Service Accounts

Question 1

What kind of accounts exist in Kubernetes? Who are they used by?

Answer 1

• User account (humans: admins, developers)
• Service Account (machines: monitoring application that interacts with Kubernetes API)

Question 2

What are Service Accounts used for?

Answer 2

• used for authenticating a machine/appliaction that wants to interact with the kube-api
• like a dashboard, that pulls information from the api

Question 3

How do you create a Service Account?

Answer 3

‘kubectl create serviceaccount < account-name>’

Question 4

What is created with the creation of the service account and where must it be used? (Deprecated)

Answer 4

• simultaneously with the serviceaccount a token is created
• the token must be used by the external appliaction wanting to interact with the kube api
• Token is stored as a secret object

Question 5

What is the sequence when a service account is created?

Answer 5

• create service account
• create token
• create secret-object to include the token
• link secret object to service account

Question 6

What is the token generated with a service account used as and when?

Answer 6

• during REST-API calls
• used as a Authentication Bearer Token

Question 7

What is different, when the application itself is also hosted on the cluster?

Answer 7

Process can be done easier:
- by mounting the secret-object as a volume in the pod, hosting the third-party application

Question 8

By default how many service accounts are created?

• -

Answer 8

• one ‘default’ service account per namespace

Question 9

When are the ‘default’ service accounts used?

Answer 9

• whenever a pod is created, the default secret object is mounted as a volumeMount to that pod

Question 10

What is the default service account allowed to do?

Answer 10

• limited capabilities
• only allowed to run basic Kubernetes api queries

Question 11

How do you define a Service Account for a pod?

Answer 11

Pod yaml:

spec: 
 containers:
 
  serviceAccountName: dashboard-sa

Testsss

Question 12

How can you explicitly specify not to use the default service account?

Answer 12

in pod-yaml, under spec:

automountServiceAccountToken: false

Question 13

What is the purpose of the TokenRequestAPI?

Answer 13

• to provide a way to provision Kubernetes Service Account tokens that are more secure and scalable
• as the default token has no expiery date

Question 14

What has changed with version 1.22?

Answer 14

• when a new pod is created it no longer receives the default token
• instead a token with a defined lifetime is generated through the TokenRequestAPI by the service account admission controller
• this token is then mounted as a projected volume to the pod

Question 15

What changed with version 1.24?

Answer 15

• when a service account is created it no longer creates a token / secret object
• you must run the command ‘kubectl create token < service-account-name>’ to generate a token for that service
• it has a expiery date

Question 16

With what command can you create a token for a certain service account?

Answer 16

‘kubectl create token dashboard-sa’

Question 17

What happens when you create a token for a existing service account?

Answer 17

• the token gets automatically configured for the service account
• when the service account is mounted, it uses the token for communication