Certified Kubernetes Application Developer - CKAD

Configuration

Solutions Service Account

In this lesson, we will explore how to inspect and modify service account configurations in Kubernetes, focusing on the Kubernetes dashboard application's interaction with the Kubernetes API.

──────────────────────────────

1. Identifying Service Accounts in the Default Namespace

To begin, check the number of service accounts in the default namespace by running:

kubectl get sa

The output might look like this:

controlplane ~ → kubectl get sa
NAME       SECRETS   AGE
default    0         20m
dev        0         35s

controlplane ~ →

This output shows two service accounts: default and dev.

──────────────────────────────

2. Checking the Secret Token for the Default Service Account

Next, verify whether the default service account has an associated secret token. Run the following command:

kubectl describe serviceaccount default

Inspect the "Tokens" section in the output. In this case, it indicates that no token is set.

──────────────────────────────

3. Inspecting the Dashboard Deployment

After deploying the dashboard application, inspect its deployment configuration and container image details.

  1. List Deployments:

    kubectl get deployments
    
  2. Describe the Dashboard Deployment:

    kubectl describe deployment web-dashboard
    

    Focus on the "Pod Template" section under "Containers." An example of the output is:

    Name:                   web-dashboard
    Namespace:              default
    CreationTimestamp:      Wed, 26 Jul 2023 22:41:47 +0000
    Labels:                 <none>
    Annotations:            deployment.kubernetes.io/revision: 1
    Selector:               name=web-dashboard
    Replicas:               1 desired | 1 updated | 1 total | 1 available | 0 unavailable
    StrategyType:           RollingUpdate
    MinReadySeconds:        0
    RollingUpdateStrategy:  25% max unavailable, 25% max surge
    Pod Template:
      Labels:  name=web-dashboard
      Containers:
       web-dashboard:
        Image:          gcr.io/kodekloud/customimage/my-kubernetes-dashboard
        Port:           8080/TCP
        Host Port:      0/TCP
        Environment:
          PYTHONUNBUFFERED:  1
        Mounts:        <none>
    Volumes:             <none>
    Conditions:
      Type             Status  Reason
      ----             ------  ------
      Available        True    MinimumReplicasAvailable
      Progressing      True    NewReplicaSetAvailable
    OldReplicaSets:     <none>
    NewReplicaSet:      web-dashboard-97c9c59f6 (1 replicas created)
    Events:
      Type    Reason                  Age   From                   Message
    

    At one point, an error occurs:

    pods is forbidden: User "system:serviceaccount:default:default" cannot list resource "pods" in API group "" in the namespace "default"
    

This error indicates that the dashboard application is using the default service account, which lacks the required permissions.

──────────────────────────────

4. Determining the Service Account Used by the Dashboard Application

The logs and error messages confirm that the default service account is being used. To verify which service account is mounted on the dashboard pod, execute:

kubectl get pod
kubectl describe pod <pod-name>

Within the pod description, locate the Service Account section, which should indicate it is set to "default." Additionally, note that the credentials are mounted from:

/var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-swjvh (ro)

This directory is where the dashboard pod accesses its service account tokens and related secrets.

──────────────────────────────

5. Creating a New Service Account for the Dashboard

Since the default service account has limited permissions, create a new service account (named dashboard-sa) with enhanced rights.

  1. Create the New Service Account:

    kubectl create serviceaccount dashboard-sa
    

    You should see a confirmation message:

    serviceaccount/dashboard-sa created
    
  2. Review RBAC Configurations:

    Check the RBAC configuration files (e.g., dashboard-sa-role-binding.yaml and pod-reader-role.yaml) located in the /var/rbac/ directory. These files contain role and role-binding settings that grant additional permissions. For more details on RBAC, review the relevant documentation.

  3. Generate an Access Token:

    To authenticate with the dashboard application, generate an access token for dashboard-sa:

    kubectl create token dashboard-sa
    

    The output might be similar to:

    eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhdmF0YXJzaW1lLmFwcGxpbWF0aW9uIiwibmFtZSI6ImRhc2hib2FyZC1zYSIsImlhdCI6MTY5MjkzMDM4OCwiZXhwIjoxNzA4Mzk2Mzg4LCJhdWQiOiJodHRwczovL2FkbWluLmRhc2hib2FyZC5jb20iLCJpc3MiOiJodHRwczovL3dlYi16YWhhYW5pdGUuY29tIn0.ksP0DhTDxueD9... (truncated)
    

    Copy the token and paste it into the dashboard UI. Once authenticated, you should see all the pods running within your cluster.

Dashboard Authentication

After generating the token for dashboard-sa, enter it into the dashboard UI to access the cluster's detailed information.

The image shows a Kubernetes dashboard with a running container named "web-dashboard" and its IP address, under a teal background.

──────────────────────────────

6. Updating the Deployment to Use the New Service Account

To eliminate the need for manual token retrieval, update the dashboard deployment so it automatically uses dashboard-sa.

  1. Export the Current Deployment Configuration:

    kubectl get deployment web-dashboard -o yaml > dashboard.yaml
    
  2. Update the Deployment YAML:

    Open dashboard.yaml in your preferred editor and locate the pod specification within the spec section. Add the serviceAccountName field with the value "dashboard-sa" under the pod spec. The updated portion should resemble:

    generation: 1
    name: web-dashboard
    namespace: default
    resourceVersion: "1024"
    uid: daaa0628-d1bd-4624-b5e3-9475f1958464
    spec:
      progressDeadlineSeconds: 600
      replicas: 1
      revisionHistoryLimit: 10
      selector:
        matchLabels:
          name: web-dashboard
      strategy:
        rollingUpdate:
          maxSurge: 25%
          maxUnavailable: 25%
        type: RollingUpdate
      template:
        metadata:
          creationTimestamp: null
          labels:
            name: web-dashboard
        spec:
          serviceAccountName: dashboard-sa
          containers:
          - env:
            - name: PYTHONUNBUFFERED
              value: "1"
            image: gcr.io/kodekloud/customimage/my-kubernetes-dashboard
            imagePullPolicy: Always
            name: web-dashboard
            ports:
            - containerPort: 8080
              protocol: TCP
            resources: {}
    
  3. Apply the Updated Configuration:

    kubectl apply -f dashboard.yaml
    

    You might see a warning about a missing annotation due to changes in resource management history; this warning is harmless as the configuration will be patched automatically.

  4. Verify the Deployment:

    Check the deployment status by running:

    kubectl get deployment
    

After applying these changes, refresh your dashboard application. The pod will now automatically mount the credentials for dashboard-sa, eliminating the need for manual token entry.

──────────────────────────────

Conclusion

By following these steps, you have accomplished the following:

  • Identified service accounts in the default namespace.
  • Inspected the token associated with the default service account.
  • Noted that the dashboard application was using a default account with insufficient permissions.
  • Created a new service account (dashboard-sa) with enhanced permissions using RBAC.
  • Updated the dashboard deployment to automatically use the new service account, streamlining the authentication process with the Kubernetes API.

Final Notes

Managing service accounts and RBAC configurations properly is vital for maintaining security and operational efficiency in your Kubernetes environment.

Watch Video

Watch video content

Previous
Service Account