Understanding Service Account Credentials in Kubernetes Pods
Kubernetes Service Accounts are a powerful feature that enable applications to access Kubernetes APIs and resources within a cluster. Service Accounts provide a secure and convenient way to authenticate and authorize access to Kubernetes resources. When a Pod is created in Kubernetes, it is automatically assigned a Service Account, and the Service Account contains a token that can be used to authenticate requests to the Kubernetes API.
We will take a detailed look at how Service Account credentials are loaded and used in Kubernetes Pods. We will also describe the files that are mounted in the /var/run/secrets/kubernetes.io/serviceaccount/ directory of the Pod's container.
Loading Service Account Credentials
In a Kubernetes Pod, the Service Account credentials are automatically mounted as a volume in the container. The volume is named default-token-<token_id> and is located at /var/run/secrets/kubernetes.io/serviceaccount/ inside the container. The Service Account volume contains two important files: token and ca.crt.
The token file contains the Service Account token that can be used to authenticate requests to the Kubernetes API. The ca.crt file contains the Kubernetes CA certificate that can be used to validate the secure connection to the Kubernetes API server.
To use the Service Account token, an application running in a Kubernetes Pod can make a call to the Kubernetes API server using the Kubernetes client library for the language of choice. The client library automatically detects the Service Account credentials and uses them to authenticate the request.
For example, in a Python application, the Kubernetes client library can be used to list all the Pods running in a particular namespace as follows:
from kubernetes import client, config

# Read the token and ca.crt from the mounted Service Account volume
config.load_incluster_config()

v1 = client.CoreV1Api()
ret = v1.list_namespaced_pod(namespace='default')
for i in ret.items:
    print(i.metadata.name)
The config.load_incluster_config() call detects the Service Account credentials and loads them into the Kubernetes client library. The client library then uses these credentials to authenticate the request to the Kubernetes API server.
Using Service Account Credentials
Once the Service Account credentials are loaded into the application, they can be used to make authenticated requests to the Kubernetes API. For example, the kubectl command-line tool uses Service Account credentials to authenticate requests to the Kubernetes API.
To use the Service Account credentials in a Kubernetes Pod, an application can make authenticated requests to the Kubernetes API server using the Service Account token. The token can be accessed from the token file in the Service Account volume.
For example, the following cURL command can be used to list all the Pods running in a Kubernetes namespace:
curl https://kubernetes.default.svc/api/v1/namespaces/default/pods \
--header "Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
--cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
The $(cat /var/run/secrets/kubernetes.io/serviceaccount/token) command substitution retrieves the Service Account token from the token file in the Service Account volume, and the --header "Authorization: Bearer ..." option includes the token in the Authorization header of the request.
The --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt option specifies the path to the Kubernetes CA certificate that is used to validate the secure connection to the Kubernetes API server.
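The same request built by hand in Python, as an added example that is not part of the original article: it reads the token and ca.crt files from the Service Account volume, puts the token in the Authorization header, and trusts only the cluster CA for the TLS connection, exactly as the cURL command does. The volume also contains a third file, namespace, which names the Pod's own namespace; the example uses it as the default namespace. The sample token and namespace values written by make_constructed_volume are constructed for the offline demonstration.

```python
# Added example (not from the original article): build the GET
# /api/v1/namespaces/<ns>/pods request from the Service Account volume files,
# using only the Python standard library.
import json
import os
import ssl
import tempfile
import urllib.request

# Mount point described in the article; overridable for testing.
SA_DIR = "/var/run/secrets/kubernetes.io/serviceaccount"
# In-cluster DNS name of the API server, as used by the cURL example.
API_SERVER = "https://kubernetes.default.svc"


def read_sa_file(name, sa_dir=SA_DIR):
    """Return the trimmed text of one file from the Service Account volume."""
    with open(os.path.join(sa_dir, name), encoding="utf-8") as f:
        return f.read().strip()


def build_pod_list_request(namespace=None, sa_dir=SA_DIR, api_server=API_SERVER):
    """Build the Pod list request carrying the bearer token.

    The token file is read on every call rather than cached at start-up, so a
    token that the kubelet has refreshed on disk is picked up automatically.
    """
    token = read_sa_file("token", sa_dir)
    if namespace is None:
        # The 'namespace' file in the same volume names the Pod's namespace.
        namespace = read_sa_file("namespace", sa_dir)
    url = f"{api_server}/api/v1/namespaces/{namespace}/pods"
    return urllib.request.Request(
        url,
        headers={"Authorization": f"Bearer {token}", "Accept": "application/json"},
        method="GET",
    )


def make_ssl_context(sa_dir=SA_DIR):
    """TLS context that trusts only the cluster CA in ca.crt, not the system roots.

    Hostname checking and certificate verification stay enabled, so a server that
    cannot present a certificate chaining to ca.crt is rejected.
    """
    return ssl.create_default_context(cafile=os.path.join(sa_dir, "ca.crt"))


def list_pod_names(namespace=None, sa_dir=SA_DIR, api_server=API_SERVER):
    """Perform the request inside a Pod and return the Pod names it lists."""
    req = build_pod_list_request(namespace, sa_dir, api_server)
    with urllib.request.urlopen(req, context=make_ssl_context(sa_dir), timeout=10) as resp:
        body = json.load(resp)
    return [item["metadata"]["name"] for item in body.get("items", [])]


def make_constructed_volume(directory):
    """Write a constructed token and namespace file so the request can be built offline."""
    with open(os.path.join(directory, "token"), "w", encoding="utf-8") as f:
        f.write("constructed-token\n")  # constructed placeholder, not a real JWT
    with open(os.path.join(directory, "namespace"), "w", encoding="utf-8") as f:
        f.write("demo\n")  # constructed namespace name
    return directory


if __name__ == "__main__":
    # Offline demonstration; inside a Pod, call list_pod_names() instead.
    demo_dir = make_constructed_volume(tempfile.mkdtemp())
    req = build_pod_list_request(sa_dir=demo_dir)
    print(req.get_method(), req.full_url)
    print("Authorization:", req.get_header("Authorization"))
```

Because make_ssl_context loads only ca.crt, a mistyped server address pointing outside the cluster fails TLS verification rather than silently sending the bearer token to a host that happens to have a publicly trusted certificate.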
Description of Service Account Files
The Service Account volume mounted in the Pod's container contains two important files: token and ca.crt.
The token file contains a JSON Web Token (JWT) that includes the Service Account's identity and a signature. The JWT is used to authenticate requests to the Kubernetes API server.
The Service Account token is automatically rotated by Kubernetes, and the new token is stored in the same default-token-<token_id> volume. Applications can continue to use the same token without any interruption.
The ca.crt file in the Service Account volume contains the Kubernetes CA certificate. The CA certificate is used to verify the identity of the Kubernetes API server during TLS handshakes.
When an application makes an API request to the Kubernetes API server, it establishes a secure connection over TLS. During the TLS handshake, the Kubernetes API server presents its certificate to the application. The application uses the CA certificate to verify the signature of the Kubernetes API server’s certificate and to ensure that it is a trusted certificate.
If the certificate cannot be verified, the application will not establish a connection to the Kubernetes API server.
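To see the identity and signature structure described above, the following added example (not code from the original article) decodes the claims of a Service Account JWT: the subject of the form system:serviceaccount:<namespace>:<name>, the issuer, and the expiry. It decodes the payload without checking the signature, because only the API server holds the key that can verify it; the result is useful for debugging which identity a Pod holds and how long its token remains valid, not for making trust decisions. The SAMPLE_TOKEN, its issuer URL and key id are constructed values.

```python
# Added example (not from the original article): decode the claims of the
# JWT in the Service Account token file. The signature is NOT verified here.
import base64
import json
import time

SA_TOKEN_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/token"


def _b64url_decode(segment):
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment.encode("ascii"))


def decode_jwt_claims(token):
    """Return (header, payload) of a compact JWT without checking its signature."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    header = json.loads(_b64url_decode(parts[0]))
    payload = json.loads(_b64url_decode(parts[1]))
    return header, payload


def describe_service_account_token(token, now=None):
    """Summarise the identity and lifetime claims of a Service Account token."""
    now = time.time() if now is None else now
    header, claims = decode_jwt_claims(token)
    subject = claims.get("sub", "")
    prefix = "system:serviceaccount:"
    namespace = name = None
    if subject.startswith(prefix):
        # Subject has the form system:serviceaccount:<namespace>:<name>.
        namespace, _, name = subject[len(prefix):].partition(":")
    exp = claims.get("exp")
    return {
        "alg": header.get("alg"),
        "issuer": claims.get("iss"),
        "subject": subject,
        "namespace": namespace,
        "name": name,
        # A token without an 'exp' claim carries no expiry at all.
        "expires": exp is not None,
        "seconds_left": None if exp is None else int(exp - now),
    }


def _b64url_encode(obj):
    """base64url-encode a JSON object the way JWT segments are encoded."""
    raw = json.dumps(obj, separators=(",", ":")).encode("utf-8")
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


# Constructed sample token: realistic claim names, placeholder signature.
SAMPLE_NOW = 1_700_000_000
SAMPLE_TOKEN = ".".join([
    _b64url_encode({"alg": "RS256", "kid": "constructed-key-id"}),
    _b64url_encode({
        "iss": "https://kubernetes.default.svc.cluster.local",  # constructed issuer
        "sub": "system:serviceaccount:demo:web",
        "aud": ["https://kubernetes.default.svc.cluster.local"],
        "iat": SAMPLE_NOW,
        "exp": SAMPLE_NOW + 3600,
    }),
    "constructed-signature",
])


if __name__ == "__main__":
    try:
        with open(SA_TOKEN_PATH, encoding="utf-8") as f:
            token = f.read()  # real token when run inside a Pod
    except FileNotFoundError:
        token = SAMPLE_TOKEN  # offline: fall back to the constructed sample
    print(json.dumps(describe_service_account_token(token), indent=2))
```

Run inside a Pod it reports the Service Account the Pod is actually using; a subject or namespace other than the one expected is a quick sign that the wrong Service Account was attached to the Pod.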
In summary, the Service Account volume mounted in a Kubernetes Pod's container contains two important files: token and ca.crt. The token file contains a JSON Web Token (JWT) that includes the Service Account's identity and a signature. The ca.crt file contains the Kubernetes CA certificate, which is used to verify the identity of the Kubernetes API server during TLS handshakes.
Conclusion
Kubernetes Service Accounts provide a secure and convenient way to authenticate and authorize access to Kubernetes resources. In a Kubernetes Pod, the Service Account credentials are automatically mounted as a volume in the container. The Service Account volume contains two important files: token and ca.crt, which can be used to authenticate requests to the Kubernetes API and validate the secure connection to the API server, respectively.
The Kubernetes client libraries automatically detect and use the Service Account credentials for authentication, making it easy to access Kubernetes resources from within a Pod. With Service Accounts, applications can access the Kubernetes API server and other resources within the cluster securely and conveniently.