
What is a good Use Case of Service Account in Kubernetes

Oct 3


In the simplest terms, a Service Account enables machines such as applications, chatbots, pods, virtual machines, and others to interact with the Core API in Kubernetes. For instance, if you are creating a chatbot that receives commands to set up infrastructure in a Kubernetes Cluster, such as Deployments and Services, Service Accounts are used to grant both authentication and authorization to the chatbot.


The diagram illustrates how external applications, like a chatbot, utilize a service account to interact with the Kubernetes API to communicate with the cluster and issue commands. These commands include provisioning, status requests, and cluster-related inquiries. In this article, we will use curl to simulate an external application's request to the Kubernetes API using a token generated through a service account.


How Service Accounts Are Used

API call to Kubernetes API Server using Service Account


  1. Create a Service Account in Kubernetes

We create the service account that our Python code will later use to request a token.

service-account.yaml

apiVersion: v1
kind: ServiceAccount
metadata:
  name: python-code-sa
  namespace: development

kubectl apply -f service-account.yaml

Kubernetes service account creation

  2. Create a Role

    This role contains the RBAC rules granted to the service account. Notice that the resources combine both the application and infrastructure layers of Kubernetes. Because nodes and persistent volumes are cluster-scoped, a ClusterRole is used rather than a namespaced Role.


role.yaml

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  # A ClusterRole is cluster-scoped, so it has no namespace
  name: python-code-role
rules:
- apiGroups: ["apps", ""]
  # RBAC matches on the full resource name; kubectl short names such as
  # "pv" and "pvc" do not match and would grant nothing
  resources: ["deployments", "pods", "nodes", "persistentvolumes", "persistentvolumeclaims"]
  verbs: ["get", "list", "create", "update", "delete"]

kubectl apply -f role.yaml

Kubernetes role creation

  3. Create a Role Binding

    In order to use the role, it must be bound to the service account. This is done through a role binding.

role-binding.yaml

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  # A ClusterRoleBinding is cluster-scoped, so it has no namespace;
  # the namespace belongs on the ServiceAccount subject below
  name: python-code-rolebinding
subjects:
- kind: ServiceAccount
  name: python-code-sa
  namespace: development
roleRef:
  kind: ClusterRole
  name: python-code-role
  apiGroup: rbac.authorization.k8s.io

kubectl apply -f role-binding.yaml

kubectl role binding
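Before handing out a token, it is worth checking what the role actually grants. The following is an added example, not code from the original article: a small evaluator that applies Kubernetes RBAC matching rules (exact names or the "*" wildcard per apiGroup, resource and verb, plus "*/subresource" entries) to the rules of the ClusterRole above. The rules are embedded as Python dicts rather than read from role.yaml so it runs without a cluster or PyYAML. It also shows why kubectl short names such as "pv" and "pvc" grant nothing: RBAC only matches the full resource name.

```python
# Added example: evaluate ClusterRole rules the way the RBAC authorizer does.

# Rules as written in the article's original role.yaml. "pv" and "pvc" are
# kubectl short names, which RBAC does not expand.
ARTICLE_RULES = [
    {"apiGroups": ["apps", ""],
     "resources": ["deployments", "pods", "nodes", "pv", "pvc"],
     "verbs": ["get", "list", "create", "update", "delete"]},
]

# Corrected rules: one rule per API group, full resource names.
CORRECTED_RULES = [
    {"apiGroups": ["apps"], "resources": ["deployments"],
     "verbs": ["get", "list", "create", "update", "delete"]},
    {"apiGroups": [""],
     "resources": ["pods", "nodes", "persistentvolumes", "persistentvolumeclaims"],
     "verbs": ["get", "list", "create", "update", "delete"]},
]


def _match(allowed_values, value):
    """RBAC list matching: an exact entry or the "*" wildcard."""
    return "*" in allowed_values or value in allowed_values


def rule_allows(rule, api_group, resource, verb):
    """True if one PolicyRule grants `verb` on `resource` in `api_group`.
    A subresource request (e.g. "pods/exec") only matches an explicit entry,
    "*", or a "*/<subresource>" entry; a plain "pods" entry does not cover it."""
    if not _match(rule.get("apiGroups", []), api_group):
        return False
    if not _match(rule.get("verbs", []), verb):
        return False
    resources = rule.get("resources", [])
    if "*" in resources or resource in resources:
        return True
    if "/" in resource:
        subresource = resource.split("/", 1)[1]
        return "*/" + subresource in resources
    return False


def allowed(rules, api_group, resource, verb):
    """RBAC is purely additive: a request is allowed if any rule grants it."""
    return any(rule_allows(r, api_group, resource, verb) for r in rules)


def review(rules, requests):
    """Map each (apiGroup, resource, verb) request to its allow/deny result."""
    return {req: allowed(rules, *req) for req in requests}


# Requests a reviewer would want to see answered for this service account.
CHECKS = [
    ("", "nodes", "list"),
    ("", "pods", "delete"),
    ("apps", "deployments", "create"),
    ("", "persistentvolumeclaims", "get"),
    ("", "pods/exec", "create"),
    ("", "secrets", "get"),
]

if __name__ == "__main__":
    for name, rules in (("article", ARTICLE_RULES), ("corrected", CORRECTED_RULES)):
        print(f"--- {name} rules ---")
        for req, ok in review(rules, CHECKS).items():
            print(f"{'ALLOW' if ok else 'deny '} {req}")
```

Against a live cluster the same questions can be put to the API server itself with `kubectl auth can-i <verb> <resource> --as=system:serviceaccount:development:python-code-sa`, which is the authoritative answer; the evaluator above is for reviewing a role file before it is applied.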

  4. Create the Token

    Once the service account is bound to the role, it can be used by passing a token for it as the bearer credential in the API call to the kube-apiserver.


Create a token

kubectl create token python-code-sa --namespace development --duration 2h

Generate token in kubectl

Keep the generated token for later use.


  5. Test the API via curl

Set the environment variables (no leading "$" when assigning in the shell)

TOKEN=<Your Token Here>
API_SERVER=https://[Your Kubernetes Cluster IP]:6443

Call the API via curl

For demo purposes, let's get some information about the nodes

# -k skips verification of the API server certificate; outside a lab,
# pass the cluster CA with --cacert <ca.crt> instead
curl -k -H "Authorization: Bearer $TOKEN" "$API_SERVER/api/v1/nodes"

Sample Result

curl via Kubernetes API Server
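The curl call above sends the token blindly. As an added example (not code from the original article), the following Python script first inspects the claims of the token that `kubectl create token` printed, confirming it names the intended service account and has not expired, then issues the same GET /api/v1/nodes request with the API server certificate verified against the cluster CA rather than curl's -k. The token and node list embedded in it are constructed samples: the token payload mirrors the claims of a projected service-account token with the 2h lifetime used above, but its signature segment is a placeholder, so a real API server would reject it. The `list_nodes` call at the end assumes an `API_SERVER`, `TOKEN` and CA file path of your own.

```python
# Added example: inspect a service-account token, then call the API with TLS verification.
import base64
import json
import ssl
import time
import urllib.request


def _b64url_decode(segment):
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_claims(token):
    """Return a JWT's payload claims without verifying the signature. Only the
    API server can verify it; this is a sanity check, not a reason to trust it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def check_token(token, namespace, sa_name, now=None):
    """Confirm the token names the intended service account and is unexpired.
    Returns the subject, audience and remaining lifetime in seconds."""
    claims = token_claims(token)
    now = time.time() if now is None else now
    expected = f"system:serviceaccount:{namespace}:{sa_name}"
    subject = claims.get("sub", "")
    if subject != expected:
        raise ValueError(f"token subject {subject!r}, expected {expected!r}")
    remaining = claims["exp"] - now
    if remaining <= 0:
        raise ValueError("token has expired; run kubectl create token again")
    return {"subject": subject, "audience": claims.get("aud", []),
            "remaining_seconds": remaining}


def build_request(api_server, token, path):
    """The request curl sends: GET $API_SERVER<path> with a bearer token."""
    return urllib.request.Request(
        api_server.rstrip("/") + path,
        headers={"Authorization": "Bearer " + token,
                 "Accept": "application/json"})


def summarize_nodes(node_list):
    """Reduce a NodeList response to {node name: Ready condition status}."""
    summary = {}
    for item in node_list.get("items", []):
        conditions = item.get("status", {}).get("conditions", [])
        ready = next((c["status"] for c in conditions if c["type"] == "Ready"),
                     "Unknown")
        summary[item["metadata"]["name"]] = ready
    return summary


def list_nodes(api_server, token, ca_cert_path):
    """GET /api/v1/nodes trusting only the cluster CA in ca_cert_path
    (the certificate-authority of your kubeconfig), instead of curl's -k."""
    ctx = ssl.create_default_context(cafile=ca_cert_path)
    req = build_request(api_server, token, "/api/v1/nodes")
    with urllib.request.urlopen(req, context=ctx) as resp:
        return summarize_nodes(json.load(resp))


def _b64url_encode(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed sample token (not a real credential): projected-token claims for
# the service account above with a 2h lifetime and a placeholder signature.
DEMO_TOKEN = ".".join([
    _b64url_encode({"alg": "RS256", "kid": "demo-key-id"}),
    _b64url_encode({
        "aud": ["https://kubernetes.default.svc.cluster.local"],
        "iss": "https://kubernetes.default.svc.cluster.local",
        "iat": 1700000000, "nbf": 1700000000, "exp": 1700007200,
        "kubernetes.io": {"namespace": "development",
                          "serviceaccount": {"name": "python-code-sa",
                                             "uid": "00000000-0000-0000-0000-000000000000"}},
        "sub": "system:serviceaccount:development:python-code-sa"}),
    "placeholder-signature",
])

# Constructed sample of a /api/v1/nodes response, trimmed to the fields used.
SAMPLE_NODE_LIST = {"kind": "NodeList", "items": [
    {"metadata": {"name": "node-a"},
     "status": {"conditions": [{"type": "Ready", "status": "True"}]}},
    {"metadata": {"name": "node-b"},
     "status": {"conditions": [{"type": "Ready", "status": "False"}]}},
]}

if __name__ == "__main__":
    print(check_token(DEMO_TOKEN, "development", "python-code-sa", now=1700000000))
    print(summarize_nodes(SAMPLE_NODE_LIST))
    # Against a real cluster (values from your own environment and kubeconfig):
    # print(list_nodes(API_SERVER, TOKEN, "/path/to/ca.crt"))
```

Decoding the payload is enough to see the `sub`, `exp` and `aud` the API server will act on; it is not a verification, since the signature can only be checked with the cluster's signing keys. The 2h expiry requested with `--duration` is what bounds the damage if the token leaks, which is the reason to prefer short-lived `kubectl create token` output over long-lived secret-based tokens.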