
Kubernetes Service Account and ClusterRoleBinding

A ServiceAccount in Kubernetes provides an identity for processes that run in a Pod, allowing them to interact with the Kubernetes API.^[400-devops__06-Kubernetes__k8s-learning__linux__03-dashboard__README.md]

To grant these identities specific permissions, Kubernetes uses Role-Based Access Control (RBAC) resources. A ClusterRoleBinding binds a ClusterRole to one or more subjects (users, groups or ServiceAccounts) at the cluster level (scope: across all namespaces). The binding itself carries no permissions; they come from the referenced ClusterRole, so what the ServiceAccount can do is exactly what that ClusterRole allows.^[400-devops__06-Kubernetes__k8s-learning__linux__03-dashboard__README.md]

Usage Workflow

The process of setting up an identity for cluster-level access typically involves creating the ServiceAccount and the ClusterRoleBinding together.^[400-devops__06-Kubernetes__k8s-learning__linux__03-dashboard__README.md]

For example, to create an administrative user for a resource like the Kubernetes Dashboard, you would apply a configuration that creates both the account and the binding in one step^[400-devops__06-Kubernetes__k8s-learning__linux__03-dashboard__README.md]. In the usual dashboard setup the binding references the built-in cluster-admin ClusterRole, so anyone holding this account's token has full control of the cluster; treat the token like a root credential.

[kubectl](<./kubectl.md>) apply -f 02-dashboard-account.yaml 
# Output example:
# serviceaccount/admin-user created
# clusterrolebinding.rbac.authorization.k8s.io/admin-user created

Authentication Tokens

Up to Kubernetes 1.23, creating a ServiceAccount automatically generates a Secret containing its authentication token, referenced from the ServiceAccount's .secrets[0].name field.^[400-devops__06-Kubernetes__k8s-learning__linux__03-dashboard__README.md] To authenticate as this identity, you retrieve the token from that secret.^[400-devops__06-Kubernetes__k8s-learning__linux__03-dashboard__README.md] From Kubernetes 1.24 on, no Secret is created automatically: request a short-lived token with `kubectl create token <serviceaccount>`, or, only if a long-lived token is really needed, create a Secret of type kubernetes.io/service-account-token annotated with the account name.

On clusters that still auto-generate the Secret, the standard method is to look up the secret name from the ServiceAccount, read the secret, and decode the token with the base64decode function of kubectl's go-template output.^[400-devops__06-Kubernetes__k8s-learning__linux__03-dashboard__README.md]

[kubectl](<./kubectl.md>) -n kubernetes-dashboard get secret $([kubectl](<./kubectl.md>) -n kubernetes-dashboard get sa/admin-user -o jsonpath="{.secrets[0].name}") -o go-template="{{.data.token | base64decode}}"
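The following script is an added example, not code from the original page or the dashboard project. It brings the two steps above together: it emits the manifest the page applies as 02-dashboard-account.yaml (the page never shows its content; the ServiceAccount name admin-user, namespace kubernetes-dashboard and the cluster-admin ClusterRole are assumptions matching the common dashboard setup), fetches the token in a way that works both before and after Kubernetes 1.24, and decodes the token's payload so you can confirm which identity it actually carries before pasting it into a login form.

```shell
#!/usr/bin/env bash
# Added example (not from the original page). Assumptions: ServiceAccount "admin-user"
# in namespace "kubernetes-dashboard", bound to the built-in ClusterRole "cluster-admin".
set -e

SA_NAME="${SA_NAME:-admin-user}"
SA_NS="${SA_NS:-kubernetes-dashboard}"

# Print the ServiceAccount + ClusterRoleBinding, plus an explicit token Secret for
# clusters (1.24+) that no longer create one automatically.
admin_user_manifest() {
  cat <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ${SA_NAME}
  namespace: ${SA_NS}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ${SA_NAME}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin   # full control of every namespace: guard the token like a root password
subjects:
- kind: ServiceAccount
  name: ${SA_NAME}
  namespace: ${SA_NS}
---
# Only needed for a long-lived token on 1.24+; prefer 'kubectl create token' where possible.
apiVersion: v1
kind: Secret
type: kubernetes.io/service-account-token
metadata:
  name: ${SA_NAME}-token
  namespace: ${SA_NS}
  annotations:
    kubernetes.io/service-account.name: ${SA_NAME}
EOF
}

# Fetch a token for the account. Needs a live cluster, so it is not exercised offline.
get_sa_token() {
  if kubectl create token -h >/dev/null 2>&1; then
    # 1.24+: short-lived token minted through the TokenRequest API
    kubectl -n "${SA_NS}" create token "${SA_NAME}" --duration=1h
  else
    # pre-1.24: read the auto-generated Secret referenced from .secrets[0]
    kubectl -n "${SA_NS}" get secret \
      "$(kubectl -n "${SA_NS}" get sa/"${SA_NAME}" -o jsonpath='{.secrets[0].name}')" \
      -o go-template='{{.data.token | base64decode}}'
  fi
}

# Decode the JWT payload (second dot-separated field, base64url without padding) and
# print its "sub" claim. This does not verify the signature; it only shows whose
# credential the token claims to be, e.g. system:serviceaccount:<namespace>:<name>.
jwt_subject() {
  local payload
  payload=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  case $(( ${#payload} % 4 )) in
    2) payload="${payload}==" ;;
    3) payload="${payload}=" ;;
  esac
  printf '%s' "$payload" | base64 -d | sed -n 's/.*"sub":"\([^"]*\)".*/\1/p'
}

# Typical use on a real cluster:
#   admin_user_manifest | kubectl apply -f -
#   TOKEN=$(get_sa_token); jwt_subject "$TOKEN"
```

The subject check matters because the dashboard token prompt accepts any bearer token: decoding the payload first confirms you copied the admin-user credential and not, say, the default ServiceAccount of another namespace.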

Sources

^[400-devops__06-Kubernetes__k8s-learning__linux__03-dashboard__README.md]