
ServiceAccount token authentication

ServiceAccount token authentication is a mechanism in Kubernetes that allows processes or external users to authenticate to the API server using a bearer token associated with a ServiceAccount.^[400-devops-06-kubernetes-k8s-learning-01dashboard-dashboatdinstall.md, 400-devops__06-Kubernetes__k8s-learning__01.dashboard__dashboatd.install.md] It is commonly used to log in to the Kubernetes Dashboard or to automate cluster operations. Because the token is a bearer credential, whoever presents it is treated as that ServiceAccount, so it must be handled like a password.

Authentication Process

Before Kubernetes 1.24, creating a ServiceAccount automatically generated a Secret of type kubernetes.io/service-account-token containing a long-lived bearer token.^[400-devops-06-kubernetes-k8s-learning-01dashboard-dashboatdinstall.md, 400-devops__06-Kubernetes__k8s-learning__01.dashboard__dashboatd.install.md] From 1.24 on the Secret is no longer created automatically: request a short-lived token with kubectl create token, or create such a Secret by hand (annotated with kubernetes.io/service-account.name) if a non-expiring token is really needed. Either way the token can be retrieved and used as a login credential.

  1. Create ServiceAccount: An account is created within a specific namespace^[400-devops-06-kubernetes-k8s-learning-01dashboard-dashboatdinstall.md, 400-devops__06-Kubernetes__k8s-learning__01.dashboard__dashboatd.install.md].
  2. Identify Secret: The corresponding Secret (named <serviceaccount-name>-token-xxxxx) is listed under secrets: in the ServiceAccount's YAML output on clusters that still auto-generate it; on 1.24+ it is the Secret you created yourself^[400-devops-06-kubernetes-k8s-learning-01dashboard-dashboatdinstall.md, 400-devops__06-Kubernetes__k8s-learning__01.dashboard__dashboatd.install.md].
  3. Retrieve Token: The token is extracted from the Secret's data field. Secret data is stored Base64 encoded, so it must be decoded before use^[400-devops-06-kubernetes-k8s-learning-01dashboard-dashboatdinstall.md, 400-devops__06-Kubernetes__k8s-learning__01.dashboard__dashboatd.install.md].

Command Line Example

To view and decode the token for a specific ServiceAccount (e.g., cluster-admin-tommy in the kube-system namespace), the following kubectl command chain is used, substituting the Secret that belongs to that ServiceAccount^[400-devops-06-kubernetes-k8s-learning-01dashboard-dashboatdinstall.md, 400-devops__06-Kubernetes__k8s-learning__01.dashboard__dashboatd.install.md]:

[kubectl](<./kubectl.md>) get secret <secret-name> -o jsonpath='{.data.token}' -n <namespace> | base64 -d

On a 1.24+ cluster where no Secret exists, kubectl create token <serviceaccount-name> -n <namespace> prints a short-lived token directly, already decoded.
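The whole procedure, as an added example that is not part of the original page: it wraps the page's command chain and its 1.24+ replacement in shell functions, then decodes the token's JWT claims so you can confirm which ServiceAccount and namespace it identifies and whether it ever expires. The ServiceAccount name cluster-admin-tommy and namespace kube-system come from the page; the Secret name cluster-admin-tommy-token, the sample tokens and their claim values are constructed here and are assumptions.

```shell
#!/bin/sh
# Added example (not from the page): retrieve a ServiceAccount token and
# inspect its claims before trusting it. Assumed names: Secret
# "cluster-admin-tommy-token" (created by hand, since Kubernetes >= 1.24 no
# longer creates it for you); the sample tokens below are constructed.
set -e

# The page's command chain: read the Secret, take .data.token, base64-decode.
fetch_secret_token() { # $1 = secret name, $2 = namespace
  kubectl get secret "$1" -n "$2" -o jsonpath='{.data.token}' | base64 -d
}

# Preferred on 1.24+: a short-lived token from the TokenRequest API.
mint_token() { # $1 = serviceaccount name, $2 = namespace, $3 = duration (default 1h)
  kubectl create token "$1" -n "$2" --duration="${3:-1h}"
}

# base64url (JWT) decoding: restore padding and swap the URL-safe alphabet.
b64url_decode() {
  seg=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#seg} % 4 )) in
    2) seg="$seg==" ;;
    3) seg="$seg=" ;;
  esac
  printf '%s' "$seg" | base64 -d
}

# Print the JWT payload (claims). The signature is NOT checked here; only the
# API server holding the signing key can do that, so never treat this as proof.
jwt_claims() { b64url_decode "$(printf '%s' "$1" | cut -d. -f2)"; }

# Read one top-level string/number claim without jq (enough for SA tokens).
claim() { # $1 = claims JSON, $2 = claim name
  printf '%s' "$1" | sed -n "s|.*\"$2\":\"\{0,1\}\([^\",}]*\)\"\{0,1\}.*|\1|p"
}

# A token with an "exp" claim is a bound TokenRequest token that expires;
# one without it is a legacy Secret token that stays valid until revoked.
token_is_bound() { [ -n "$(claim "$(jwt_claims "$1")" exp)" ]; }

# Constructed sample tokens with a fake signature, so this runs without a cluster.
b64url() { printf '%s' "$1" | base64 | tr -d '\n=' | tr '+/' '-_'; }
HEADER=$(b64url '{"alg":"RS256","kid":"constructed"}')
BOUND_CLAIMS='{"aud":["https://kubernetes.default.svc"],"exp":4102444800,"iss":"https://kubernetes.default.svc",'
BOUND_CLAIMS="$BOUND_CLAIMS"'"kubernetes.io":{"namespace":"kube-system","serviceaccount":{"name":"cluster-admin-tommy"}},"sub":"system:serviceaccount:kube-system:cluster-admin-tommy"}'
LEGACY_CLAIMS='{"iss":"kubernetes/serviceaccount","kubernetes.io/serviceaccount/namespace":"kube-system",'
LEGACY_CLAIMS="$LEGACY_CLAIMS"'"kubernetes.io/serviceaccount/service-account.name":"cluster-admin-tommy","sub":"system:serviceaccount:kube-system:cluster-admin-tommy"}'
BOUND_TOKEN="$HEADER.$(b64url "$BOUND_CLAIMS").c2ln"
LEGACY_TOKEN="$HEADER.$(b64url "$LEGACY_CLAIMS").c2ln"

# Summarise whose identity a token carries and whether it will ever expire.
describe_token() {
  claims=$(jwt_claims "$1")
  printf 'subject: %s\n' "$(claim "$claims" sub)"
  if token_is_bound "$1"; then
    printf 'type: bound token, expires at epoch %s\n' "$(claim "$claims" exp)"
  else
    printf 'type: legacy Secret token, never expires (revoke by deleting the Secret)\n'
  fi
}

describe_token "$BOUND_TOKEN"
describe_token "$LEGACY_TOKEN"

# Against a reachable cluster, inspect a token read with the page's command chain.
if command -v kubectl >/dev/null 2>&1 && kubectl cluster-info >/dev/null 2>&1; then
  describe_token "$(fetch_secret_token cluster-admin-tommy-token kube-system)"
fi
```

Decoding the payload locally shows what the API server will see, but it is not verification: only the API server, which holds the signing key, can reject a forged token. Legacy Secret tokens carry no exp claim and remain valid until the Secret is deleted, which is why the TokenRequest path is preferred wherever a short-lived token will do.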

Authorization (RBAC)

While the token provides authentication (identity), access to resources requires authorization via Role-Based Access Control (RBAC).^[400-devops-06-kubernetes-k8s-learning-01dashboard-dashboatdinstall.md, 400-devops__06-Kubernetes__k8s-learning__01.dashboard__dashboatd.install.md]

To grant permissions, the ServiceAccount is bound to a Role (or ClusterRole) using a RoleBinding (or ClusterRoleBinding).^[400-devops-06-kubernetes-k8s-learning-01dashboard-dashboatdinstall.md, 400-devops__06-Kubernetes__k8s-learning__01.dashboard__dashboatd.install.md]

For example, to give the token's holder full administrative access through a ServiceAccount, a ClusterRoleBinding associates the ServiceAccount with the built-in cluster-admin ClusterRole^[400-devops-06-kubernetes-k8s-learning-01dashboard-dashboatdinstall.md, 400-devops__06-Kubernetes__k8s-learning__01.dashboard__dashboatd.install.md]. Such a token is equivalent to a root credential for the whole cluster; prefer a RoleBinding to a narrower role (for instance the built-in view ClusterRole, scoped to one namespace) unless full control is genuinely required, and delete the token or its Secret when it is no longer needed.
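Binding and then verifying the binding, as an added example (not the page's own manifests): the first function emits the cluster-admin ClusterRoleBinding the page describes, the second a namespace-scoped RoleBinding as the least-privilege alternative, and can_sa asks the API server what the ServiceAccount may do by impersonating it. The ServiceAccount cluster-admin-tommy in kube-system is from the page; the target namespace dashboard-ro and the choice of the built-in view ClusterRole are assumptions.

```shell
#!/bin/sh
# Added example (not from the page): bind a ServiceAccount to a role, then
# check what the token holder can actually do. Assumed names: the namespace
# "dashboard-ro" and the built-in "view" ClusterRole for the scoped variant.
set -e

# The page's setup: full cluster control via the built-in cluster-admin ClusterRole.
# Anyone holding this ServiceAccount's token is effectively root on the cluster.
cluster_admin_binding() { # $1 = serviceaccount, $2 = its namespace
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: $1-cluster-admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: $1
  namespace: $2
EOF
}

# Least-privilege alternative: a RoleBinding applies the ClusterRole's rules
# inside one namespace only, so the same token cannot reach anything else.
scoped_binding() { # $1 = serviceaccount, $2 = its namespace, $3 = target namespace, $4 = clusterrole
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: $1-$4
  namespace: $3
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: $4
subjects:
- kind: ServiceAccount
  name: $1
  namespace: $2
EOF
}

# The check to run after binding: impersonate the ServiceAccount and ask the
# API server whether a verb is allowed, rather than reading the YAML and hoping.
# Usage: can_sa cluster-admin-tommy kube-system delete pods --all-namespaces
can_sa() { # $1 = serviceaccount, $2 = namespace, $3 = verb, $4 = resource, rest passed to kubectl
  sa="$1"; ns="$2"; verb="$3"; res="$4"; shift 4
  kubectl auth can-i "$verb" "$res" --as="system:serviceaccount:$ns:$sa" "$@"
}

# Offline sanity check on a generated manifest: which subject is bound to
# which role? Prints "<kind> <role> <serviceaccount>@<namespace>".
binding_targets() { # $1 = manifest text
  printf '%s\n' "$1" | awk '
    /^kind:/          { kind = $2 }
    /^roleRef:/       { sec = "role" }
    /^subjects:/      { sec = "subj" }
    /^  name:/        { if (sec == "role") role = $2; else if (sec == "subj") sa = $2 }
    /^  namespace:/   { if (sec == "subj") ns = $2 }
    END { print kind, role, sa "@" ns }'
}

binding_targets "$(cluster_admin_binding cluster-admin-tommy kube-system)"
binding_targets "$(scoped_binding cluster-admin-tommy kube-system dashboard-ro view)"

# To apply against a cluster:
#   scoped_binding cluster-admin-tommy kube-system dashboard-ro view | kubectl apply -f -
#   can_sa cluster-admin-tommy kube-system list pods -n dashboard-ro    # expect: yes
#   can_sa cluster-admin-tommy kube-system delete secrets -n kube-system  # expect: no
```

The kubectl auth can-i check with --as=system:serviceaccount:<namespace>:<name> is the quickest way to confirm that a binding grants exactly what was intended; run it for a verb the ServiceAccount should have and one it should not.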

Sources

  • 400-devops-06-kubernetes-k8s-learning-01dashboard-dashboatdinstall.md
  • 400-devops__06-Kubernetes__k8s-learning__01.dashboard__dashboatd.install.md