Hello, readers! In this article, we will be focusing on Service Accounts in Kubernetes with a detailed explanation.
So, let us begin!! 🙂
What is a Kubernetes Service Account?
Before diving deep into the concept of Service Account, let us understand the reason for its emergence.
Authentication is an important concept in any software or infrastructure. With Kubernetes, when we (human users) connect to the cluster through kubectl, the API server authenticates us against a specific user account. Example: email@example.com. By default, the account used is admin.
But apart from users like us, at times the processes within a container may also need to contact the API server and authenticate to it. For example, we may wish to build an Azure pipeline to push the image to GCR (a container registry). In such scenarios, we need a Service account to authenticate the process (pipeline) that runs from within the container.
So, a Service account provides and serves as an identity for the processes that run inside a container, encapsulated within a pod. By default, Kubernetes provides us with a default service account that is associated with a particular namespace created within the cluster.
Having understood Service accounts, let us now create a customized (user-defined) service account in a declarative manner.
Creating a Kubernetes Service account
By default, we have a default service account associated with every namespace–
kubectl get serviceaccounts -n demo
NAME      SECRETS   AGE
default   1         1d
Have a look at the below YAML–
Here, we have made use of the declarative way to create a Kubernetes Service account. The name of the service account is pipeline-demo.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: pipeline-demo
We can create this service account in any namespace using the below command:
kubectl apply -f Service_acc.yaml -n demo-ns
Configuring service account for pods
Once we create a service account, it must be associated with the particular pod/deployment that will use it for authentication. Usually, the default service account gets configured automatically for pods. To have a customized service account configured for the pod/container, we need to pass the account name in the pod definition YAML.
Have a look at the below YAML file–
apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  containers:
  - image: nginx
    name: nginx
  serviceAccountName: pipeline-demo
In the above example, we have created a pod nginx with the image nginx and have associated the service account pipeline-demo with it. The pod must be created in the same namespace as the service account. With this, the pod performs all its authentication (through its containers) in the Kubernetes environment using the specified service account.
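To confirm which identity a pod actually presents, the token mounted into its containers can be inspected. The following is an added example, not code from the original article: the helper names are hypothetical and the token in the demo is constructed. It relies on the service account token being a JWT whose sub claim has the form system:serviceaccount:<namespace>:<name>, and it decodes the claims without verifying the signature.

```python
import base64
import json
import time

# Standard in-pod mount path for the service account token.
TOKEN_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/token"


def read_mounted_token(path=TOKEN_PATH):
    """Read the token Kubernetes mounts into the container (works only in a pod)."""
    with open(path) as fh:
        return fh.read()


def decode_claims(token):
    """Decode the JWT payload WITHOUT verifying the signature (inspection only)."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def identity(claims, now=None):
    """Return the namespace/name the API server sees, plus expiry state."""
    parts = claims.get("sub", "").split(":")
    if len(parts) != 4 or parts[:2] != ["system", "serviceaccount"]:
        raise ValueError("subject is not a service account")
    now = time.time() if now is None else now
    exp = claims.get("exp")  # legacy secret-based tokens carry no expiry
    return {"namespace": parts[2], "name": parts[3],
            "is_default": parts[3] == "default",
            "expired": exp is not None and exp <= now}


def sample_token(namespace, name, exp):
    """Constructed sample token with a placeholder signature (not a credential)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    claims = {"sub": f"system:serviceaccount:{namespace}:{name}", "exp": exp}
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "constructed"])


if __name__ == "__main__":
    # Offline demo on the constructed token; inside a pod use read_mounted_token().
    token = sample_token("demo-ns", "pipeline-demo", exp=2_000_000_000)
    print(identity(decode_claims(token), now=1_700_000_000))
```

If is_default comes back true for a pod that was meant to run as pipeline-demo, the serviceAccountName field was not applied and the pod is using the namespace's default account.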
By this, we have come to the end of this topic. Feel free to comment below, in case you come across any questions.
For more such posts related to Kubernetes, stay tuned with us.
Till then, Happy Learning!! 🙂