
Service account related stuff on kubernetes

From inside a pod, the Kubernetes API is reached through the cluster-internal service:

https://kubernetes.default.svc

Token

Get it with kubectl ($TOKENNAME is the name of the service account's token secret; the stored value is base64-encoded, hence the decode):

kubectl -n <namespace> get secret "$TOKENNAME" -o jsonpath='{.data.token}' | base64 --decode

CaCert

Get it with kubectl (same secret as the token; the key contains a dot, so it is escaped in the JSONPath, and the value is base64-encoded like the token):

kubectl -n <namespace> get secret "$TOKENNAME" -o jsonpath='{.data.ca\.crt}' | base64 --decode

NOTE: service accounts are namespaced objects. A role binding therefore has to name the
service account together with its namespace, and the permissions it grants apply to that
service account in that namespace only.
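As an added example (not code from the original page), the following Python script shows what a client inside a pod does with the two files above: it reads the mounted token, inspects the claims to confirm which service account, namespace and pod the token is bound to and when it expires, and assembles the bearer-token request against https://kubernetes.default.svc with the mounted ca.crt as the trust anchor. The mount path /var/run/secrets/kubernetes.io/serviceaccount is the standard kubelet location; on current clusters the token found there is a short-lived projected token rather than a copy of a long-lived secret. The sample token and its claim values are constructed here with a placeholder signature, so the script runs offline; it never verifies a signature, which remains the API server's job.

```python
import base64
import json
import time

# Where the kubelet mounts the service-account credentials inside a pod
SA_DIR = "/var/run/secrets/kubernetes.io/serviceaccount"
API_SERVER = "https://kubernetes.default.svc"


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore padding before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def decode_token(token):
    """Split a JWT into header and claims WITHOUT verifying the signature.
    Signature verification is the API server's job; this is for local inspection."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected three dot-separated segments")
    return {"header": json.loads(_b64url_decode(parts[0])),
            "claims": json.loads(_b64url_decode(parts[1]))}


def summarize_token(token, now=None):
    """Pull out what a reviewer wants to know: whose token, for which namespace,
    which pod it is bound to, who may accept it, and whether it has expired."""
    claims = decode_token(token)["claims"]
    k8s = claims.get("kubernetes.io", {})
    now = time.time() if now is None else now
    exp = claims.get("exp")
    return {
        "subject": claims.get("sub"),
        "namespace": k8s.get("namespace"),
        "serviceaccount": k8s.get("serviceaccount", {}).get("name"),
        "pod": k8s.get("pod", {}).get("name"),
        "audience": claims.get("aud"),
        "expires_in_s": None if exp is None else exp - now,
        "expired": exp is not None and exp <= now,
    }


def build_api_request(token, path="/api/v1/namespaces/default/pods"):
    """Request parameters a client inside the pod uses against the internal
    service: bearer token plus the mounted CA file to verify the server."""
    return {
        "url": API_SERVER + path,
        "headers": {"Authorization": "Bearer " + token.strip()},
        "ca_file": SA_DIR + "/ca.crt",
    }


def read_mounted_token(path=SA_DIR + "/token"):
    """Read the projected token the kubelet mounts; only works inside a pod."""
    with open(path) as f:
        return f.read().strip()


# Constructed sample token with a placeholder signature: real tokens are signed
# by the API server. The claim layout follows projected service-account tokens.
SAMPLE_CLAIMS = {
    "aud": ["https://kubernetes.default.svc"],
    "iss": "https://kubernetes.default.svc.cluster.local",
    "iat": 1700000000, "nbf": 1700000000, "exp": 1700003600,
    "kubernetes.io": {
        "namespace": "default",
        "pod": {"name": "example-pod", "uid": "00000000-0000-0000-0000-000000000001"},
        "serviceaccount": {"name": "default", "uid": "00000000-0000-0000-0000-000000000002"},
    },
    "sub": "system:serviceaccount:default:default",
}
SAMPLE_TOKEN = ".".join([
    _b64url_encode({"alg": "RS256", "kid": "example-key-id"}),
    _b64url_encode(SAMPLE_CLAIMS),
    _b64url_encode({"sig": "placeholder-not-a-real-signature"}),
])

if __name__ == "__main__":
    print(json.dumps(summarize_token(SAMPLE_TOKEN, now=1700000000), indent=2))
    print(build_api_request(SAMPLE_TOKEN))
```

Inside a pod, replace SAMPLE_TOKEN with read_mounted_token() and pass the returned url, headers and ca_file to the HTTP client of your choice; the summary is a quick way to confirm a pod is running under the service account you expect before granting it any role.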

Role-binding

The standard user-facing roles (cluster-admin, admin, edit, view) are listed here: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: read-pods
  namespace: kube-system
subjects:
  - kind: ServiceAccount
    name: default
    namespace: default
roleRef:
  kind: ClusterRole
  name: edit
  apiGroup: rbac.authorization.k8s.io
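Two things about the binding above are worth checking before applying it: a ClusterRoleBinding is a cluster-scoped object, so the metadata.namespace line is ignored, and binding the built-in ClusterRole edit grants the default service account write access in every namespace, far more than the name read-pods suggests. The following Python script is an added example (not from the original page or from Kubernetes itself) that models the RBAC scoping rules just enough to make that visible: it evaluates the page's binding next to a RoleBinding to a hypothetical namespaced Role named pod-reader. The rule sets for edit and pod-reader are constructed, simplified subsets; the real edit role is much larger.

```python
# Constructed, simplified rule sets. The real built-in "edit" ClusterRole is much
# larger; "pod-reader" is a hypothetical Role matching what the name "read-pods" implies.
ROLES = {
    "ClusterRole/edit": [
        {"apiGroups": [""], "resources": ["pods", "services", "configmaps", "secrets"],
         "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"]},
        {"apiGroups": ["apps"], "resources": ["deployments", "statefulsets"],
         "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"]},
    ],
    "Role/pod-reader": [
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]},
    ],
}

SUBJECT = {"kind": "ServiceAccount", "name": "default", "namespace": "default"}

# The binding from the page, as a dict
PAGE_BINDING = {
    "kind": "ClusterRoleBinding",
    "metadata": {"name": "read-pods", "namespace": "kube-system"},
    "subjects": [SUBJECT],
    "roleRef": {"kind": "ClusterRole", "name": "edit"},
}

# Least-privilege alternative: a RoleBinding to a namespaced Role
SCOPED_BINDING = {
    "kind": "RoleBinding",
    "metadata": {"name": "read-pods", "namespace": "default"},
    "subjects": [SUBJECT],
    "roleRef": {"kind": "Role", "name": "pod-reader"},
}


def _subject_matches(subject, sa_namespace, sa_name):
    # Service-account subjects are matched on kind, name AND namespace
    return (subject.get("kind") == "ServiceAccount"
            and subject.get("name") == sa_name
            and subject.get("namespace") == sa_namespace)


def _rule_allows(rule, verb, api_group, resource):
    def matches(allowed, wanted):
        return "*" in allowed or wanted in allowed
    return (matches(rule.get("verbs", []), verb)
            and matches(rule.get("apiGroups", []), api_group)
            and matches(rule.get("resources", []), resource))


def is_allowed(bindings, roles, sa_namespace, sa_name, verb, resource,
               target_namespace, api_group=""):
    """Would the service account be allowed `verb` on `resource` in `target_namespace`?
    Mirrors the RBAC scoping rules: a RoleBinding grants only inside its own namespace
    (even when it references a ClusterRole); a ClusterRoleBinding grants in every
    namespace, and the metadata.namespace field on it is ignored."""
    for binding in bindings:
        if not any(_subject_matches(s, sa_namespace, sa_name)
                   for s in binding.get("subjects", [])):
            continue
        if binding["kind"] == "RoleBinding" and \
                binding["metadata"].get("namespace") != target_namespace:
            continue
        ref = binding["roleRef"]
        # Simplified lookup: ignores that a Role must live in the binding's namespace
        rules = roles.get(ref["kind"] + "/" + ref["name"], [])
        if any(_rule_allows(r, verb, api_group, resource) for r in rules):
            return True
    return False


def grant_report(binding, roles, checks):
    """Evaluate (verb, resource, namespace) checks for the page's subject (default/default)."""
    return {(v, r, ns): is_allowed([binding], roles, "default", "default", v, r, ns)
            for v, r, ns in checks}


CHECKS = [("get", "pods", "default"), ("get", "pods", "kube-system"),
          ("delete", "pods", "default"), ("get", "secrets", "kube-system")]

if __name__ == "__main__":
    for label, binding in (("page ClusterRoleBinding", PAGE_BINDING),
                           ("scoped RoleBinding", SCOPED_BINDING)):
        print(label)
        for check, ok in grant_report(binding, ROLES, CHECKS).items():
            print("  ", check, "allowed" if ok else "denied")
```

Running it shows the page's binding allowing every check, including deleting pods and reading secrets in kube-system, while the scoped RoleBinding allows only reading pods in its own namespace. On a live cluster the authoritative answer comes from the API server itself, e.g. `kubectl auth can-i get pods --as=system:serviceaccount:default:default -n kube-system`.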