Kubernetes / Security / Technology

Kubernetes Access Control: Exploring Service Accounts

16 Aug 2019 3:00am, by

This is the last part of a tutorial series on  Kubernetes access control. Having explored the key concepts related to authentication and authorization, we will take a closer look at service accounts.

Kubernetes has the notion of users and service account to access resources. A user is associated with a key and certificate to authenticate API requests. Any request originated outside of the cluster is authenticated using one of the configured schemes. The most common technique to authenticate requests is through X.509 certificates. Refer to the tutorial on Kubernetes authentication on creating and associating certificates with users.

It’s important to recall that Kubernetes doesn’t maintain a database or profiles of users and passwords. Instead, it expects it to be managed outside of the cluster. Through the concept of authentication modules, Kubernetes can delegate authentication to a 3rd party like OpenID or Active Directory.

While X.509 certificates are used for authenticating external requests, service accounts are meant to authenticate processes running within the cluster. Service accounts are associated with pods that make internal calls to the API server.

Every Kubernetes installation has a service account called default that is associated with every running pod. Similarly, to enable pods to make calls to the internal API Server endpoint, there is a ClusterIP service called Kubernetes. This combination makes it possible for internal processes to call the API endpoint.

Notice that the service account is pointing to a secret that is mounted inside every pod. This secret contains the token expected by the API Server.

Things get clear when we actually schedule a pod and access it. We will launch a pod that is based on BusyBox with curl command.

While we are within the BusyBox shell, let’s try to hit the API Server endpoint.

This will not yield any result since the request lacks the authentication token. Let’s find out how to retrieve the token that can be embedded in the HTTP header.

As discussed earlier, the token is mounted as a secret within the pod. Navigate to /var/run/secrets/kubernetes.io/serviceaccount to find the token.

Let’s set a few environment variables to simplify the curl command.

The below curl command requests the list of services running in the default namespace. Let’s see if we get a response from the API Server.

Surprisingly, the default service account doesn’t have enough permissions to retrieve the services running in the same namespace.

Remember that Kubernetes follows the convention of closed-to-open which means that by default no user or service account has any permissions.

In order to fulfill this request, we need to create a role binding associating the default service account with an appropriate role. This workflow is similar to how we bound a role to Bob that gave him permission to list pods.

Exit the pod and run the below command to create a role binding for the default service account.

The above command associated the default service account with the cluster role view that enables the pod to list the resources.

If you are curious to see all the available cluster roles, run the command, kubectl get clusterroles.

Let’s launch the BusyBox pod again and hit the API Server.

Feel free to create additional bindings for the default service account to check how RBAC extends to pods.

This concludes the series on Kubernetes access control where we discussed the essential building blocks of authentication, authorization, and service accounts.

Janakiram MSV’s Webinar series, “Machine Intelligence and Modern Infrastructure (MI2)” offers informative and insightful sessions covering cutting-edge technologies. Sign up for the upcoming MI2 webinar at http://mi2.live.

A newsletter digest of the week’s most important stories & analyses.