How to create a client certificate and client key for a Service Account on k8s

12/17/2020

I am experimenting with service accounts and user accounts.

I am able to create CA / Key for user accounts in order to be able to verify the user through the Server-API but I am failing to do the same for Service Accounts.

I have created a kubeconfig file:

apiVersion: v1
clusters:
- cluster:
    certificate-authority: ca.crt
    server: https://ip:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    namespace: namespace-test
    user: test
  name: test-kubernetes
current-context: "test-kubernetes"
kind: Config
preferences: {}
users:
- name: test
  user:
    client-certificate: test.crt
    client-key: test.key

When I use this kubeconfig file, and based on the RBAC rules, I can reach the Server-API:

$ kubectl --kubeconfig /tmp/rbac-test/test.kubeconfig get pods
No resources found in namespace-test namespace.

Sample of the file with which I create the namespace, service account, etc.:

apiVersion: v1
kind: Namespace
metadata:
  name: namespace-test
---
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    user: test
  name: test
  namespace: namespace-test
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    user: test
  name: role-test
  namespace: namespace-test
rules:
- apiGroups: [""]
  resources: ["*"]
  verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    user: test
  name: rolebinding-test
  namespace: namespace-test
subjects:
  - kind: User
    name: test
roleRef:
  kind: Role
  name: role-test
  apiGroup: rbac.authorization.k8s.io

When I modify the user to a service account user I lose control over the namespace:

subjects:
  - kind: ServiceAccount
    name: test
    namespace: namespace-test

Then I try to get the pods and I get forbidden:

$ kubectl --kubeconfig /tmp/rbac-test/test.kubeconfig get pods
Error from server (Forbidden): pods is forbidden: User "test" cannot list resource "pods" in API group "" in the namespace "namespace-test"

But when I check if the service account can fetch the pods it is valid:

$ kubectl auth can-i get pods --as system:serviceaccount:namespace-test:test -n namespace-test
yes

Is there any way to retrieve or create CAs for service account users? I want to be able to connect from outside the cluster through the Server-API and at the same time use a service account and not a normal user.

The reason that I want to use a service account and not a user is to be able to use the Dashboard through different users with token verification.

-- Thanos
kubernetes
service-accounts

0 Answers
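Added example, not part of the post above and not Kubernetes' own code: a small Python script showing the two halves of the problem the question describes. A client certificate authenticates as a plain User whose name is the certificate CN (here `test`), while a ServiceAccount authenticates with a bearer token whose `sub` claim is `system:serviceaccount:<namespace>:<name>`; a RoleBinding only grants to the subject that actually matches the presented identity. The script decodes a constructed sample token (claims only, no signature check), maps both identities to their RBAC subject, checks them against the two RoleBinding variants from the post, and emits a kubeconfig that carries the token instead of `client-certificate`/`client-key`. The token, CA PEM and server URL are constructed placeholders, and all function names are my own.

```python
import base64
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


# Constructed sample in the shape of a ServiceAccount token issued by
# kube-apiserver. The signature segment is a placeholder: this script only
# reads claims, the API server is what verifies the signature.
SAMPLE_TOKEN = ".".join([
    _b64url(json.dumps({"alg": "RS256", "kid": "constructed"}).encode()),
    _b64url(json.dumps({
        "iss": "kubernetes/serviceaccount",
        "kubernetes.io/serviceaccount/namespace": "namespace-test",
        "kubernetes.io/serviceaccount/service-account.name": "test",
        "sub": "system:serviceaccount:namespace-test:test",
    }).encode()),
    _b64url(b"constructed-signature"),
])

# Constructed placeholder; a real one is the cluster CA (the same ca.crt the
# post's kubeconfig references).
SAMPLE_CA_PEM = (
    "-----BEGIN CERTIFICATE-----\nCONSTRUCTED-PLACEHOLDER\n"
    "-----END CERTIFICATE-----\n"
)

# The two RoleBinding subject lists from the post, reduced to what matters.
USER_BINDING = {"metadata": {"namespace": "namespace-test"},
                "subjects": [{"kind": "User", "name": "test"}]}
SA_BINDING = {"metadata": {"namespace": "namespace-test"},
              "subjects": [{"kind": "ServiceAccount", "name": "test",
                            "namespace": "namespace-test"}]}


def token_claims(token: str) -> dict:
    """Return the JWT payload of a ServiceAccount token (no verification)."""
    _header, payload, _sig = token.split(".")
    return json.loads(_b64url_decode(payload))


def rbac_subject_for(username: str) -> dict:
    """Map an authenticated username to the RoleBinding subject it needs.

    A client cert's CN is used as-is as a User name; a ServiceAccount token
    authenticates as system:serviceaccount:<namespace>:<name>.
    """
    prefix = "system:serviceaccount:"
    if username.startswith(prefix):
        ns, name = username[len(prefix):].split(":", 1)
        return {"kind": "ServiceAccount", "name": name, "namespace": ns}
    return {"kind": "User", "name": username}


def binding_grants(rolebinding: dict, subject: dict) -> bool:
    """True if the RoleBinding lists exactly this subject."""
    for s in rolebinding.get("subjects", []):
        if s.get("kind") != subject["kind"] or s.get("name") != subject["name"]:
            continue
        # For a ServiceAccount the namespace is part of the identity.
        if subject["kind"] == "ServiceAccount" and \
                s.get("namespace") != subject["namespace"]:
            continue
        return True
    return False


def build_kubeconfig(server: str, ca_pem: str, token: str,
                     namespace: str, user: str) -> dict:
    """Kubeconfig that presents the SA bearer token instead of a client cert.

    Returned as a dict; json.dumps() of it is a valid kubeconfig, because
    kubectl reads YAML and JSON is a subset of YAML.
    """
    return {
        "apiVersion": "v1",
        "kind": "Config",
        "clusters": [{"name": "kubernetes", "cluster": {
            "server": server,
            "certificate-authority-data":
                base64.b64encode(ca_pem.encode()).decode()}}],
        "users": [{"name": user, "user": {"token": token}}],
        "contexts": [{"name": f"{user}-kubernetes", "context": {
            "cluster": "kubernetes", "namespace": namespace, "user": user}}],
        "current-context": f"{user}-kubernetes",
        "preferences": {},
    }


if __name__ == "__main__":
    cert_identity = rbac_subject_for("test")  # CN of test.crt
    token_identity = rbac_subject_for(token_claims(SAMPLE_TOKEN)["sub"])
    print("cert user vs SA binding:", binding_grants(SA_BINDING, cert_identity))
    print("SA token vs SA binding:", binding_grants(SA_BINDING, token_identity))
    cfg = build_kubeconfig("https://ip:6443", SAMPLE_CA_PEM, SAMPLE_TOKEN,
                           "namespace-test", "test")
    print(json.dumps(cfg, indent=2))
```

On a cluster of the post's vintage (Kubernetes 1.19/1.20, December 2020) the real token and CA are in the Secret the ServiceAccount references: `kubectl -n namespace-test get secret $(kubectl -n namespace-test get sa test -o jsonpath='{.secrets[0].name}') -o jsonpath='{.data.token}' | base64 -d` prints the token, and `.data.ca\.crt` the CA. On 1.24 and later those Secrets are no longer auto-created and `kubectl create token test -n namespace-test` issues a short-lived one. Either way the identity presented is the ServiceAccount, so the `kind: ServiceAccount` RoleBinding applies, which is exactly the case `kubectl auth can-i --as system:serviceaccount:namespace-test:test` was exercising.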