K
Q

How to create a client certificate and client key for a Service Account on k8s

12/17/2020

I am experimenting with service accounts and user accounts.

I am able to create CA / Key for user accounts in order to be able to verify the user through the Server-API but I am failing to do the same for Service Accounts.

I have created a kubeconfig file:

apiVersion: v1
clusters:
- cluster:
    certificate-authority: ca.crt
    server: https://ip:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    namespace: namespace-test
    user: test
  name: test-kubernetes
current-context: "test-kubernetes"
kind: Config
preferences: {}
users:
- name: test
  user:
    client-certificate: test.crt
    client-key: test.key

When I am using this kubeconfig file and based on the RBAC rules I can reach the Server-Api:

$ kubectl --kubeconfig /tmp/rbac-test/test.kubeconfig get pods
No resources found in namespace-test namespace.

Sample of file that I create the name space, service account etc.

apiVersion: v1
kind: Namespace
metadata:
  name: namespace-test
---
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    user: test
  name: test
  namespace: namespace-test
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    user: test
  name: role-test
  namespace: namespace-test
rules:
- apiGroups: [""]
  resources: ["*"]
  verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    user: test
  name: rolebinding-test
  namespace: namespace-test
subjects:
  - kind: User
    name: test
roleRef:
  kind: Role
  name: role-test
  apiGroup: rbac.authorization.k8s.io

When I modify the user to service account user I loose control over the namespace:

subjects:
  - kind: ServiceAccount

Then I try to get the pods and I get forbitten:

$ kubectl --kubeconfig /tmp/rbac-test/test.kubeconfig get pods
Error from server (Forbidden): pods is forbidden: User "test" cannot list resource "pods" in API group "" in the namespace "namespace-test"

But when I check if the service account can fetch the pods it is valid:

$ kubectl auth can-i get pods --as system:serviceaccount:namespace-test:test -n namespace-test
yes

Is there any way to retrieve or create CAs for service account users? I want to be able to connect outside the cluster through the Server-Api and at the same time to use a service account and not a normal user.

The reason that I want to use a service account and not a user is to be able to use the Dashboard through different users with token verification.

-- Thanos
kubernetes
service-accounts

Similar Questions

Does the Kubernetes client-go library contain a function for validating json/yaml files?
How to differentiate whether the code is running in an emulator or in GKE when working with GCP's Datastore
How to show hostname or pod infos in kubernetes with an echoserver?
Kubelet periodically lose TCP connection with pods when doing liveness/readiness probe check on GKE
Deploy GitLab with Helm on Kubernetes

0 Answers