@mohanpedala
Last active April 24, 2019 20:57
k8s service accounts
  1. Create service account for user Alice

```bash
kubectl create sa alice
```

  2. Get related secret

```bash
secret=$(kubectl get sa alice -o json | jq -r .secrets[].name)
```

  3. Get ca.crt from secret (using OSX base64 with -D flag for decode; GNU base64 on Linux uses -d instead)

```bash
kubectl get secret $secret -o json | jq -r '.data["ca.crt"]' | base64 -D > ca.crt
```

  4. Get service account token from secret

```bash
user_token=$(kubectl get secret $secret -o json | jq -r '.data["token"]' | base64 -D)
```

  5. Get information from your kubectl config (current-context, server..)

```bash
# get current context
c=$(kubectl config current-context)

# get cluster name of context
# (the current context row is marked with "*" in the first column, so CLUSTER is the 3rd field)
name=$(kubectl config get-contexts "$c" | awk '{print $3}' | tail -n 1)

# get endpoint of current context
endpoint=$(kubectl config view -o jsonpath="{.clusters[?(@.name == \"$name\")].cluster.server}")
```
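As an added example (not part of the gist), the same extraction that steps 2 to 4 do with jq and base64, done in Python, plus the check a practitioner wants before building a kubeconfig from it: the legacy service-account token is a JWT whose sub claim is system:serviceaccount:<namespace>:<name>, and that exact string is what an ABAC policy's spec.user has to name. The secret JSON and the token below are constructed inline (the token is unsigned and only stands in for a real one); function names such as extract_credentials and token_matches_account are this example's own.

```python
# Added example (not from the gist): reproduce the jq/base64 extraction of
# steps 2-4 in Python and verify the token belongs to the expected account.
import base64
import json


def _b64url_decode(segment):
    """Decode a base64url JWT segment, restoring the padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def extract_credentials(secret_json):
    """Equivalent of the jq + base64 -D pipeline: given the output of
    `kubectl get secret $secret -o json`, return (ca.crt bytes, token str).
    Python's base64 module removes the macOS -D / GNU -d portability issue."""
    data = json.loads(secret_json)["data"]
    ca_crt = base64.b64decode(data["ca.crt"])
    token = base64.b64decode(data["token"]).decode("ascii")
    return ca_crt, token


def token_claims(token):
    """Return the payload claims of a JWT service-account token.
    The signature is not verified here; only the API server can do that."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def token_matches_account(token, namespace, name):
    """Check that the token's subject is the service account we created;
    this is the string an ABAC policy's spec.user must name."""
    expected = "system:serviceaccount:%s:%s" % (namespace, name)
    return token_claims(token).get("sub") == expected


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


# Constructed sample input: an unsigned token carrying the claims a legacy
# service-account token has, wrapped in a fake Secret like kubectl would print.
_CLAIMS = {
    "iss": "kubernetes/serviceaccount",
    "kubernetes.io/serviceaccount/namespace": "default",
    "kubernetes.io/serviceaccount/service-account.name": "alice",
    "sub": "system:serviceaccount:default:alice",
}
SAMPLE_TOKEN = ".".join([
    _b64url(b'{"alg":"RS256"}'),
    _b64url(json.dumps(_CLAIMS).encode()),
    "constructed-signature",  # placeholder, not a real signature
])
SAMPLE_SECRET_JSON = json.dumps({
    "kind": "Secret",
    "data": {
        "ca.crt": base64.b64encode(
            b"-----BEGIN CERTIFICATE-----\nconstructed\n-----END CERTIFICATE-----\n"
        ).decode("ascii"),
        "token": base64.b64encode(SAMPLE_TOKEN.encode("ascii")).decode("ascii"),
    },
})

if __name__ == "__main__":
    ca, tok = extract_credentials(SAMPLE_SECRET_JSON)
    print(token_claims(tok)["sub"])
    print("matches default/alice:", token_matches_account(tok, "default", "alice"))
```

Run against a real secret by feeding `kubectl get secret $secret -o json` into extract_credentials; if token_matches_account is False for the namespace you think the account lives in, the ABAC policy below will not match it either.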
On a fresh machine, follow these steps (given the ca.crt and $endpoint information retrieved above):

Pre-req for following steps:
    - kubectl
  1. Set cluster (run in directory where ca.crt is stored)

```bash
kubectl config set-cluster cluster-staging \
  --embed-certs=true \
  --server=$endpoint \
  --certificate-authority=./ca.crt
```

  2. Set user credentials

```bash
kubectl config set-credentials alice-staging --token=$user_token
```

  3. Define the combination of alice user with the staging cluster

```bash
kubectl config set-context alice-staging \
  --cluster=cluster-staging \
  --user=alice-staging \
  --namespace=alice
```

  4. Switch current-context to alice-staging for the user

```bash
kubectl config use-context alice-staging
```
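As an added example (not part of the gist), the kubeconfig that the four kubectl config commands above produce, built directly in Python so it can be generated for a fresh machine or a CI runner without kubectl present. It shows what each flag turns into (--embed-certs=true becomes certificate-authority-data, --token becomes users[].user.token, use-context sets current-context) and checks what kubectl would refuse: a non-https endpoint, a context pointing at a cluster or user that does not exist, or embedded CA data that is not PEM. The endpoint, CA and token values are constructed stand-ins for $endpoint, ./ca.crt and $user_token; names like build_kubeconfig and validate_kubeconfig are this example's own.

```python
# Added example (not from the gist): build and sanity-check the kubeconfig the
# set-cluster / set-credentials / set-context / use-context steps produce.
import base64
import json


def build_kubeconfig(endpoint, ca_pem, token, cluster="cluster-staging",
                     user="alice-staging", context="alice-staging",
                     namespace="alice"):
    """Return a kubeconfig dict equivalent to the four kubectl config commands."""
    if not endpoint.startswith("https://"):
        # a plaintext endpoint would send the bearer token in the clear
        raise ValueError("API server endpoint must be https://, got %r" % endpoint)
    return {
        "apiVersion": "v1",
        "kind": "Config",
        "clusters": [{
            "name": cluster,
            "cluster": {
                "server": endpoint,
                # --embed-certs=true: the CA PEM is stored base64-encoded inline
                "certificate-authority-data": base64.b64encode(ca_pem).decode("ascii"),
            },
        }],
        "users": [{"name": user, "user": {"token": token}}],
        "contexts": [{
            "name": context,
            "context": {"cluster": cluster, "user": user, "namespace": namespace},
        }],
        "current-context": context,
        "preferences": {},
    }


def validate_kubeconfig(config):
    """Check the references kubectl resolves at load time and return
    (server, token) for the current context."""
    ctx_name = config.get("current-context")
    contexts = {c["name"]: c["context"] for c in config.get("contexts", [])}
    clusters = {c["name"]: c["cluster"] for c in config.get("clusters", [])}
    users = {u["name"]: u["user"] for u in config.get("users", [])}
    if ctx_name not in contexts:
        raise ValueError("current-context %r is not defined" % ctx_name)
    ctx = contexts[ctx_name]
    if ctx["cluster"] not in clusters:
        raise ValueError("context references unknown cluster %r" % ctx["cluster"])
    if ctx["user"] not in users:
        raise ValueError("context references unknown user %r" % ctx["user"])
    cluster = clusters[ctx["cluster"]]
    ca_pem = base64.b64decode(cluster["certificate-authority-data"])
    if b"BEGIN CERTIFICATE" not in ca_pem:
        raise ValueError("embedded certificate-authority-data is not a PEM certificate")
    return cluster["server"], users[ctx["user"]]["token"]


def to_kubeconfig_text(config):
    """Serialize as JSON; JSON is valid YAML, so kubectl loads it as a kubeconfig."""
    return json.dumps(config, indent=2)


# Constructed sample values standing in for $endpoint, ./ca.crt and $user_token
SAMPLE_ENDPOINT = "https://203.0.113.10:6443"
SAMPLE_CA_PEM = b"-----BEGIN CERTIFICATE-----\nconstructed\n-----END CERTIFICATE-----\n"
SAMPLE_TOKEN = "constructed.sa.token"

if __name__ == "__main__":
    cfg = build_kubeconfig(SAMPLE_ENDPOINT, SAMPLE_CA_PEM, SAMPLE_TOKEN)
    print(validate_kubeconfig(cfg))
    print(to_kubeconfig_text(cfg))
```

Write the output of to_kubeconfig_text to a file and point KUBECONFIG at it; the resulting context behaves exactly like the one created interactively above.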
  5. To control user access with policies (using ABAC), you need to create a policy file (for example). The API server reads this file as one JSON object per line, so each policy is written on a single line:

```json
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user": "system:serviceaccount:default:alice", "namespace": "default", "resource": "*", "readonly": true}}
```

  6. Provision this policy.json on every master node and add --authorization-mode=ABAC --authorization-policy-file=/path/to/policy.json flags to API servers
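As an added example (not part of the gist), a small offline evaluator for the ABAC policy above, so the effect of a policy line can be checked before it is provisioned on the masters and the API server restarted. It writes policy lines in the one-object-per-line format, loads a policy file the way the API server does (a pretty-printed multi-line object fails to parse), and applies the matching rules: a line must name a user or group to match anyone, "*" matches any value, an unset namespace/resource/apiGroup matches only the empty value (so the policy above covers core-group resources only), and readonly restricts the line to get, list and watch. The test values show two things a practitioner wants to see: the token subject from the steps above is allowed to read in namespace default, but the same account gets nothing in namespace alice, which is the namespace the alice-staging context was created with. The policy file content is constructed from the gist's values; names such as policy_line and abac_allows are this example's own.

```python
# Added example (not from the gist): write ABAC policy lines and evaluate
# requests against them offline, mirroring the API server's matching rules.
import json

API_VERSION = "abac.authorization.kubernetes.io/v1beta1"
READONLY_VERBS = {"get", "list", "watch"}


def policy_line(user="", group="", namespace="", resource="", api_group="",
                readonly=False):
    """One policy as a single JSON line; the file is one object per line,
    with no surrounding list. Unset fields are left out (their zero value)."""
    spec = {}
    for key, value in (("user", user), ("group", group), ("namespace", namespace),
                       ("resource", resource), ("apiGroup", api_group)):
        if value:
            spec[key] = value
    if readonly:
        spec["readonly"] = True
    return json.dumps({"apiVersion": API_VERSION, "kind": "Policy", "spec": spec},
                      separators=(",", ":"))


def load_policy_file(text):
    """Parse a policy file line by line; an indented multi-line object fails
    here just as it does in the API server."""
    policies = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
        except ValueError as exc:
            raise ValueError("policy file line %d is not one complete JSON object: %s"
                             % (lineno, exc))
        if obj.get("kind") != "Policy" or obj.get("apiVersion") != API_VERSION:
            raise ValueError("policy file line %d is not an ABAC Policy object" % lineno)
        policies.append(obj.get("spec", {}))
    return policies


def _subject_matches(spec, user, groups):
    """A line with neither user nor group set matches nobody; "*" matches
    anyone (the real server treats it as the system:authenticated group)."""
    matched = False
    p_user, p_group = spec.get("user", ""), spec.get("group", "")
    if p_user:
        if p_user == "*" or p_user == user:
            matched = True
        else:
            return False
    if p_group:
        if p_group == "*" or p_group in groups:
            matched = True
        else:
            return False
    return matched


def _field_matches(policy_value, request_value):
    # "*" matches anything; otherwise the values must be equal, and an unset
    # policy field (zero value "") only matches a request with that zero value
    return policy_value == "*" or policy_value == request_value


def abac_allows(policies, user, verb, namespace="", resource="", api_group="",
                groups=()):
    """True if at least one policy line matches the request attributes."""
    for spec in policies:
        if not _subject_matches(spec, user, groups):
            continue
        if spec.get("readonly") and verb not in READONLY_VERBS:
            continue
        if (_field_matches(spec.get("namespace", ""), namespace)
                and _field_matches(spec.get("resource", ""), resource)
                and _field_matches(spec.get("apiGroup", ""), api_group)):
            return True
    return False


# The gist's policy, as policy.json should contain it (constructed file content)
ALICE = "system:serviceaccount:default:alice"
ALICE_POLICY_FILE = policy_line(user=ALICE, namespace="default", resource="*",
                                readonly=True) + "\n"

if __name__ == "__main__":
    policies = load_policy_file(ALICE_POLICY_FILE)
    for ns, verb in (("default", "list"), ("default", "create"), ("alice", "list")):
        print(ns, verb, "pods ->", abac_allows(policies, ALICE, verb, ns, "pods"))
```

On a live cluster the same questions are answered by kubectl auth can-i run under the alice-staging context; the evaluator only lets you reason about the file before deploying it.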