CKS Exam Series #7 ServiceAccount Tokens
Kubernetes CKS Example Exam Question Series

#####################################
THIS CHALLENGE WON’T BE UPDATED HERE AND MOVED TO:
https://killercoda.com/killer-shell-cks
######################################
Content
- Create Cluster & Security Best Practices
- Pods, Secrets and ServiceAccounts
- Immutable Pods
- Crash that Apiserver & check logs
- ImagePolicyWebhook / AdmissionController
- Users and CertificateSigningRequests
- ServiceAccount Token Mounting
- Role Based Access Control (RBAC)
- Role Based Access Control (RBAC) v2
- Container Hardening
- NetworkPolicies (Default Deny + Allowlist)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
→ Check out the FULL CKS COURSE on Udemy ←
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Rules!
- Be fast, avoid creating yaml manually from scratch
- Use only kubernetes.io/docs for help.
- Check our solution after you did yours. You probably have a better one!
Today's Task: Control ServiceAccount Token Mounting in Pods
- Create a new ServiceAccount (SA) special
- Create a Pod pod1 (image nginx) which uses the default SA
- Create a Deployment deploy1 (image nginx) with two replicas using SA special
- Pod pod1 should not mount the SA token, verify it
- No Pods at all should mount the token of SA special, verify it
.
.
.
.
.
Solution
alias k=kubectl
1. Create SA
k create sa special
2. Create Pod
k run pod1 --image=nginx -oyaml --dry-run=client > pod1.yaml
k create -f pod1.yaml
3. Create Deployment
k create deploy deploy1 --image=nginx -oyaml --dry-run=client > deploy1.yaml
vim deploy1.yaml
Edit to:
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: deploy1
  name: deploy1
spec:
  replicas: 2
  selector:
    matchLabels:
      app: deploy1
  template:
    metadata:
      labels:
        app: deploy1
    spec:
      serviceAccountName: special
      containers:
      - image: nginx
        name: nginx
4. Pod no mount
The automountServiceAccountToken field of a Pod is immutable, so edit pod1.yaml, delete the running Pod and recreate it from the file:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: pod1
  name: pod1
spec:
  automountServiceAccountToken: false
  containers:
  - image: nginx
    name: pod1
And verify (no output means no token volume is mounted):
k exec pod1 -- mount | grep serviceaccount
5. SA no mount
Edit the SA to:
apiVersion: v1
kind: ServiceAccount
metadata:
  name: special
  namespace: default
automountServiceAccountToken: false
Verify. The SA setting only affects Pods created after the change, so restart the Deployment to get fresh Pods, then check each new Pod (use the names from k get pods; both commands should print nothing):
k rollout restart deploy deploy1
k exec deploy1-775d6566dc-bq757 -- mount | grep serviceaccount
k exec deploy1-775d6566dc-qwthl -- mount | grep serviceaccount
What happens if the SA says false to token mounting and the Pod says true? Then the token will be mounted: the Pod's automountServiceAccountToken takes precedence, and the field on the SA only sets the default for Pods that do not specify their own.
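To make that precedence rule and the task's "verify it" step concrete, here is an added example (not code from the original post or from the Killer Shell course) that reproduces the apiserver's decision offline. It takes Pod and ServiceAccount manifests as dicts in the shape of `kubectl get -o json`, reports which Pods would end up with a token of a given SA, and parses the output of the `mount` check used above. The manifests and the `mount` output are constructed sample data; the Pods named override and projected are hypothetical and only show the two ways the SA default can be bypassed.

```python
"""Added example: decide offline whether a Pod will get a ServiceAccount token.

Mirrors the rule the apiserver's ServiceAccount admission plugin applies:
  1. pod.spec.automountServiceAccountToken wins if it is set,
  2. otherwise ServiceAccount.automountServiceAccountToken if it is set,
  3. otherwise the token is mounted (default true).
A Pod that adds its own projected serviceAccountToken volume receives a
token regardless of both flags, so that case is reported as well.
All manifests below are constructed dicts in the shape of `kubectl get -o json`.
"""

TOKEN_MOUNT_SUFFIX = "secrets/kubernetes.io/serviceaccount"


def effective_automount(pod, sa):
    """True if the admission plugin would inject the token volume."""
    spec = pod.get("spec", {})
    if "automountServiceAccountToken" in spec:      # Pod setting wins
        return bool(spec["automountServiceAccountToken"])
    if "automountServiceAccountToken" in sa:        # then the SA default
        return bool(sa["automountServiceAccountToken"])
    return True                                     # cluster default: mount


def explicit_token_volumes(pod):
    """Names of volumes that project a token manually (bypasses automount)."""
    names = []
    for vol in pod.get("spec", {}).get("volumes", []):
        for src in vol.get("projected", {}).get("sources", []):
            if "serviceAccountToken" in src:
                names.append(vol["name"])
    return names


def audit(pods, service_accounts):
    """Map pod name -> (SA name, token present) for every Pod."""
    sa_by_name = {sa["metadata"]["name"]: sa for sa in service_accounts}
    report = {}
    for pod in pods:
        sa_name = pod["spec"].get("serviceAccountName", "default")
        sa = sa_by_name.get(sa_name, {})
        mounted = effective_automount(pod, sa) or bool(explicit_token_volumes(pod))
        report[pod["metadata"]["name"]] = (sa_name, mounted)
    return report


def pods_mounting_sa(report, sa_name):
    """Pods that would receive the token of sa_name (the task wants none for 'special')."""
    return sorted(p for p, (sa, mounted) in report.items() if sa == sa_name and mounted)


def token_mounted_in_container(mount_output):
    """Parse `mount` output from inside a container, as `k exec <pod> -- mount` returns it.
    In images where /var/run is a symlink to /run the mountpoint shows up as
    /run/secrets/..., so only the path suffix is compared."""
    for line in mount_output.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[1] == "on" and parts[2].endswith(TOKEN_MOUNT_SUFFIX):
            return True
    return False


# Constructed sample data mirroring the task.
SA_DEFAULT = {"metadata": {"name": "default"}}
SA_SPECIAL = {"metadata": {"name": "special"}, "automountServiceAccountToken": False}

POD1 = {"metadata": {"name": "pod1"},
        "spec": {"automountServiceAccountToken": False,
                 "containers": [{"name": "pod1", "image": "nginx"}]}}
DEPLOY1_POD = {"metadata": {"name": "deploy1-775d6566dc-bq757"},
               "spec": {"serviceAccountName": "special",
                        "containers": [{"name": "nginx", "image": "nginx"}]}}
# Hypothetical Pods (not from the post): the two ways the SA default gets overridden.
POD_OVERRIDE = {"metadata": {"name": "override"},
                "spec": {"serviceAccountName": "special",
                         "automountServiceAccountToken": True,
                         "containers": [{"name": "c", "image": "nginx"}]}}
POD_PROJECTED = {"metadata": {"name": "projected"},
                 "spec": {"serviceAccountName": "special",
                          "containers": [{"name": "c", "image": "nginx"}],
                          "volumes": [{"name": "tok", "projected": {"sources": [
                              {"serviceAccountToken": {"path": "token", "expirationSeconds": 3600}}]}}]}}

# Constructed `mount` output of a Pod that does have the token mounted.
MOUNT_WITH_TOKEN = (
    "overlay on / type overlay (rw,relatime)\n"
    "tmpfs on /run/secrets/kubernetes.io/serviceaccount type tmpfs (ro,relatime,size=16384k)\n"
)

if __name__ == "__main__":
    report = audit([POD1, DEPLOY1_POD, POD_OVERRIDE, POD_PROJECTED], [SA_DEFAULT, SA_SPECIAL])
    for name, (sa, mounted) in report.items():
        print(f"{name:28} sa={sa:8} token_mounted={mounted}")
    print("pods still mounting 'special':", pods_mounting_sa(report, "special"))
    print("mount output shows token:", token_mounted_in_container(MOUNT_WITH_TOKEN))
```

Running it lists pod1 and the deploy1 Pod without a token and flags the two hypothetical Pods, which is exactly what a reviewer of the task should look for: a Pod-level true, or a hand-written projected volume, silently undoes the false on the ServiceAccount.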
.
.
.
.
.
What is the ServiceAccount token?
Every SA has a token that can be used to authenticate to the Kubernetes API. If RBAC grants that SA permissions, whoever holds the token, including an attacker who has compromised the container, can use them.
Mounting the SA token into a Pod is most often unnecessary, because a Pod that just runs an application has no reason to talk to the API. There are valid use cases (controllers, operators, in-cluster tooling) for which mounting should stay enabled.
If you do mount the token in a Pod, make sure the SA has only the least permissions necessary, and on Kubernetes 1.22 and newer rely on the projected, time-limited token that is mounted by default rather than creating a long-lived Secret-based token.
You have a different solution?
Let us know by leaving a comment below!
— — — The END — — —
So much for this session. See you at the next one and happy learning!