
CKS Exam Series #7 ServiceAccount Tokens

Kim Wuestkamp
Published in ITNEXT
3 min read · Jan 31, 2021

CKS Exam Series | CKA Exam Series | CKAD Exam Series

#####################################

THIS CHALLENGE WON’T BE UPDATED HERE; IT HAS MOVED TO:

https://killercoda.com/killer-shell-cks

######################################

Content

  1. Create Cluster & Security Best Practices
  2. Pods, Secrets and ServiceAccounts
  3. Immutable Pods
  4. Crash that Apiserver & check logs
  5. ImagePolicyWebhook / AdmissionController
  6. Users and CertificateSigningRequests
  7. ServiceAccount Token Mounting
  8. Role Based Access Control (RBAC)
  9. Role Based Access Control (RBAC) v2
  10. Container Hardening
  11. NetworkPolicies (Default Deny + Allowlist)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

→ Check out the FULL CKS COURSE on Udemy ←

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Rules!

  1. Be fast, avoid creating yaml manually from scratch
  2. Use only kubernetes.io/docs for help.
  3. Check our solution after you've done yours. You probably have a better one!

Today's Task: Control ServiceAccount Token Mounting in Pods

  1. Create a new ServiceAccount (SA) special
  2. Create a Pod pod1 with image nginx that uses the default SA
  3. Create a Deployment deploy1 with image nginx and two replicas that uses SA special
  4. Pod pod1 should not mount the SA token; verify it
  5. No Pod at all should mount the token of SA special; verify it


Solution

alias k=kubectl

1. Create SA

k create sa special

2. Create Pod

k run pod1 --image=nginx -oyaml --dry-run=client > pod1.yaml
k -f pod1.yaml create

3. Create Deployment

k create deploy deploy1 --image=nginx -oyaml --dry-run=client > deploy1.yaml
vim deploy1.yaml

Edit to:

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: deploy1
  name: deploy1
spec:
  replicas: 2
  selector:
    matchLabels:
      app: deploy1
  template:
    metadata:
      labels:
        app: deploy1
    spec:
      serviceAccountName: special
      containers:
      - image: nginx
        name: nginx

4. Pod no mount

Edit the Pod to:

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: pod1
  name: pod1
spec:
  automountServiceAccountToken: false
  containers:
  - image: nginx
    name: pod1

And verify:

k exec pod1 -- mount | grep serviceaccount

5. SA no mount

Edit the SA to:

apiVersion: v1
kind: ServiceAccount
metadata:
name: special
namespace: default
automountServiceAccountToken: false

Verify:

k rollout restart deploy deploy1
k exec deploy1-775d6566dc-bq757 -- mount | grep serviceaccount
k exec deploy1-775d6566dc-qwthl -- mount | grep serviceaccount

What happens if the SA says false to token mounting but the Pod says true? Then the token will be mounted: the Pod's automountServiceAccountToken setting takes precedence, and the value on the SA only provides the default for Pods that don't set it themselves.
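The precedence rule above, as an added example that is not part of the original post: a small Python audit (assumed helper names, constructed sample manifests shaped like kubectl get -o json output) that decides for each Pod whether a token ends up mounted, and also flags projected volumes that request a token explicitly, which the automount flags do not control.

```python
def effective_automount(pod, sas):
    """True if Kubernetes will auto-inject the SA token into this Pod.
    Precedence: pod.spec.automountServiceAccountToken wins; otherwise the
    ServiceAccount's automountServiceAccountToken; otherwise the default, True."""
    spec = pod["spec"]
    if spec.get("automountServiceAccountToken") is not None:
        return bool(spec["automountServiceAccountToken"])
    sa = sas.get(spec.get("serviceAccountName", "default"), {})
    if sa.get("automountServiceAccountToken") is not None:
        return bool(sa["automountServiceAccountToken"])
    return True

def explicit_token_volumes(pod):
    """Names of projected volumes that request a serviceAccountToken source directly.
    These are mounted regardless of the automount flags, so a flag-only audit misses them."""
    return [v["name"] for v in pod["spec"].get("volumes", [])
            if any("serviceAccountToken" in s
                   for s in v.get("projected", {}).get("sources", []))]

def audit(pod_list, sa_list):
    """Map Pod name -> True if a token is mounted, automatically or explicitly.
    Inputs have the shape of `kubectl get pods -o json` / `kubectl get sa -o json`."""
    sas = {s["metadata"]["name"]: s for s in sa_list["items"]}
    return {p["metadata"]["name"]: effective_automount(p, sas) or bool(explicit_token_volumes(p))
            for p in pod_list["items"]}

def pod(name, sa=None, automount=None, volumes=None):
    """Build a minimal Pod manifest for the constructed sample below (helper, assumed)."""
    spec = {"containers": [{"name": "nginx", "image": "nginx"}]}
    if sa:
        spec["serviceAccountName"] = sa
    if automount is not None:
        spec["automountServiceAccountToken"] = automount
    if volumes:
        spec["volumes"] = volumes
    return {"metadata": {"name": name}, "spec": spec}

# Constructed sample: SA "special" with automount disabled, the default SA untouched.
SAMPLE_SAS = {"items": [
    {"metadata": {"name": "default"}},
    {"metadata": {"name": "special"}, "automountServiceAccountToken": False},
]}
SAMPLE_PODS = {"items": [
    pod("pod1", automount=False),                   # task step 4: Pod opts out itself
    pod("deploy1-abc12", sa="special"),             # task step 5: inherits the SA default
    pod("override", sa="special", automount=True),  # Pod setting wins over the SA
    pod("explicit", sa="special", volumes=[{"name": "tok", "projected": {"sources": [
        {"serviceAccountToken": {"path": "token"}}]}}]),  # mounted despite the flags
]}
```

Calling audit(SAMPLE_PODS, SAMPLE_SAS) reports pod1 and deploy1-abc12 without a token, while override (Pod says true) and explicit (projected volume) both get one.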


What is the ServiceAccount token?

Every SA has a token which can be used to authenticate against the K8s API. If that SA has been granted permissions (RBAC), the token can be used to perform those actions.

Mounting the SA token in a Pod is most often not necessary, because Pods that just run an application usually don't need to talk to the API. But there are valid use cases for which mounting should be enabled.

If you do mount the token in a Pod, make sure the SA has only the least permissions necessary.

You have a different solution?

Let us know by leaving a comment below!

— — — The END — — —

So much for this session. See you at the next one and happy learning!

Ready to join Killer Shell?

FULL CKS COURSE

LINK

…or the CKS SIMULATOR

https://killer.sh/cks


Written by Kim Wuestkamp

killercoda.com | killer.sh (CKS CKA CKAD Simulator) | Software Engineer, Infrastructure Architect, Certified Kubernetes
