Managing Service Accounts

    A process inside a Pod can use the identity of its associated service account to authenticate to the cluster’s API server.

    For an introduction to service accounts, read configure service accounts.

    This task guide explains some of the concepts behind ServiceAccounts. The guide also explains how to obtain or revoke tokens that represent ServiceAccounts.

    You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. It is recommended to run this tutorial on a cluster with at least two nodes that are not acting as control plane hosts. If you do not already have a cluster, you can create one by using minikube or you can use one of these Kubernetes playgrounds:

    To be able to follow these steps exactly, ensure you have a namespace named . If you don’t, create one by running:

    User accounts versus service accounts

    Kubernetes distinguishes between the concept of a user account and a service account for a number of reasons:

    • User accounts are for humans. Service accounts are for application processes, which (for Kubernetes) run in containers that are part of pods.
    • User accounts are intended to be global: names must be unique across all namespaces of a cluster. No matter what namespace you look at, a particular username that represents a user represents the same user. In Kubernetes, service accounts are namespaced: two different namespaces can contain ServiceAccounts that have identical names.
    • Typically, a cluster’s user accounts might be synchronised from a corporate database, where new user account creation requires special privileges and is tied to complex business processes. By contrast, service account creation is intended to be more lightweight, allowing cluster users to create service accounts for specific tasks on demand. Separating ServiceAccount creation from the steps to onboard human users makes it easier for workloads to following the principle of least privilege.
    • Auditing considerations for humans and service accounts may differ; the separation makes that easier to achieve.
    • A configuration bundle for a complex system may include definition of various service accounts for components of that system. Because service accounts can be created without many constraints and have namespaced names, such configuration is usually portable.

    Bound service account token volume mechanism

    FEATURE STATE: Kubernetes v1.22 [stable]

    By default, the Kubernetes control plane (specifically, the ) adds a projected volume to Pods, and this volume includes a token for Kubernetes API access.

    Here’s an example of how that looks for a launched Pod:

    1. ...
    2. - name: kube-api-access-<random-suffix>
    3. projected:
    4. sources:
    5. - serviceAccountToken:
    6. path: token # must match the path the app expects
    7. - configMap:
    8. items:
    9. - key: ca.crt
    10. path: ca.crt
    11. name: kube-root-ca.crt
    12. - downwardAPI:
    13. items:
    14. - fieldRef:
    15. apiVersion: v1
    16. fieldPath: metadata.namespace

    That manifest snippet defines a projected volume that consists of three sources. In this case, each source also represents a single path within that volume. The three sources are:

    1. A serviceAccountToken source, that contains a token that the kubelet acquires from kube-apiserver. The kubelet fetches time-bound tokens using the TokenRequest API. A token served for a TokenRequest expires either when the pod is deleted or after a defined lifespan (by default, that is 1 hour). The token is bound to the specific Pod and has the kube-apiserver as its audience. This mechanism superseded an earlier mechanism that added a volume based on a Secret, where the Secret represented the ServiceAccount for the Pod, but did not expire.
    2. A configMap source. The ConfigMap contains a bundle of certificate authority data. Pods can use these certificates to make sure that they are connecting to your cluster’s kube-apiserver (and not to middlebox or an accidentally misconfigured peer).
    3. A downwardAPI source that looks up the name of the namespace containing the Pod, and makes that name information available to application code running inside the Pod.

    Any container within the Pod that mounts this particular volume can access the above information.

    Note: There is no specific mechanism to invalidate a token issued via TokenRequest. If you no longer trust a bound service account token for a Pod, you can delete that Pod. Deleting a Pod expires its bound service account tokens.

    Versions of Kubernetes before v1.22 automatically created credentials for accessing the Kubernetes API. This older mechanism was based on creating token Secrets that could then be mounted into running Pods.

    You can still manually create a Secret to hold a service account token; for example, if you need a token that never expires.

    Once you manually create a Secret and link it to a ServiceAccount, the Kubernetes control plane automatically populates the token into that Secret.

    Note: Although the manual mechanism for creating a long-lived ServiceAccount token exists, using to obtain short-lived API access tokens is recommended instead.

    Control plane details

    A ServiceAccount controller manages the ServiceAccounts inside namespaces, and ensures a ServiceAccount named “default” exists in every active namespace.

    The service account token controller runs as part of kube-controller-manager. This controller acts asynchronously. It:

    • watches for ServiceAccount deletion and deletes all corresponding ServiceAccount token Secrets.
    • watches for ServiceAccount token Secret addition, and ensures the referenced ServiceAccount exists, and adds a token to the Secret if needed.
    • watches for Secret deletion and removes a reference from the corresponding ServiceAccount if needed.

    You must pass a service account private key file to the token controller in the kube-controller-manager using the --service-account-private-key-file flag. The private key is used to sign generated service account tokens. Similarly, you must pass the corresponding public key to the kube-apiserver using the --service-account-key-file flag. The public key will be used to verify the tokens during authentication.

    The modification of pods is implemented via a plugin called an Admission Controller. It is part of the API server. This admission controller acts synchronously to modify pods as they are created. When this plugin is active (and it is by default on most distributions), then it does the following when a Pod is created:

    1. If the pod does not have a .spec.serviceAccountName set, the admission controller sets the name of the ServiceAccount for this incoming Pod to default.
    2. The admission controller ensures that the ServiceAccount referenced by the incoming Pod exists. If there is no ServiceAccount with a matching name, the admission controller rejects the incoming Pod. That check applies even for the default ServiceAccount.
    3. Provided that neither the ServiceAccount’s automountServiceAccountToken field nor the Pod’s automountServiceAccountToken field is set to false:
      • the admission controller mutates the incoming Pod, adding an extra that contains a token for API access.
      • the admission controller adds a volumeMount to each container in the Pod, skipping any containers that already have a volume mount defined for the path /var/run/secrets/kubernetes.io/serviceaccount. For Linux containers, that volume is mounted at ; on Windows nodes, the mount is at the equivalent path.
    4. If the spec of the incoming Pod doesn’t already contain any imagePullSecrets, then the admission controller adds imagePullSecrets, copying them from the ServiceAccount.

    FEATURE STATE: Kubernetes v1.22 [stable]

    You use the subresource of a ServiceAccount to obtain a time-bound token for that ServiceAccount. You don’t need to call this to obtain an API token for use within a container, since the kubelet sets this up for you using a projected volume.

    If you want to use the TokenRequest API from kubectl, see Manually create an API token for a ServiceAccount.

    The Kubernetes control plane (specifically, the ServiceAccount admission controller) adds a projected volume to Pods, and the kubelet ensures that this volume contains a token that lets containers authenticate as the right ServiceAccount.

    (This mechanism superseded an earlier mechanism that added a volume based on a Secret, where the Secret represented the ServiceAccount for the Pod but did not expire.)

    Here’s an example of how that looks for a launched Pod:

    1. ...
    2. - name: kube-api-access-<random-suffix>
    3. projected:
    4. defaultMode: 420 # decimal equivalent of octal 0644
    5. sources:
    6. - serviceAccountToken:
    7. expirationSeconds: 3607
    8. path: token
    9. - configMap:
    10. items:
    11. - key: ca.crt
    12. path: ca.crt
    13. name: kube-root-ca.crt
    14. - downwardAPI:
    15. items:
    16. - fieldRef:
    17. apiVersion: v1
    18. fieldPath: metadata.namespace
    19. path: namespace
    1. A serviceAccountToken source, that contains a token that the kubelet acquires from kube-apiserver. The kubelet fetches time-bound tokens using the TokenRequest API. A token served for a TokenRequest expires either when the pod is deleted or after a defined lifespan (by default, that is 1 hour). The token is bound to the specific Pod and has the kube-apiserver as its audience.
    2. A configMap source. The ConfigMap contains a bundle of certificate authority data. Pods can use these certificates to make sure that they are connecting to your cluster’s kube-apiserver (and not to middlebox or an accidentally misconfigured peer).
    3. A downwardAPI source. This downwardAPI volume makes the name of the namespace containing the Pod available to application code running inside the Pod.

    Any container within the Pod that mounts this volume can access the above information.

    Create additional API tokens

    Caution: Only create long-lived API tokens if the token request mechanism is not suitable. The token request mechanism provides time-limited tokens; because these expire, they represent a lower risk to information security.

    To create a non-expiring, persisted API token for a ServiceAccount, create a Secret of type kubernetes.io/service-account-token with an annotation referencing the ServiceAccount. The control plane then generates a long-lived token and updates that Secret with that generated token data.

    Here is a sample manifest for such a Secret:

    1. apiVersion: v1
    2. kind: Secret
    3. metadata:
    4. name: mysecretname
    5. kubernetes.io/service-account.name: myserviceaccount

    To create a Secret based on this example, run:

    To see the details for that Secret, run:

    1. kubectl -n examplens describe secret mysecretname

    The output is similar to:

    1. Name: mysecretname
    2. Namespace: examplens
    3. Labels: <none>
    4. Annotations: kubernetes.io/service-account.name=myserviceaccount
    5. kubernetes.io/service-account.uid=8a85c4c4-8483-11e9-bc42-526af7764f64
    6. Type: kubernetes.io/service-account-token
    7. Data
    8. ====
    9. ca.crt: 1362 bytes
    10. namespace: 9 bytes
    11. token: ...

    If you launch a new Pod into the examplens namespace, it can use the myserviceaccount service-account-token Secret that you just created.

    If you know the name of the Secret that contains the token you want to remove:

    1. kubectl delete secret name-of-secret

    Otherwise, first find the Secret for the ServiceAccount.

    The output is similar to:

    1. apiVersion: v1
    2. kind: ServiceAccount
    3. metadata:
    4. annotations:
    5. kubectl.kubernetes.io/last-applied-configuration: |
    6. {"apiVersion":"v1","kind":"ServiceAccount","metadata":{"annotations":{},"name":"example-automated-thing","namespace":"examplens"}}
    7. creationTimestamp: "2019-07-21T07:07:07Z"
    8. name: example-automated-thing
    9. namespace: examplens
    10. resourceVersion: "777"
    11. selfLink: /api/v1/namespaces/examplens/serviceaccounts/example-automated-thing
    12. uid: f23fd170-66f2-4697-b049-e1e266b7f835
    13. secrets:
    14. - name: example-automated-thing-token-zyxwv

    Then, delete the Secret you now know the name of:

    1. kubectl -n examplens delete secret/example-automated-thing-token-zyxwv
    1. kubectl -n examplens get serviceaccount/example-automated-thing -o yaml

    Clean up

    If you created a namespace to experiment with, you can remove it:

    1. kubectl delete namespace examplens

    What’s next