For the authentification and authorization, Kubernetes has such notions as User Accounts and Service Accounts.
User Accounts – common user profiles used to access a cluster from the outside, while Service Accounts are used to grant access from inside of the cluster.
ServiceAccounts are intended to provide an identity for a Kubernetes Pod to be used by its container to authenticate and authorize them when performing API-requests to the Kubernetes API-server.
Contents
Default ServiceAccount
Every Kubernetes Namespace has its own default ServiceAccount (SA) which is created when creating a namespace.
Let’s check the default namespace:
kubectl --namespace default get serviceaccount
NAME SECRETS AGE
default 1 176d
For each ServiceAccount a token is generated and stored as a Kubernetes Secret.
Check the default SA:
kubectl --namespace default get serviceaccount default -o yaml
At first, its type is the kubernetes.io/service-account-token.
Another interesting part here is the data which keeps two records – ca.cert и token.
If a token is not from the default namespace – there will be a third field specifying a namespace to which this token belongs.
Theca.cert is signed by the cluster’s master key so the cluster is playing the Certificate Authority role, and allows a pod or an application to verify the API-server.
And now, let’s go to investigate the tokenpart.
JWT token
To make it easier to work from the terminal – save the data.token value to a variable:
token="ZXl...TWc="
Use the base64 get its content:
echo $token | base64 -d
eyJ[...]iJ9.eyJ[...]ifQ.g5I[...]3Mg
Here I’ve removed some data with the […], but we can see that the value is divided into three parts with dots:
the header – describes how the token was signed
the payload – actual data of the token, such as expiration date, who issued it, etc see the RFC-7519
the signature – is used to verify that the token wasn’t modified and can be used to validate the sender
here in the sub filed we can see the ServiceAccount name, i.e. – who is presenting this token to the Kubernetes API-server so the server will know from who this token came.
Okay, but what about a password? In the sub there is a “login” – but where is his “password”?
And here is the third part is playing – the signature.
JWT token and authentification
I wasn’t able to see these details in any from the googled materials, see the Useful links section of this post, although as for me – this is the most interesting part of the scheme.
Let’s go back to the first section of the token – the header, which in our case has the RS256 algorithm type defined i.e. RSA (Rivest-Shamir-Adleman) – the asymmetric algorithm with private and public keys and uses SHA-256 algorithm for the signature.
Invalid Signature – as we not provided the private and public keys to verify the token.
Because the masters’ private key on AWS Elastic Kubernetes Service is stored on the ConrolPlane nodes and we can’t access them – let’s use minikube for the testing.
Run a local cluster:
minikube start
In its default namespace we can see already existing token:
Signature Verified – yup, it works! The authenticity of the bearer of the token is verified.
So, going back to the ServiceAccounts:
for a ServiceAccount a token is created which keep the SA name
the token is signed by the master key of the Kubernetes cluster
a pod make a request to the API server using this token to authenticate him
the API server validates the token by using its public key and verify that the token wasn’t modified and is relly issued by this Kubernetes clutserм
Now, let’s go to see in practice how this is working and how Kubernetes RBAC is used here.
ServiceAccounts, and RBAC
For each Pod that has no ServiceAccount specified the default ServiceAccount is attached and its default token is mounted.
Go back to our EKS cluster and run a Pod:
kubectl run -i --tty --rm ca-test-pod --image=radial/busyboxplus:curl
kubectl run --generator=deployment/apps.v1 is DEPRECATED and will be removed in a future version. Use kubectl run --generator=run-pod/v1 or kubectl create instead.
If you don't see a command prompt, try pressing enter.
[ root@ca-test-pod-5c96c78d7f-wqlsq:/ ]$
Check itvolumeMounts, serviceAccount, and volumes:
kubectl get pod ca-test-pod-5c96c78d7f-wqlsq -o yaml
Inside of the pod check the /var/run/secrets/kubernetes.io/serviceaccount directory content:
[ root@ca-test-pod-5c96c78d7f-wqlsq:/ ]$ ls -1 /var/run/secrets/kubernetes.io/serviceaccount
ca.crt
namespace
token
And recall the content of the data section of the default-token-292g9 Secret:
kubectl get secret default-token-292g9 -o yaml
apiVersion: v1
data:
ca.crt: LS0t[...]
namespace: ZGVmYXVsdA==
token: ZXlKaGJ
...
Try to perform a request to the API-server without authentification – use the special Service kubernetes, add the -k or --insecure to the curl to skip server’s certificate validation
And run curl again – let’s try to get a list of the pods in our namespace, this time without --insecure and with authorization by using the Authorization header:
"message": "pods is forbidden: User \"system:serviceaccount:default:default\" cannot list resource \"pods\" in API group \"\" in the namespace \"default\"",
"reason": "Forbidden",
"details": {
"kind": "pods"
},
"code": 403
}
At this time, we are able to see our user – the User "system:serviceaccount:default:default", but it has no permissions to perform requests as by default all users and ServiceAccounts have no privileges (the principle of the least privileges, POLP).
RoleBindig for ServiceAccount
To give our SericeAccount permissions we need to create a RoleBinding or ClusterRoleBinding as for normal users.
Create a RoleBinding mapping to the default ClusterRole view, see User-facing roles:
Remember, that having access to Secrets and ServiceAccounts any pod can have any token attached and thus can be able to perform actions allowed by such a token.
For example, by using the ServiceAccount of the ExternalDNS – such a pod can make a mess in our AWS Route53.
That’s why it is important to divide access to resources by using RBAC rules and roles for users, for example by allowing access to resources from only one namespace.