ServiceAccount
Definition
A ServiceAccount is a special type of account used in Kubernetes to provide an identity for processes that run in a Pod. It allows these processes to authenticate to the Kubernetes API and access resources according to the permissions granted to the ServiceAccount. ServiceAccounts are crucial for managing access control and ensuring that applications have the least privilege necessary to function.
Secure Settings Example
apiVersion: v1
kind: ServiceAccount
metadata:
  name: my-secure-serviceaccount
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
  namespace: default
subjects:
- kind: ServiceAccount
  name: my-secure-serviceaccount
  namespace: default
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
Insecure Settings Example
apiVersion: v1
kind: ServiceAccount
metadata:
  name: my-insecure-serviceaccount
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cluster-admin-binding
subjects:
- kind: ServiceAccount
  name: my-insecure-serviceaccount
  namespace: default
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
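The difference between the two examples is what the ServiceAccount is bound to: a namespaced Role limited to read verbs on pods versus the built-in cluster-admin ClusterRole through a ClusterRoleBinding, which grants every verb on every resource cluster-wide. The following audit script is an added example (not from this page or from any Kubernetes project). It takes a list of manifests, rendered here as Python dicts that mirror the page's Secure and Insecure examples, resolves each binding's roleRef against the Roles and ClusterRoles supplied alongside it, and grades every ServiceAccount subject it finds. The severity labels, the FULL_ACCESS_CLUSTER_ROLES set and the WRITE_VERBS set are this example's own assumptions about what counts as risky.

```python
# Added audit example (not the page's or any Kubernetes project's code): grade what
# each ServiceAccount subject in a set of RBAC manifests is actually bound to.

# Constructed: dict renderings of the page's Secure and Insecure manifests.
SECURE_MANIFESTS = [
    {"apiVersion": "v1", "kind": "ServiceAccount",
     "metadata": {"name": "my-secure-serviceaccount", "namespace": "default"}},
    {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role",
     "metadata": {"namespace": "default", "name": "pod-reader"},
     "rules": [{"apiGroups": [""], "resources": ["pods"],
                "verbs": ["get", "watch", "list"]}]},
    {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "RoleBinding",
     "metadata": {"name": "read-pods", "namespace": "default"},
     "subjects": [{"kind": "ServiceAccount", "name": "my-secure-serviceaccount",
                   "namespace": "default"}],
     "roleRef": {"kind": "Role", "name": "pod-reader",
                 "apiGroup": "rbac.authorization.k8s.io"}},
]

INSECURE_MANIFESTS = [
    {"apiVersion": "v1", "kind": "ServiceAccount",
     "metadata": {"name": "my-insecure-serviceaccount", "namespace": "default"}},
    {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRoleBinding",
     "metadata": {"name": "cluster-admin-binding"},
     "subjects": [{"kind": "ServiceAccount", "name": "my-insecure-serviceaccount",
                   "namespace": "default"}],
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin",
                 "apiGroup": "rbac.authorization.k8s.io"}},
]

# Assumption: built-in ClusterRoles treated as full access (cluster-admin is on the page).
FULL_ACCESS_CLUSTER_ROLES = {"cluster-admin"}
# Assumption: verbs that change state rather than only read it.
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection", "*"}


def index_roles(manifests):
    """Map (kind, namespace, name) -> rules for every Role/ClusterRole supplied."""
    roles = {}
    for m in manifests:
        if m["kind"] == "Role":
            key = ("Role", m["metadata"].get("namespace"), m["metadata"]["name"])
            roles[key] = m.get("rules", [])
        elif m["kind"] == "ClusterRole":
            roles[("ClusterRole", None, m["metadata"]["name"])] = m.get("rules", [])
    return roles


def grade(role_ref, rules):
    """Rank a roleRef: critical > high > medium > low; 'unknown' if the role was not supplied."""
    if role_ref["kind"] == "ClusterRole" and role_ref["name"] in FULL_ACCESS_CLUSTER_ROLES:
        return "critical"
    if rules is None:
        return "unknown"
    worst = "low"
    for rule in rules:
        verbs = set(rule.get("verbs", []))
        if "*" in verbs or "*" in rule.get("resources", []):
            return "high"
        if verbs & WRITE_VERBS:
            worst = "medium"
    return worst


def audit(manifests):
    """Return one finding per (binding, ServiceAccount subject) pair."""
    roles = index_roles(manifests)
    findings = []
    for m in manifests:
        if m["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        ref = m["roleRef"]
        binding_ns = m["metadata"].get("namespace")
        # A Role is only reachable from a RoleBinding in its own namespace;
        # a ClusterRole is cluster-scoped and may be referenced by either binding kind.
        ref_key = (ref["kind"], binding_ns if ref["kind"] == "Role" else None, ref["name"])
        for subj in m.get("subjects", []):
            if subj.get("kind") != "ServiceAccount":
                continue
            findings.append({
                "binding": f'{m["kind"]}/{m["metadata"]["name"]}',
                "service_account": f'{subj.get("namespace", binding_ns)}/{subj["name"]}',
                "scope": "cluster-wide" if m["kind"] == "ClusterRoleBinding"
                         else f"namespace {binding_ns}",
                "role": f'{ref["kind"]}/{ref["name"]}',
                "severity": grade(ref, roles.get(ref_key)),
            })
    return findings


def worst_severity(findings):
    """Collapse a findings list to its highest severity ('none' when empty)."""
    order = ["none", "low", "unknown", "medium", "high", "critical"]
    return max((f["severity"] for f in findings), key=order.index, default="none")


if __name__ == "__main__":
    for label, manifests in (("secure", SECURE_MANIFESTS), ("insecure", INSECURE_MANIFESTS)):
        for f in audit(manifests):
            print(f'[{label}] {f["severity"]:8} {f["service_account"]} <- {f["role"]} '
                  f'via {f["binding"]} ({f["scope"]})')
```

Run against the page's two manifest sets, the secure binding grades "low" (read-only verbs on one resource in one namespace) and the insecure one "critical" (cluster-admin, cluster-wide). A binding whose roleRef is not among the supplied manifests comes back "unknown" rather than silently "low", so a partial export cannot hide an over-privileged role; feed the script the output of a full RBAC dump before trusting a clean result. Neither ServiceAccount on the page sets the `automountServiceAccountToken` field; setting it to `false` on the ServiceAccount (or on the Pod spec) keeps the API token out of Pods that never call the API, which limits what a compromised container can do with even a low-privilege identity.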