By default a MetaKube cluster comes with only one pre-configured admin token. This admin token is included in the kubeconfig that you can download in the dashboard, and it grants full control over the cluster, so it should not be handed out to people or systems that only need a subset of that access.
This tutorial shows how you can create ServiceAccounts with more limited access, which you can use for personalized access to the cluster. This is especially useful for technical accounts such as your CI system.
This tutorial requires a MetaKube cluster and access to it via kubectl.
With admin rights, first create a personalized ServiceAccount for the user that should have limited access:
$ kubectl create serviceaccount john-doe
serviceaccount/john-doe created
After that you can retrieve an API token. First fetch the name of the Secret in which the ServiceAccount token is stored (on clusters running Kubernetes 1.24 or newer this Secret is no longer created automatically together with the ServiceAccount; there you can request a time-bound token with `kubectl create token john-doe` instead):
$ kubectl get serviceaccounts john-doe -o yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  creationTimestamp: "2019-02-25T14:59:26Z"
  name: john-doe
  namespace: default
  resourceVersion: "3342411"
  selfLink: /api/v1/namespaces/default/serviceaccounts/john-doe
  uid: f20cfa03-390d-11e9-9906-0a580af40ae2
secrets:
- name: john-doe-token-n9w5x
Then retrieving this secret:
$ kubectl get secrets john-doe-token-n9w5x -o yaml
apiVersion: v1
data:
  ca.crt: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
  namespace: XXXXX==
  token: bWFuYWdlZDprdWJlcm5ldGVzPWpvaG4tZG9l
kind: Secret
metadata:
  annotations:
    kubernetes.io/service-account.name: john-doe
    kubernetes.io/service-account.uid: f20cfa03-390d-11e9-9906-0a580af40ae2
  creationTimestamp: "2019-02-25T14:59:27Z"
  name: john-doe-token-n9w5x
  namespace: default
  resourceVersion: "3342410"
  selfLink: /api/v1/namespaces/default/secrets/john-doe-token-n9w5x
  uid: f21405c0-390d-11e9-9024-0a580af4096f
type: kubernetes.io/service-account-token
Then base64-decode the token inside it (the value shown here is a short placeholder; a real ServiceAccount token is a much longer JWT):
$ echo "bWFuYWdlZDprdWJlcm5ldGVzPWpvaG4tZG9l" | base64 --decode
managed:kubernetes=john-doe
After that you can create a new kubeconfig based on the admin one you downloaded by changing the user name and token in it (see also Download the kubeconfig). Copy only the cluster entry (server address and CA) into the new file and replace the admin user with the new one, so that the admin token does not travel along with the limited kubeconfig. Keep in mind that a token taken from a ServiceAccount Secret does not expire; anyone who obtains it can act as the account until the Secret is deleted, so handle the file like a password. You can now use this kubeconfig to access the cluster as the user "john-doe" (the API server identifies the account as system:serviceaccount:default:john-doe).
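The step above, deriving a kubeconfig for the ServiceAccount from the admin kubeconfig and the token Secret, as an added Python example (this is not code from the MetaKube documentation). The admin kubeconfig and the Secret are constructed inline with fake values; in practice you would load the downloaded admin kubeconfig and the output of `kubectl get secret john-doe-token-n9w5x -o json`. The function names are this example's own. It checks that the Secret really is a service-account token annotated for john-doe, decodes the token, and emits a kubeconfig that carries the cluster entry and the new user only, never the admin credential. The output is JSON, which kubectl accepts as a kubeconfig because JSON is valid YAML.

```python
"""Build a kubeconfig for a ServiceAccount from its token Secret (added example)."""
import base64
import copy
import json

# Constructed stand-in for the admin kubeconfig downloaded from the dashboard (fake values).
ADMIN_KUBECONFIG = {
    "apiVersion": "v1",
    "kind": "Config",
    "clusters": [{
        "name": "metakube-example",
        "cluster": {
            "server": "https://example.metakube.invalid:6443",
            "certificate-authority-data": base64.b64encode(b"-----FAKE CA-----").decode(),
        },
    }],
    "users": [{"name": "admin", "user": {"token": "ADMIN-TOKEN-REDACTED"}}],
    "contexts": [{"name": "metakube-example",
                  "context": {"cluster": "metakube-example", "user": "admin"}}],
    "current-context": "metakube-example",
}

# Constructed stand-in for `kubectl get secret john-doe-token-n9w5x -o json`.
SA_TOKEN_SECRET = {
    "apiVersion": "v1",
    "kind": "Secret",
    "type": "kubernetes.io/service-account-token",
    "metadata": {
        "name": "john-doe-token-n9w5x",
        "namespace": "default",
        "annotations": {"kubernetes.io/service-account.name": "john-doe"},
    },
    "data": {
        "namespace": base64.b64encode(b"default").decode(),
        "token": base64.b64encode(b"managed:kubernetes=john-doe").decode(),
    },
}


def token_from_secret(secret, expected_sa):
    """Return (namespace, token) after checking that the Secret belongs to expected_sa.

    Refusing Secrets of another type or annotated for a different account guards
    against pasting the wrong token into the kubeconfig.
    """
    if secret.get("type") != "kubernetes.io/service-account-token":
        raise ValueError("not a service-account token secret: %r" % secret.get("type"))
    annotations = secret["metadata"].get("annotations", {})
    if annotations.get("kubernetes.io/service-account.name") != expected_sa:
        raise ValueError("secret is annotated for a different ServiceAccount")
    data = secret["data"]
    namespace = base64.b64decode(data["namespace"]).decode()
    token = base64.b64decode(data["token"]).decode().strip()
    if not token:
        raise ValueError("empty token in secret")
    return namespace, token


def build_sa_kubeconfig(admin_cfg, sa_name, namespace, token):
    """Copy the cluster entry referenced by the admin's current context, drop every
    admin credential, and add one user/context that authenticates with the SA token."""
    ctx = next(c for c in admin_cfg["contexts"] if c["name"] == admin_cfg["current-context"])
    cluster = next(c for c in admin_cfg["clusters"] if c["name"] == ctx["context"]["cluster"])
    # Use the identity the API server will report, as seen in "Forbidden" errors.
    user_name = "system:serviceaccount:%s:%s" % (namespace, sa_name)
    return {
        "apiVersion": "v1",
        "kind": "Config",
        "clusters": [copy.deepcopy(cluster)],
        "users": [{"name": user_name, "user": {"token": token}}],
        "contexts": [{"name": user_name,
                      "context": {"cluster": cluster["name"], "user": user_name,
                                  "namespace": namespace}}],
        "current-context": user_name,
    }


def render(cfg):
    """Serialize as JSON; kubectl loads JSON kubeconfig files (JSON is valid YAML)."""
    return json.dumps(cfg, indent=2)


if __name__ == "__main__":
    ns, tok = token_from_secret(SA_TOKEN_SECRET, "john-doe")
    print(render(build_sa_kubeconfig(ADMIN_KUBECONFIG, "john-doe", ns, tok)))
```

Write the output to a file with mode 0600 and point `KUBECONFIG` at it; the default namespace in the context saves typing `-n default` later.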
By default a ServiceAccount has no permissions inside the cluster unless it is bound to a Role or ClusterRole. In this example the account is bound to the pre-defined ClusterRole view via a ClusterRoleBinding, which grants read access in every namespace; if the account only needs one namespace, bind the same ClusterRole with a RoleBinding in that namespace instead. The --serviceaccount argument takes the form namespace:name:
$ kubectl create clusterrolebinding john-doe --clusterrole=view --serviceaccount=default:john-doe
clusterrolebinding.rbac.authorization.k8s.io/john-doe created
You can check the permissions of a role with:
$ kubectl get clusterrole view -o yaml
...
For more information see Using RBAC Authorization.
When you use the newly created kubeconfig with the new ServiceAccount user and token, you are not allowed to list nodes, because the view ClusterRole does not include that resource:
$ kubectl get nodes
Error from server (Forbidden): nodes is forbidden: User "system:serviceaccount:default:john-doe" cannot list resource "nodes" in API group "" at the cluster scope
You are allowed to list pods:
$ kubectl get pods
NAME                                  READY   STATUS    RESTARTS   AGE
ghost-5b496bfd64-v24ng                1/1     Running   0          161m
ghost-mariadb-0                       1/1     Running   0          10d
webapp-5f45f4fb96-jdxvp               1/1     Running   0          10d
wordpress-mariadb-0                   1/1     Running   0          10d
wordpress-wordpress-5b8c898c86-xkwzr  1/1     Running   0          161m
But you are not allowed to delete a pod, because view only grants the read-only verbs get, list and watch:
$ kubectl delete pods ghost-5b496bfd64-v24ng
Error from server (Forbidden): pods "ghost-5b496bfd64-v24ng" is forbidden: User "system:serviceaccount:default:john-doe" cannot delete resource "pods" in API group "" in the namespace "default"