Question on Service Account - I have created a service account and used it in a . . .

Tanumoy Ghosh:
Question on Service Account - I have created a service account and used it in a pod yaml, how can I verify whether the pod is applied with that service account?

Fernando Jimenez:
Take a look at the pod’s description. There would be a token issued with the serviceaccount name.

Tanumoy Ghosh:
I did not get you exactly, this is what I could see:

$ kubectl get po nginx -o yaml | grep serviceAccountName:
  serviceAccountName: myuser
$ kubectl describe po nginx | grep -i "token\|serviceaccount"
      /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-mnnmh (ro)
    TokenExpirationSeconds:  3607
$ kubectl get sa myuser -o yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  creationTimestamp: "2021-05-19T19:40:36Z"
  name: myuser
  namespace: default
  resourceVersion: "45650"
  uid: af48e4e8-0eb3-46e5-81b3-85322586e928
secrets:
- name: myuser-token-n4bvc

How can I relate?

Rahul B:
Try this

k describe po <name> | grep -i serviceaccount -A2

Tanumoy Ghosh:
Let me clarify a bit more:

I am adding serviceaccount to the pod yaml as: (not used serviceAccount: myuser)
serviceAccountName: myuser

Describe po says:

$ kubectl describe po nginx
Name:         nginx
Namespace:    default
Priority:     0
Node:         kubenode02/192.168.56.4
Start Time:   Wed, 26 May 2021 19:08:48 +0000
Labels:       run=nginx
Annotations:  <none>
Status:       Running
IP:           10.44.0.1
IPs:
  IP:  10.44.0.1
Containers:
  nginx:
    Container ID:   docker://0450fe71ca874f50c9ba6ee3be81df64247887dc3107d4b1b4b0b1d19e625354
    Image:          nginx
    Image ID:       docker-pullable://nginx@sha256:09ef025c198b8ae64d9bb08e00e072180d06c2ace866ebff749d1141b34ef420
    Port:           <none>
    Host Port:      <none>
    State:          Running
      Started:      Wed, 26 May 2021 19:08:55 +0000
    Ready:          True
    Restart Count:  0
    Environment:    <none>
    Mounts:
      /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-mcgwv (ro)
Conditions:
  Type              Status
  Initialized       True
  Ready             True
  ContainersReady   True
  PodScheduled      True
Volumes:
  kube-api-access-mcgwv:
    Type:                    Projected (a volume that contains injected data from multiple sources)
    TokenExpirationSeconds:  3607
    ConfigMapName:           kube-root-ca.crt
    ConfigMapOptional:       <nil>
    DownwardAPI:             true
QoS Class:                   BestEffort
Node-Selectors:              <none>
Tolerations:                 node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
                             node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
Events:
  Type    Reason     Age   From               Message
  ----    ------     ----  ----               -------
  Normal  Scheduled  61s   default-scheduler  Successfully assigned default/nginx to kubenode02
  Normal  Pulling    45s   kubelet            Pulling image "nginx"
  Normal  Pulled     40s   kubelet            Successfully pulled image "nginx" in 4.897529051s
  Normal  Created    40s   kubelet            Created container nginx
  Normal  Started    39s   kubelet            Started container nginx

Tanumoy Ghosh:
It might be a machine-dependent thing:

When I tried implementing serviceAccount in Katacoda, it’s clearly justifying:

Describe po says:

Mounts:
      /var/run/secrets/kubernetes.io/serviceaccount from namaste-token-c8hq5 (ro)

Describe sa gives same token:

Mountable secrets:   namaste-token-c8hq5
Tokens:              namaste-token-c8hq5