From 8a3d7acf03a9daf98cda2e7eacb131e14bf7c647 Mon Sep 17 00:00:00 2001 From: Shihang Zhang Date: Tue, 20 Apr 2021 11:46:17 -0700 Subject: [PATCH 1/2] update doc for BoundServiceAccountTokenVolume --- .../service-accounts-admin.md | 75 +++++++++++-------- 1 file changed, 45 insertions(+), 30 deletions(-) diff --git a/content/en/docs/reference/access-authn-authz/service-accounts-admin.md b/content/en/docs/reference/access-authn-authz/service-accounts-admin.md index 4aaf6da0a2..040eb31bc7 100644 --- a/content/en/docs/reference/access-authn-authz/service-accounts-admin.md +++ b/content/en/docs/reference/access-authn-authz/service-accounts-admin.md @@ -1,23 +1,24 @@ --- reviewers: -- bprashanth -- davidopp -- lavalamp -- liggitt + - bprashanth + - davidopp + - lavalamp + - liggitt title: Managing Service Accounts content_type: concept weight: 50 --- + This is a Cluster Administrator guide to service accounts. You should be familiar with [configuring Kubernetes service accounts](/docs/tasks/configure-pod-container/configure-service-account/). -Support for authorization and user accounts is planned but incomplete. Sometimes +Support for authorization and user accounts is planned but incomplete. Sometimes incomplete features are referred to in order to better describe service accounts. - + ## User accounts versus service accounts Kubernetes distinguishes between the concept of a user account and a service account 
@@ -53,37 +54,51 @@ It is part of the API server. It acts synchronously to modify pods as they are created or updated. When this plugin is active (and it is by default on most distributions), then it does the following when a pod is created or modified: - 1. If the pod does not have a `ServiceAccount` set, it sets the `ServiceAccount` to `default`. - 1. It ensures that the `ServiceAccount` referenced by the pod exists, and otherwise rejects it. - 1. If the pod does not contain any `ImagePullSecrets`, then `ImagePullSecrets` of the `ServiceAccount` are added to the pod. - 1. It adds a `volume` to the pod which contains a token for API access. - 1. It adds a `volumeSource` to each container of the pod mounted at `/var/run/secrets/kubernetes.io/serviceaccount`. +1. If the pod does not have a `ServiceAccount` set, it sets the `ServiceAccount` to `default`. +1. It ensures that the `ServiceAccount` referenced by the pod exists, and otherwise rejects it. +1. It adds a `volume` to the pod which contains a token for API access if neither the ServiceAccount `automountServiceAccountToken` nor the Pod's `automountServiceAccountToken` is set to `false`. +1. It adds a `volumeSource` to each container of the pod mounted at `/var/run/secrets/kubernetes.io/serviceaccount`, if the previous step has created a volume for ServiceAccount token. +1. If the pod does not contain any `ImagePullSecrets`, then `ImagePullSecrets` of the `ServiceAccount` are added to the pod. #### Bound Service Account Token Volume + {{< feature-state for_k8s_version="v1.21" state="beta" >}} When the `BoundServiceAccountTokenVolume` [feature gate](/docs/reference/command-line-tools-reference/feature-gates/) is enabled, the service account admission controller will -add a projected service account token volume instead of a secret volume. The service account token will expire after 1 hour by default or the pod is deleted. 
See more details about [projected volume](/docs/tasks/configure-pod-container/configure-projected-volume-storage/). +add the following projected volume instead of a secret volume for the non-expiring service account token created by Token Controller. -This feature depends on the `RootCAConfigMap` feature gate enabled which publish a "kube-root-ca.crt" ConfigMap to every namespace. This ConfigMap contains a CA bundle used for verifying connections to the kube-apiserver. -1. If the pod does not have a `serviceAccountName` set, it sets the - `serviceAccountName` to `default`. -1. It ensures that the `serviceAccountName` referenced by the pod exists, and - otherwise rejects it. -1. If the pod does not contain any `imagePullSecrets`, then `imagePullSecrets` - of the ServiceAccount referenced by `serviceAccountName` are added to the pod. -1. It adds a `volume` to the pod which contains a token for API access - if neither the ServiceAccount `automountServiceAccountToken` nor the Pod's - `automountServiceAccountToken` is set to `false`. -1. It adds a `volumeSource` to each container of the pod mounted at - `/var/run/secrets/kubernetes.io/serviceaccount`, if the previous step has - created a volume for ServiceAccount token. +```yaml +- name: kube-api-access-c5cs8 + projected: + defaultMode: 420 # 0644 + sources: + - serviceAccountToken: + expirationSeconds: 3600 + path: token + - configMap: + items: + - key: ca.crt + path: ca.crt + name: kube-root-ca.crt + - downwardAPI: + items: + - fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + path: namespace +``` -You can migrate a service account volume to a projected volume when -the `BoundServiceAccountTokenVolume` feature gate is enabled. -The service account token will expire after 1 hour or the pod is deleted. See -more details about -[projected volume](/docs/tasks/configure-pod-container/configure-projected-volume-storage/). +This projected volume consists of three sources: + +1. 
A ServiceAccountToken acquired from kube-apiserver via TokenRequest API. It will expire after 1 hour by default or the pod is deleted. It is bound to the pod and has kube-apiserver as the audience. +1. A ConfigMap contains a CA bundle used for verifying connections to the kube-apiserver. This feature depends on the `RootCAConfigMap` feature gate enabled which publish a "kube-root-ca.crt" ConfigMap to every namespace. +1. A DownwardAPI that references the namespace of the pod. + +See more details about [projected volume](/docs/tasks/configure-pod-container/configure-projected-volume-storage/). + +You can manually migrate a secret-based service account volume to a projected volume when +the `BoundServiceAccountTokenVolume` feature gate is not enabled by adding the above +projected volume to the pod spec. However, `RootCAConfigMap` needs to be enabled. ### Token Controller From 87dd022604b881776a72f40e9c4a508faed89ce0 Mon Sep 17 00:00:00 2001 From: Shihang Zhang Date: Wed, 21 Apr 2021 08:14:28 -0700 Subject: [PATCH 2/2] Apply suggestions from code review Co-authored-by: Jordan Liggitt --- .../access-authn-authz/service-accounts-admin.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/content/en/docs/reference/access-authn-authz/service-accounts-admin.md b/content/en/docs/reference/access-authn-authz/service-accounts-admin.md index 040eb31bc7..ea04f462b1 100644 --- a/content/en/docs/reference/access-authn-authz/service-accounts-admin.md +++ b/content/en/docs/reference/access-authn-authz/service-accounts-admin.md 
@@ -65,10 +65,10 @@ It acts synchronously to modify pods as they are created or updated. When this p {{< feature-state for_k8s_version="v1.21" state="beta" >}} When the `BoundServiceAccountTokenVolume` [feature gate](/docs/reference/command-line-tools-reference/feature-gates/) is enabled, the service account admission controller will -add the following projected volume instead of a secret volume for the non-expiring service account token created by Token Controller. +add the following projected volume instead of a Secret-based volume for the non-expiring service account token created by Token Controller. ```yaml -- name: kube-api-access-c5cs8 +- name: kube-api-access- projected: defaultMode: 420 # 0644 sources: 
@@ -90,11 +90,11 @@ add the following projected volume instead of a secret volume for the non-expiri This projected volume consists of three sources: -1. A ServiceAccountToken acquired from kube-apiserver via TokenRequest API. It will expire after 1 hour by default or the pod is deleted. It is bound to the pod and has kube-apiserver as the audience. -1. A ConfigMap contains a CA bundle used for verifying connections to the kube-apiserver. This feature depends on the `RootCAConfigMap` feature gate enabled which publish a "kube-root-ca.crt" ConfigMap to every namespace. +1. A ServiceAccountToken acquired from kube-apiserver via TokenRequest API. It will expire after 1 hour by default or when the pod is deleted. It is bound to the pod and has kube-apiserver as the audience. +1. A ConfigMap containing a CA bundle used for verifying connections to the kube-apiserver. This feature depends on the `RootCAConfigMap` feature gate being enabled, which publishes a "kube-root-ca.crt" ConfigMap to every namespace. `RootCAConfigMap` is enabled by default in 1.20, and always enabled in 1.21+. 1. A DownwardAPI that references the namespace of the pod. -See more details about [projected volume](/docs/tasks/configure-pod-container/configure-projected-volume-storage/). +See more details about [projected volumes](/docs/tasks/configure-pod-container/configure-projected-volume-storage/). You can manually migrate a secret-based service account volume to a projected volume when the `BoundServiceAccountTokenVolume` feature gate is not enabled by adding the above
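Review bot: the re-indentation of the four `reviewers` entries from `- ` to `  - ` in the front matter, together with the trailing-whitespace trims on the two prose lines in the first hunk (`@@ -1,23 +1,24 @@`), is unrelated to the BoundServiceAccountTokenVolume update this patch is titled for and makes the diff noisier than the content change warrants; drop these whitespace-only edits or move them to a separate commit so the documentation change can be reviewed on its own.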
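Review bot: in the second hunk of patch 1 (`@@ -53,37 +54,51 @@`), the new migration paragraph ("You can manually migrate a secret-based service account volume ... by adding the above projected volume to the pod spec") does not say what happens to the Secret-based volume, while step 3 of the same hunk says the admission controller still adds that volume unless the ServiceAccount's or the Pod's `automountServiceAccountToken` is `false`; a reader following the paragraph as written ends up with both the non-expiring Secret token and the projected token in the pod. Suggest stating that a manually migrated pod should set `automountServiceAccountToken: false` and mount the projected volume itself at `/var/run/secrets/kubernetes.io/serviceaccount`. Separately, the first bullet says the token "has kube-apiserver as the audience" but the YAML has no `audience` field under `serviceAccountToken`; a short clause noting that this is the audience used when the field is omitted would keep the example and the text consistent.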
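Review bot: in the first hunk of patch 2 (`@@ -65,10 +65,10 @@`), replacing `kube-api-access-c5cs8` with `kube-api-access-` leaves a bare trailing hyphen that is still a valid volume name, so a reader could paste it verbatim, and nothing in the surrounding text says the suffix is generated by the admission controller. Suggest an explicit placeholder such as `kube-api-access-<random-suffix>` or an inline comment on that line saying the suffix is generated, in the same style as the `# 0644` comment already on `defaultMode`.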
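Review bot: in the last hunk (`@@ -90,11 +90,11 @@`), the added sentence "`RootCAConfigMap` is enabled by default in 1.20, and always enabled in 1.21+" sits next to "This feature depends on the `RootCAConfigMap` feature gate being enabled" and, in the unchanged context a few lines down, "However, `RootCAConfigMap` needs to be enabled"; on the v1.21 page that the `feature-state` shortcode targets the gate cannot be turned off, so both caveats are dead text and the "However" sentence reads as if an extra step were required. Suggest dropping the "However" sentence or scoping both it and the dependency sentence to clusters on 1.20 or earlier, and writing the versions as `v1.20` / `v1.21` to match the shortcode's `for_k8s_version="v1.21"`.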