Exercise 6.3: Working with ServiceAccounts

kubectl get secret

kubectl get secret -A

cat <<EOF | kubectl create -f -
apiVersion: v1
kind: ServiceAccount
metadata:
  name: secret-access
EOF

kubectl get sa secret-access

kubectl get clusterroles

diff <(kubectl get clusterroles admin -o yaml) <(kubectl get clusterroles cluster-admin -o yaml) -y

cat <<EOF | kubectl create -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
 name: secret-access
rules:
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - get
  - list
EOF

kubectl get clusterrole secret-access

cat <<EOF | kubectl create -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
 name: secret-access
subjects:
- kind: ServiceAccount
  name: secret-access
roleRef:
 kind: ClusterRole
 name: secret-access
 apiGroup: rbac.authorization.k8s.io
EOF

kubectl get rolebindings secret-access

cat <<EOF | kubectl create -f -
apiVersion: v1
kind: Pod
metadata:
  name: kubectl
spec:
  containers:
  - name: kubectl
    image: bitnami/kubectl
    command: [ "sleep" ]
    args: [ "infinity" ]
EOF

kubectl exec -it kubectl -- kubectl get secrets

kubectl get pod kubectl -o yaml

kubectl delete pod kubectl

cat <<EOF | kubectl create -f -
apiVersion: v1
kind: Pod
metadata:
  name: kubectl
spec:
  serviceAccountName: secret-access
  containers:
  - name: kubectl
    image: bitnami/kubectl
    command: [ "sleep" ]
    args: [ "infinity" ]
EOF

kubectl get pod kubectl -o yaml | grep -i serviceaccount

kubectl exec -it kubectl -- kubectl get secrets

kubectl exec -it kubectl -- cat /var/run/secrets/kubernetes.io/serviceaccount/token

{
    kubectl delete pod kubectl 
    kubectl delete rolebindings secret-access
    kubectl delete clusterrole secret-access
    kubectl delete sa secret-access
}