CKS Exam Series #7 ServiceAccount Tokens

Kubernetes CKS Example Exam Question Series

Kim Wuestkamp
ITNEXT


CKS Exam Series | CKA Exam Series | CKAD Exam Series

#####################################

THIS CHALLENGE WON’T BE UPDATED HERE AND MOVED TO:

https://killercoda.com/killer-shell-cks

######################################

Content

  1. Create Cluster & Security Best Practices
  2. Pods, Secrets and ServiceAccounts
  3. Immutable Pods
  4. Crash that Apiserver & check logs
  5. ImagePolicyWebhook / AdmissionController
  6. Users and CertificateSigningRequests
  7. ServiceAccount Token Mounting
  8. Role Based Access Control (RBAC)
  9. Role Based Access Control (RBAC) v2
  10. Container Hardening
  11. NetworkPolicies (Default Deny + Allowlist)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

→ Check out the FULL CKS COURSE on Udemy ←

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Rules!

  1. Be fast, avoid creating yaml manually from scratch
  2. Use only kubernetes.io/docs for help.
  3. Check our solution after you did yours. You probably have a better one!

Today's Task: Control ServiceAccount Token Mounting in Pods

  1. Create a new ServiceAccount (SA) special
  2. Create a Pod pod1 image nginx which uses the default SA
  3. Create Deployment deploy1 image nginx with two replicas using SA special
  4. Pod pod1 should not mount the SA token, verify it
  5. No Pods at all should mount the token of SA special, verify it

.

.

.

.

.

Solution

alias k=kubectl

1. Create SA

k create sa special

2. Create Pod

k run pod1 --image=nginx -oyaml --dry-run=client > pod1.yaml
k create -f pod1.yaml

3. Create Deployment

k create deploy deploy1 --image=nginx -oyaml --dry-run=client > deploy1.yaml
vim deploy1.yaml

Edit to:

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: deploy1
  name: deploy1
spec:
  replicas: 2
  selector:
    matchLabels:
      app: deploy1
  template:
    metadata:
      labels:
        app: deploy1
    spec:
      serviceAccountName: special
      containers:
      - image: nginx
        name: nginx

4. Pod no mount

Edit the Pod to:

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: pod1
  name: pod1
spec:
  automountServiceAccountToken: false
  containers:
  - image: nginx
    name: pod1

And verify (the command should print nothing, because no serviceaccount volume is mounted):

k exec pod1 -- mount | grep serviceaccount

5. SA no mount

Edit the SA to:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: special
  namespace: default
automountServiceAccountToken: false

Verify (the existing Pods were created before the SA was changed, so restart the Deployment first; both exec commands should then print nothing):

k rollout restart deploy deploy1
k exec deploy1-775d6566dc-bq757 -- mount | grep serviceaccount
k exec deploy1-775d6566dc-qwthl -- mount | grep serviceaccount

What happens if the SA says false to token mounting and the Pod says true? Then the token will be mounted. The setting on the SA is only the default for Pods that don't set it themselves; the Pod's own automountServiceAccountToken always wins.
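The precedence rule above (Pod setting wins, then SA setting, then mount by default) is easy to get wrong when auditing a namespace by hand. The following script is an added example, not part of the original post: it applies that rule to Pod and ServiceAccount objects in the shape that kubectl get pods -o json and kubectl get sa -o json return, and also checks whether an already-running Pod actually carries a token volume (the projected kube-api-access-* volume). The sample objects are constructed for this example and mirror the task: pod1 on the default SA, the two deploy1 Pods on SA special (one of them with an explicit Pod-level override to show the precedence rule), and a pod2 that was left at the defaults.

```python
import json

# Constructed sample objects (not from a real cluster), trimmed to the fields
# that matter. Shape mirrors `kubectl get sa -o json` / `kubectl get pods -o json`.
SERVICE_ACCOUNTS = json.loads("""
{"items": [
  {"metadata": {"name": "default", "namespace": "default"}},
  {"metadata": {"name": "special", "namespace": "default"},
   "automountServiceAccountToken": false}
]}
""")

PODS = json.loads("""
{"items": [
  {"metadata": {"name": "pod1", "namespace": "default"},
   "spec": {"automountServiceAccountToken": false,
            "containers": [{"name": "pod1", "image": "nginx"}]}},
  {"metadata": {"name": "deploy1-775d6566dc-bq757", "namespace": "default"},
   "spec": {"serviceAccountName": "special",
            "containers": [{"name": "nginx", "image": "nginx"}]}},
  {"metadata": {"name": "deploy1-775d6566dc-qwthl", "namespace": "default"},
   "spec": {"serviceAccountName": "special",
            "automountServiceAccountToken": true,
            "containers": [{"name": "nginx", "image": "nginx"}]}},
  {"metadata": {"name": "pod2", "namespace": "default"},
   "spec": {"containers": [{"name": "nginx", "image": "nginx"}],
            "volumes": [{"name": "kube-api-access-abcde",
                         "projected": {"sources": [{"serviceAccountToken": {"path": "token"}}]}}]}}
]}
""")


def index_service_accounts(sa_list):
    """Key ServiceAccounts by (namespace, name) so Pods can look theirs up."""
    return {(sa["metadata"].get("namespace", "default"), sa["metadata"]["name"]): sa
            for sa in sa_list["items"]}


def effective_automount(pod, sa_index):
    """True if the API server will inject a token volume when this Pod is created.

    Precedence: the Pod's own spec.automountServiceAccountToken wins; if the Pod
    is silent, the ServiceAccount's automountServiceAccountToken applies; if both
    are silent, the default is to mount.
    """
    spec = pod.get("spec", {})
    pod_setting = spec.get("automountServiceAccountToken")
    if pod_setting is not None:
        return bool(pod_setting)
    ns = pod["metadata"].get("namespace", "default")
    sa_name = spec.get("serviceAccountName", "default")
    sa_setting = sa_index.get((ns, sa_name), {}).get("automountServiceAccountToken")
    if sa_setting is not None:
        return bool(sa_setting)
    return True


def has_token_volume(pod):
    """True if a running Pod already carries the projected SA token volume.

    Useful for Pods created before the SA was changed: the SA setting only
    affects Pods created afterwards, hence the rollout restart in the solution.
    """
    for vol in pod.get("spec", {}).get("volumes", []):
        sources = vol.get("projected", {}).get("sources", [])
        if any("serviceAccountToken" in src for src in sources):
            return True
    return False


def audit_token_mounts(pod_list, sa_list):
    """Map pod name -> (serviceAccountName, will_mount_token)."""
    sa_index = index_service_accounts(sa_list)
    report = {}
    for pod in pod_list["items"]:
        name = pod["metadata"]["name"]
        sa_name = pod.get("spec", {}).get("serviceAccountName", "default")
        report[name] = (sa_name, effective_automount(pod, sa_index))
    return report


def pods_mounting_token(pod_list, sa_list, sa_name=None):
    """Sorted names of Pods that get a token, optionally only those using one SA."""
    return sorted(name for name, (sa, mounts) in audit_token_mounts(pod_list, sa_list).items()
                  if mounts and (sa_name is None or sa == sa_name))


if __name__ == "__main__":
    for name, (sa, mounts) in audit_token_mounts(PODS, SERVICE_ACCOUNTS).items():
        print(f"{name:28} sa={sa:8} will_mount={mounts}")
    print("pods still using the 'special' token:",
          pods_mounting_token(PODS, SERVICE_ACCOUNTS, "special"))
```

Against a real cluster you would replace the two constructed objects with the output of kubectl get sa -o json and kubectl get pods -o json. The deploy1 Pod with the explicit true shows why task step 5 cannot be satisfied by the SA alone: a Pod that sets automountServiceAccountToken: true still gets the token of special, so an audit has to look at the Pods, not only at the SA.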

.

.

.

.

.

What is the ServiceAccount token?

Every SA has a token which can be used to authenticate to the Kubernetes API. If permissions (RBAC) are bound to that SA, the token can be used to perform actions with those permissions.

Mounting the SA token in a Pod is most often not necessary, because Pods that just run an application usually don't need to talk to the API at all. There are valid use cases (operators, controllers, in-cluster tooling) for which mounting should stay enabled.

If you do mount the token in a Pod, make sure the SA has only the least permissions necessary: anyone who gets into that container gets the token and everything the SA is allowed to do.

You have a different solution?

Let us know by leaving a comment below!

— — — The END — — —

So much for this session. See you at the next one and happy learning!

Ready to join Killer Shell?

FULL CKS COURSE

LINK

…or the CKS SIMULATOR

https://killer.sh/cks


killercoda.com | killer.sh (CKS CKA CKAD Simulator) | Software Engineer, Infrastructure Architect, Certified Kubernetes