Custom Roles and Service Account

Service Account

Create custom roles for a service account to view, list and watch the following resources:

- configmaps
- pods
- services
- namespaces
- endpoints
- secrets
- *nodes*

Remark: nodes are cluster-scoped, so they need a cluster role (bound with a cluster role binding) rather than a namespaced role.

Create Service Account

  • Create Service Account

      oc create sa sa-discovery -n demo
    

    Output

      serviceaccount/sa-discovery created
    

Custom Roles

Local Role

  • Create role for service account.

      oc create role app-discovery \
      --verb=get,list,watch \
      --resource=configmaps,pods,services,namespaces,endpoints \
      -n demo
      oc describe role app-discovery -n demo
    

    or create it from the app-discovery YAML manifest

      oc create -f manifests/app-discovery-role.yaml -n demo
      oc describe role app-discovery -n demo
      oc describe role list-secret -n demo
    

    Output

      role.rbac.authorization.k8s.io/app-discovery created
      Name:         app-discovery
      Labels:       <none>
      Annotations:  <none>
      PolicyRule:
      Resources   Non-Resource URLs  Resource Names  Verbs
      ---------   -----------------  --------------  -----
      configmaps  []                 []              [get list watch]
      endpoints   []                 []              [get list watch]
      namespaces  []                 []              [get list watch]
      pods        []                 []              [get list watch]
      secrets     []                 []              [get list watch]
      services    []                 []              [get list watch]
    
  • Assign role to service account

      oc adm policy add-role-to-user app-discovery \
      system:serviceaccount:demo:sa-discovery --role-namespace=demo -n demo
    

    Output

      role.rbac.authorization.k8s.io/app-discovery added: "system:serviceaccount:demo:sa-discovery"
    

Create cluster role

  • Create cluster role to view nodes

      oc create clusterrole view-nodes \
      --verb=get,list,watch --resource=nodes
    

    or create it from the view-nodes YAML manifest

      oc create -f manifests/clusterrole-view-nodes.yaml
    

    Output

      clusterrole.rbac.authorization.k8s.io/view-nodes created
    
  • Assign role to service account

      oc adm policy add-cluster-role-to-user \
      view-nodes system:serviceaccount:demo:sa-discovery
    

    Output

      clusterrole.rbac.authorization.k8s.io/view-nodes added: "system:serviceaccount:demo:sa-discovery"
    

Test Service Account

CLI

  • Test service account sa-discovery with the CLI tool

    • Get service account sa-discovery token

      TOKEN=$(oc sa get-token sa-discovery -n demo)
      
    • Log in with the service account token

      oc login --token=$TOKEN
      oc whoami
      

      Output

      Using project "demo".
      system:serviceaccount:demo:sa-discovery
      
    • Test list resources

      clear
      printf "List configmaps\n"
      oc get configmaps -n demo
      echo "Press any key to continue...";read
      clear
      printf "List secrets\n"
      oc get secrets -n demo
      echo "Press any key to continue...";read
      clear
      printf "List pods\n"
      oc get pods -n demo
      echo "Press any key to continue...";read
      clear
      printf "List services\n"
      oc get svc -n demo
      echo "Press any key to continue...";read
      clear
      printf "List nodes\n"
      oc get nodes
      echo "Press any key to continue...";read
      clear
      
    • Test get secret

      oc describe secrets/$(oc get secrets --no-headers|head -n 1|awk '{print $1}')
      

      You will get the following error because sa-discovery has only the list verb on secrets; list does not imply get, so reading an individual secret is denied

      Error from server (Forbidden): secrets "builder-dockercfg-cjfz6" is forbidden: User "system:serviceaccount:demo:sa-discovery" cannot get resource "secrets" in API group "" in the namespace "demo"
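To make the two rules of thumb on this page concrete (a namespaced role cannot grant nodes, and list on secrets does not grant get), here is an added Python model of the bindings created above. It is an illustration written for this page, not code from the original, and its evaluator is a simplified approximation of the Kubernetes RBAC authorizer (no aggregation, resourceNames, subresources or API groups).

```python
"""Model of the RBAC bindings created on this page: Role app-discovery and
list-secret bound in namespace demo, ClusterRole view-nodes bound cluster-wide.
Added illustration; simplified approximation of the Kubernetes authorizer."""
from dataclasses import dataclass
from typing import List, Optional, Set

@dataclass
class Rule:
    verbs: Set[str]
    resources: Set[str]

@dataclass
class Binding:
    subject: str
    rules: List[Rule]
    namespace: Optional[str] = None  # None models a ClusterRoleBinding

SA = "system:serviceaccount:demo:sa-discovery"

APP_DISCOVERY = [Rule({"get", "list", "watch"},
                      {"configmaps", "pods", "services", "namespaces", "endpoints"})]
LIST_SECRET = [Rule({"list"}, {"secrets"})]  # list only: no get, so describe fails
VIEW_NODES = [Rule({"get", "list", "watch"}, {"nodes"})]

BINDINGS = [
    Binding(SA, APP_DISCOVERY, namespace="demo"),  # RoleBinding in demo
    Binding(SA, LIST_SECRET, namespace="demo"),    # RoleBinding in demo
    Binding(SA, VIEW_NODES),                       # ClusterRoleBinding
]

def _matches(rule: Rule, verb: str, resource: str) -> bool:
    return ((verb in rule.verbs or "*" in rule.verbs)
            and (resource in rule.resources or "*" in rule.resources))

def can_i(subject: str, verb: str, resource: str, namespace: Optional[str] = None,
          bindings: List[Binding] = BINDINGS) -> bool:
    """True if any binding for `subject` grants `verb` on `resource`.
    A RoleBinding only applies to requests inside its own namespace; a request
    for a cluster-scoped resource such as nodes carries no namespace, so only a
    ClusterRoleBinding can allow it. Verbs are independent: list never implies get."""
    for b in bindings:
        if b.subject != subject:
            continue
        if b.namespace is not None and b.namespace != namespace:
            continue
        if any(_matches(r, verb, resource) for r in b.rules):
            return True
    return False
```

Binding VIEW_NODES with namespace="demo" (a RoleBinding instead of a ClusterRoleBinding) makes can_i(SA, "list", "nodes") return False, which is exactly the Remark at the top of the page.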
      

REST API

  • List pods. Note that -k disables TLS certificate verification; outside a lab, pass the cluster CA bundle with --cacert instead.

      API=$(oc whoami --show-server)
      NAMESPACE=demo
      curl -k -H "Accept: application/json" -H "Authorization: Bearer $TOKEN" $API/api/v1/namespaces/$NAMESPACE/pods
    

    Output

      "items": [
          {
          "metadata": {
              "name": "backend-797f8bfdcc-xrzkw",
              "generateName": "backend-797f8bfdcc-",
              "namespace": "demo",
              "selfLink": "/api/v1/namespaces/demo/pods/backend-797f8bfdcc-xrzkw",
              "uid": "e6845671-6e46-4b20-aa7b-ced5839341e2",
              "resourceVersion": "56509",
              "creationTimestamp": "2021-06-10T09:10:10Z",
              "labels": {
              "app": "backend",
              "pod-template-hash": "797f8bfdcc",
              "version": "v1"
              },
    
  • Get specified pod

      curl -k -H "Accept: application/json" -H "Authorization: Bearer $TOKEN" $API/api/v1/namespaces/$NAMESPACE/pods/<pod-name>
    
  • Get node

      curl -k -H "Accept: application/json" -H "Authorization: Bearer $TOKEN" $API/api/v1/nodes/$(oc get nodes --no-headers|head -n 1|awk '{print $1}')
    

Use Service Account with Deployment

  • Backend deployment (backend-discovery-sa.yaml) with custom service account. Note that automountServiceAccountToken: false keeps the token out of the container filesystem; if the application itself must call the API with this service account, set it to true or mount a projected token explicitly.

      spec:
        replicas: 1
        selector:
          matchLabels:
            app: backend
            version: v1
        template:
          metadata:
            creationTimestamp: null
            labels:
              app: backend
              version: v1
            annotations:
              sidecar.istio.io/inject: "false"
          spec:
            serviceAccountName: svip-ignite-discovery
            automountServiceAccountToken: false
            containers:
            - name: backend
    
  • Check service account used by pod

      oc get pod/<pod-name> -o jsonpath='{.spec.serviceAccountName}'
    
