In Kubernetes, a Service Account is the way to give an identity to the processes that run inside a Pod. It is used to grant those processes the access they need to the Kubernetes API. This article walks through creating a Service Account and a token in Kubernetes, and how to use and manage them.

Checking the list of service accounts
admin@master01:~$ kubectl get serviceaccount -n mylabs
NAME                 SECRETS   AGE
api-tok              0         4h2m
api-token            1         3d17h
default              1         66d
deployment-manager   0         7h18m
deployment-updater   0         7h20m
listrik-token        0         4h12m
test                 0         3h42m
token-dep-mgr       0         4h15m
admin@master01:~$

Creating a service account

admin@master01:~$ kubectl describe serviceaccount test-account -n mylabs
Name:                test-account
Namespace:           mylabs
Labels:              <none>
Annotations:         <none>
Image pull secrets:  <none>
Mountable secrets:   <none>
Tokens:              <none>
Events:              <none>
admin@master01:~$
Requesting a token for the service account

admin@master01:~$ kubectl create token test-account -n mylabs
eyJhbGciOiJSUzI1NiIsImtpZCItVHJ5aUNfMVBYRTJFSVNqWG84ZG8ifQ.eyJhdWQiOlsidW5rbm93biJdLCJleHAiOjE3MjQ0ODAxOTYsImlhdCI6MTcyNDQ3NjU5NiwiaXNzIjoicmtlIiwia3ViZXJuZXRlcy5pbyI6eyJuYW1lc3BhY2UiOiJzaW1sYWxhIiwic2VydmljZWFjY291bnQiOnsibmFtZSI6InRlc3QiLCJ1aWQiOiIzYWQ4OTJiZC05MDNiLTQ0YzctYTI1Ny01NjQ4NGI2ODg3Y2IifX0sIm5iZiI6MTcyNDQ3NjU5Niwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50OnNpbWxhbGE6dGVzdCJ9.pKQD6G7w4GJAxM66lKyNsqmk8OIYthAxgU9PtS1DbuvHrltoLQZ2tI9IS4CwoVYVcJQB4rKTLbjbsIBJ0HHxHwWHxh3jMhzoax1xuKCBMsRz_D91S4WgvMNEIL9CeYv_CrzuhWx4dq9eZ0fZNUqEoNOOuyraiMsP8MC-ymY53ZRZVaQdNHUKTM5zR70cmKvfx6RlMgmw5b7uflhyPTDAPhR44B7HRNvNi_iuXcdNX6GHbw8EXAXs_v_L2DaN6VgD5MNkH94tOPxigowSrvIxP2EWhvRpauDhZ2esmQfDrj2CWLmiajjuCKgw-tptoLAtMLQdkAlmifMCcwNLPGnbzA
admin@master01:~$
Reading the contents of the token secret

admin@master01:~$ kubectl describe secret test-account-token -n mylabs
Name:         test-account
Namespace:    mylabs
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: test-account
              kubernetes.io/service-account.uid: 3ad792bd-903b-44c7-a257-56484b6887cb

Type:  kubernetes.io/service-account-token

Data
====
ca.crt:     1017 bytes
namespace:  7 bytes
token:      eyJhbGciOiJSUzI1NiIsImtpZCI6InYxWDhLZkpYRTJFSVNqWG84ZG8ifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJzaW1sYWxhIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6InRlc3QtdG9rZW4iLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoidGVzdCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjNhZDg5MmJkLTkwM2ItNDRjNy1hMjU3LTU2NDg0YjY4ODdjYiIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpzaW1sYWxhOnRlc3QifQ.E58lKfSAy1GJJDXwCda3vBVc0Zr24kD7Mp_NmtNdubu0EIjKbPeWUDuaK6ogakWLaXOY1tOHFX1Plt-a9PEGllNQDhVBMhFBQrmAu5hctk_L9Zf0yuKGDNXUSjCKnVNJzuP3zpeAbWbse36IgRzVHhlgboqiS664Oed_cYDQlubLLiqnXrMDJHOzNi4Pi1CDbly570vpCq2hQOebCPWbx7zuj1T155Hk-HW6XvUYI89Na7vX-gGllghPXo60NxgUxafls9e9GmvSWanwJHhG8VLuMivZRJ1sJq5w_oYoZFLv-m3U_ZMRkq6atxr2RxEAE9Dh2HDBUwt__pha0WO4Ng
admin@master01:~$
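The two tokens shown above are not the same kind of credential. A token from `kubectl create token` is a bound, short-lived token (its payload carries an `exp` claim, one hour after `iat` in the output above), while the token stored in a `kubernetes.io/service-account-token` Secret has no `exp` claim and stays valid until the Secret is deleted. The payload also records which namespace and account the token was really issued for, which is worth checking before a token copied from somewhere is put to use. The following script is an added example, not part of the original post: it decodes a token's payload locally with plain POSIX sh and GNU `base64` (no `jq`, nothing sent to the cluster) and classifies the token. The two sample tokens it builds are constructed for the example, with placeholder signatures and a placeholder UID.

```shell
#!/bin/sh
# Added example: inspect a Kubernetes service account token offline.
# Assumes POSIX sh and GNU coreutils `base64` (for `base64 -d`).

# base64url -> standard base64 with padding restored, then decoded
b64url_decode() {
  s=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#s} % 4 )) in
    2) s="${s}==" ;;
    3) s="${s}=" ;;
  esac
  printf '%s' "$s" | base64 -d 2>/dev/null
}

# base64url encoder, used here only to build the constructed sample tokens
b64url_encode() {
  printf '%s' "$1" | base64 | tr -d '\n=' | tr '/+' '_-'
}

# Print the decoded payload (second dot-separated segment) of a JWT.
jwt_payload() {
  b64url_decode "$(printf '%s' "$1" | cut -d. -f2)"
}

# jwt_claim TOKEN NAME -> value of a top-level string or numeric claim
# (plain sed; good enough for the flat claims inspected here).
jwt_claim() {
  jwt_payload "$1" | sed -n "s/.*\"$2\":\"\{0,1\}\([^\",}]*\).*/\1/p"
}

# Legacy Secret-based tokens carry no "exp" claim and never expire;
# tokens from `kubectl create token` are bound and time-limited.
token_kind() {
  if [ -n "$(jwt_claim "$1" exp)" ]; then echo bound; else echo legacy; fi
}

# --- constructed sample tokens (signatures are placeholders, not valid) ---
HEADER=$(b64url_encode '{"alg":"RS256","kid":"example-kid"}')
SIG=$(b64url_encode 'not-a-real-signature')
BOUND_TOKEN="$HEADER.$(b64url_encode '{"aud":["unknown"],"exp":1724480196,"iat":1724476596,"iss":"rke","kubernetes.io":{"namespace":"mylabs","serviceaccount":{"name":"test-account","uid":"00000000-0000-0000-0000-000000000000"}},"nbf":1724476596,"sub":"system:serviceaccount:mylabs:test-account"}').$SIG"
LEGACY_TOKEN="$HEADER.$(b64url_encode '{"iss":"kubernetes/serviceaccount","kubernetes.io/serviceaccount/namespace":"mylabs","kubernetes.io/serviceaccount/secret.name":"test-account-token","kubernetes.io/serviceaccount/service-account.name":"test-account","sub":"system:serviceaccount:mylabs:test-account"}').$SIG"

# Report what each token is and whom it belongs to.
for t in "$BOUND_TOKEN" "$LEGACY_TOKEN"; do
  echo "kind=$(token_kind "$t") sub=$(jwt_claim "$t" sub) exp=$(jwt_claim "$t" exp)"
done
```

To inspect a real token, pass it to `token_kind` and `jwt_claim ... sub` instead of the constructed ones; the `sub` value has the form `system:serviceaccount:<namespace>:<name>` and is the authoritative answer to "which account is this?", regardless of what the Secret or the shell history claims.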
Attaching a token secret to the account

admin@master01:~$ nano token-test-account.yml
admin@master01:~$

apiVersion: v1
kind: Secret
metadata:
  name: test-account-token
  namespace: mylabs
  annotations:
    kubernetes.io/service-account.name: test-account
type: kubernetes.io/service-account-token
Applying the configuration

admin@master01:~$ kubectl apply -f token-test-account.yml
secret/test-account-token created
admin@master01:~$

Checking the service account again

admin@master01:~$ kubectl describe serviceaccount test-account -n mylabs
Name:                test-account
Namespace:           mylabs
Labels:              <none>
Annotations:         <none>
Image pull secrets:  <none>
Mountable secrets:   <none>
Tokens:              test-account-token
Events:              <none>
admin@master01:~$
Creating a role, for example a deployment manager

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: deployment-manager
  namespace: mylabs
rules:
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list", "watch", "update", "patch"]

Binding the service account to the role

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: test-user-token-binding
  namespace: mylabs
subjects:
  - kind: ServiceAccount
    name: test-account
    namespace: mylabs
roleRef:
  kind: Role
  name: deployment-manager
  apiGroup: rbac.authorization.k8s.io
Testing the service account

admin@master01:~/ns-mylabs$ kubectl auth can-i get deployments --as=system:serviceaccount:mylabs:deployment-manager -n mylabs
yes
admin@master01:~/ns-mylabs$ kubectl auth can-i list deployments --as=system:serviceaccount:mylabs:deployment-manager -n mylabs
yes
admin@master01:~/ns-mylabs$
admin@master01:~/ns-mylabs$ kubectl auth can-i watch deployments --as=system:serviceaccount:mylabs:deployment-manager -n mylabs
yes
admin@master01:~/ns-mylabs$ kubectl auth can-i update deployments --as=system:serviceaccount:mylabs:deployment-manager -n mylabs
yes
admin@master01:~/ns-mylabs$
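Two things are worth tightening in a test like the one above. First, the RoleBinding's subject is the `test-account` service account, so the impersonated identity in `--as=` should be `system:serviceaccount:mylabs:test-account`; the session above impersonates the separate `deployment-manager` service account from the earlier listing, whose permissions come from whatever is bound to it, not from this RoleBinding. Second, checking only the verbs the Role grants proves nothing about least privilege; the verbs it does not grant (`create`, `delete`, `deletecollection`) should come back `no`. The script below is an added example, not the post's own tooling: it runs `kubectl auth can-i` for both the expected-allowed and the expected-denied verbs and reports any drift. It assumes `kubectl` on PATH with a context that is allowed to impersonate service accounts; the `KUBECTL` variable exists only so the logic can be exercised against a stub without a cluster.

```shell
#!/bin/sh
# Added example: verify a service account's effective RBAC against intent.
# KUBECTL can be pointed at a stub for offline testing; defaults to kubectl.
KUBECTL=${KUBECTL:-kubectl}

# can_i NAMESPACE SA RESOURCE VERB -> prints "yes" or "no" (empty on error)
can_i() {
  "$KUBECTL" auth can-i "$4" "$3" --as="system:serviceaccount:$1:$2" -n "$1" 2>/dev/null
}

# rbac_drift NAMESPACE SA RESOURCE "allowed verbs" "denied verbs"
# Prints one line per mismatch; returns 0 only when access matches intent.
rbac_drift() {
  ns=$1; sa=$2; res=$3; rc=0
  for v in $4; do
    [ "$(can_i "$ns" "$sa" "$res" "$v")" = "yes" ] \
      || { echo "MISSING: $sa cannot $v $res"; rc=1; }
  done
  for v in $5; do
    [ "$(can_i "$ns" "$sa" "$res" "$v")" = "no" ] \
      || { echo "EXCESS: $sa can $v $res"; rc=1; }
  done
  return $rc
}

# The deployment-manager Role bound to test-account grants exactly
# get/list/watch/update/patch on deployments, so the mutating verbs
# below must be denied. Only runs when a reachable cluster is available.
if command -v "$KUBECTL" >/dev/null 2>&1 && "$KUBECTL" cluster-info >/dev/null 2>&1; then
  rbac_drift mylabs test-account deployments \
    "get list watch update patch" "create delete deletecollection" \
    && echo "OK: test-account matches the deployment-manager Role"
fi
```

Run it after every change to the Role or RoleBinding; an `EXCESS` line means the account can do something the Role was not meant to allow (typically a second binding, or a ClusterRoleBinding, that nobody remembered), and a `MISSING` line means the binding is not taking effect for that subject.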
Creating a Service Account and a token in Kubernetes is how you grant an application in your cluster the access it needs, and nothing more. Kubernetes normally issues tokens automatically, but you can also create a token Secret by hand when you need one. By following these steps, you can make sure that your Service Accounts and tokens are managed properly.