Create a Pod running the nginx image:
kubectl run simple-pod --image=nginx
You can use -o yaml to get the YAML representation of the Pod, like this: kubectl get po simple-pod -o yaml. If you look through the output, you will notice the following line:
serviceAccountName: default
Even though we haven't explicitly set a service account name, Kubernetes assigned the namespace's default service account to the Pod. Every Pod that omits serviceAccountName gets it, which is why the permissions granted to that account, and the token it carries, matter.
Let's run kubectl describe serviceaccount default (or the short form kubectl describe sa default) to see the details of the default service account:
$ kubectl describe sa default
Name: default
Namespace: default
Labels: <none>
Annotations: <none>
Image pull secrets: <none>
Mountable secrets: default-token-qjdzv
Tokens: default-token-qjdzv
Events: <none>
Let's invoke the Kubernetes API using the service account token. First, we will get a shell inside the container:
$ kubectl exec -it simple-pod -- /bin/bash
root@simple-pod:/#
The service account's token is mounted into every container of the Pod, so anyone who can execute code in the container can read it. We will store the token in the TOKEN variable so we can use it when invoking the API:
$ TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
If you're curious about the information encoded in the token, it is a JSON Web Token (JWT): three base64url-encoded parts (header, payload, signature) separated by dots, and the payload is readable without any key. You can decode it at https://jwt.io, but keep in mind that the token is a bearer credential for your cluster, so only paste a token from a throwaway cluster into a third-party site; for anything real, decode it locally. Here's what the payload of my token looks like:
{
"iss": "kubernetes/serviceaccount",
"kubernetes.io/serviceaccount/namespace": "default",
"kubernetes.io/serviceaccount/secret.name": "default-token-5h8g8",
"kubernetes.io/serviceaccount/service-account.name": "default",
"kubernetes.io/serviceaccount/service-account.uid": "d75bbef1-cb26-48fc-8a4e-511fd112c864",
"sub": "system:serviceaccount:default:default"
}
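To decode a token locally instead of pasting it into jwt.io, the following script is an added example (not code from the original article). It base64url-decodes the header and payload with only sh, base64, cut and sed, never touches the signature, reads the real token from its mounted path when run inside a Pod, and otherwise falls back to a constructed sample token whose payload mirrors the claims shown above and whose signature is a placeholder. The SAMPLE_* values, the helper names and the fallback behaviour are all assumptions of this example.

```shell
#!/bin/sh
# Added example: decode a service-account JWT locally, without sending it to jwt.io.
# Nothing here is from the original article; the SAMPLE_* values are constructed.

# base64url -> plain text. JWTs use the URL-safe alphabet and drop the "="
# padding, so both are restored before handing the data to base64 -d.
b64url_decode() {
  _s=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#_s} % 4 )) in
    2) _s="${_s}==" ;;
    3) _s="${_s}=" ;;
  esac
  printf '%s' "$_s" | base64 -d
}

# Plain text -> base64url, used only to build the constructed sample token below.
b64url_encode() {
  printf '%s' "$1" | base64 | tr -d '\n=' | tr '/+' '_-'
}

# Decode part N of a JWT (1 = header, 2 = payload). Part 3 is the signature,
# which is binary and is intentionally never decoded here.
jwt_part() {
  b64url_decode "$(printf '%s' "$1" | cut -d. -f"$2")"
}
jwt_header()  { jwt_part "$1" 1; }
jwt_payload() { jwt_part "$1" 2; }

# Pull one top-level string claim out of the payload without depending on jq.
# "|" is the sed delimiter so claim names containing "/" work.
jwt_claim() {
  jwt_payload "$1" | sed -n "s|.*\"$2\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*|\1|p"
}

# Constructed sample resembling a legacy secret-based token. The signature is a
# placeholder: it is not valid and cannot authenticate to any cluster.
SAMPLE_PAYLOAD='{"iss":"kubernetes/serviceaccount","kubernetes.io/serviceaccount/namespace":"default","kubernetes.io/serviceaccount/service-account.name":"default","sub":"system:serviceaccount:default:default"}'
SAMPLE_TOKEN="eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.$(b64url_encode "$SAMPLE_PAYLOAD").fakesignature"

# Inside a Pod, read the real token from its mounted path; elsewhere fall back
# to the sample so the script still runs.
TOKEN_FILE=/var/run/secrets/kubernetes.io/serviceaccount/token
if [ -r "$TOKEN_FILE" ]; then
  TOKEN=$(cat "$TOKEN_FILE")
else
  TOKEN=$SAMPLE_TOKEN
fi

echo "header:  $(jwt_header "$TOKEN")"
echo "payload: $(jwt_payload "$TOKEN")"
echo "subject: $(jwt_claim "$TOKEN" sub)"
```

Copy the script into the container and run it, or source it and call jwt_claim "$TOKEN" sub. On clusters that issue bound service account tokens the payload carries an https iss, aud and exp claims and a nested kubernetes.io claim tying the token to the Pod; the decoding steps are the same.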
We will use TOKEN as the bearer token and invoke the Kubernetes API. The Kubernetes API is exposed through the Service called kubernetes in the default namespace; inside the container its address is also available in the KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT environment variables, and the cluster CA certificate for verifying the API server's TLS certificate is mounted next to the token as /var/run/secrets/kubernetes.io/serviceaccount/ca.crt, so there is no need to disable certificate verification.
Here's how we can try and invoke the API from within the container: