k8s 12: Admission Controller – Service Account

In this post, I will talk about the admission controller, one of the key components of the API server (document reference). In the past few posts, we deployed a PKI to secure the communication between each component. It’s time to secure and validate the requests themselves. In the previous post, I illustrated how the API server handles a request, which can be summarized as follows:

  • Authentication … Is the requester a valid account?
  • Authorization … Is the requester allowed to do what it requests?
  • Admission Control … Allow, reject or modify the original request based on various criteria.

You may encounter problems such as pods not launching with the kubectl run command on recent kubernetes packages. This may be related to the admission controller, because the kubernetes apiserver now launches with admission controllers enabled by default. In order to launch pods successfully, the service account needs to be set up correctly.

Service Account Setup

At this step, we do have a service account, which is created by default (and named default) when we launch the cluster. But it doesn’t have any token, which is what is used for authorization.

[ Controller-1 ]

1. Create key files for Service Account setup

In order for the admission controller to serve the ServiceAccount plugin successfully, both the Token controller (which resides in the controller-manager) and the API server need to load the key files, as per the official document.

First we create key files:

[ Controller-1 ]

2. Modify API server system service file

Modify the API server systemd service file so that it loads the service account key file on launch.

[ Controller-1 ]

3. Modify Controller-Manager system service file

Modify the Controller Manager systemd service file so that it loads the service account private key file on launch.
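Steps 1 to 3 as one script, added here as an example and not the commands from the original post. It generates the key pair, prints the flag each component needs, and checks that the public key the API server would load actually belongs to the private key the controller-manager would sign with; a mismatched pair is a common reason tokens are rejected. The file names under the target directory are my own placeholders; the two flag names are the real kube-apiserver and kube-controller-manager flags.

```shell
#!/bin/sh
# Added example; not the post's own commands. File names under "$dir" are
# placeholders; --service-account-key-file (apiserver) and
# --service-account-private-key-file (controller-manager) are real flags.
set -eu

# Step 1: create the key pair used to sign and verify service account tokens.
make_sa_keys() {
  dir=$1
  mkdir -p "$dir"
  # Private key: the Token controller in controller-manager signs tokens with it.
  openssl genrsa -out "$dir/service-account-key.pem" 2048 2>/dev/null
  chmod 600 "$dir/service-account-key.pem"
  # Public key: the API server verifies the token signature with it.
  openssl rsa -in "$dir/service-account-key.pem" -pubout \
    -out "$dir/service-account.pem" 2>/dev/null
}

# Steps 2 and 3: the flag to append to ExecStart= in each systemd unit.
sa_flags() {
  case $1 in
    apiserver)
      echo "--service-account-key-file=$2/service-account.pem" ;;
    controller-manager)
      echo "--service-account-private-key-file=$2/service-account-key.pem" ;;
    *) return 1 ;;
  esac
}

# Sanity check: the public key on disk must be derived from the private key,
# otherwise every token the controller signs will fail verification.
check_keypair() {
  dir=$1
  openssl rsa -in "$dir/service-account-key.pem" -pubout 2>/dev/null \
    | cmp -s - "$dir/service-account.pem"
}
```

Run `make_sa_keys /var/lib/kubernetes && check_keypair /var/lib/kubernetes` on the controller, then paste the output of `sa_flags apiserver /var/lib/kubernetes` and `sa_flags controller-manager /var/lib/kubernetes` into the respective unit files before restarting both services.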

4. Confirmation

Now we can see whether it works. First, check whether a token has been generated for the default account.

Looks good. Now let’s see whether we can launch a pod, and how the token is used.

It looks OK: the serviceaccount token is mounted in the container, and the container uses this credential whenever it needs to communicate with the Kubernetes service.

Let’s see the contents of this directory.