Solutions to the Practice Test Service Accounts
- How many service accounts exist in the default namespace?

  Run the command `kubectl get serviceaccounts` and count the number of accounts.
- What is the secret token used by the default service account?

  Run the command `kubectl describe serviceaccount default` and look at the `Tokens` field.

  none
- We just deployed the Dashboard application. Inspect the deployment. What is the image used by the deployment?

  Run the command `kubectl describe deployment` and look at the `Image` field.

  gcr.io/kodekloud/customimage/my-kubernetes-dashboard
- Information only.
- What is the state of the dashboard? Have the pod details loaded successfully?

  Open the `web-dashboard` link located above the terminal and inspect the status. We can see an error message, therefore the status is...

  Failed
- What type of account does the Dashboard application use to query the Kubernetes API?

  As evident from the error in the web-dashboard UI, the pod makes use of a service account to query the Kubernetes API.

  Service Account
- Which account does the Dashboard application use to query the Kubernetes API?

  To find this, we need to inspect the YAML of the running pod. The correct field for specifying a pod's service account is `serviceAccountName`. To save looking at all the YAML, we can use the `grep` command to extract only that field:

  ```
  kubectl get po -o yaml | grep 'serviceAccountName:'
  ```

  You could also do it with JSONPath. First get the name of the pod using `kubectl get pods`. It will be different each time you run this lab. Then the command is e.g.

  ```
  kubectl get po web-dashboard-65b9cf6cbb-79vbs -o jsonpath='{.spec.serviceAccountName}'
  ```

  default
- Inspect the Dashboard Application POD and identify the Service Account mounted on it.

  This is the same as the previous question.

  default
- At what location are the ServiceAccount credentials available within the pod?

  Know that service account tokens are mounted in pods as a volume mount, so it is the `volumeMounts` section in which we look.

  ```
  kubectl describe pod
  ```

  Find the `Mounts` section, which represents mounted volumes, and you will see a path to the mounted service account. From the answers, choose the one with the correct path prefix.

  /var/run/secrets
- Create a new ServiceAccount named dashboard-sa.

  Run the command `kubectl create serviceaccount dashboard-sa`
- Information only
- Now we are going to test the service account's access to the dashboard.
  - Generate a token

    ```
    kubectl create token dashboard-sa
    ```

    This will generate a long string of characters.
  - Select all the output using your mouse and copy it.
  - Return to the dashboard UI, and paste this to the `Token` field.
  - Press Load Dashboard. It should now display the pod.
- Edit the deployment to change ServiceAccount from default to dashboard-sa.
  - Use command `kubectl edit deployment web-dashboard`, which opens the running deployment in `vi`.
  - Move down to the deployment spec and insert the service account as shown:

    ```yaml
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      annotations:
        deployment.kubernetes.io/revision: "2"
      creationTimestamp: "2023-02-21T19:29:21Z"
      generation: 2
      name: web-dashboard
      namespace: default
      resourceVersion: "1499"
      uid: ac5a26bf-7a88-41cc-8db3-d5a4bd2ad31c
    spec:
      progressDeadlineSeconds: 600
      replicas: 1
      revisionHistoryLimit: 10
      selector:
        matchLabels:
          name: web-dashboard
      strategy:
        rollingUpdate:
          maxSurge: 25%
          maxUnavailable: 25%
        type: RollingUpdate
      template:
        metadata:
          creationTimestamp: null
          labels:
            name: web-dashboard
        spec:
          serviceAccountName: dashboard-sa   # <- Insert this line
          containers:
          - env:
            - name: PYTHONUNBUFFERED
              value: "1"
            image: gcr.io/kodekloud/customimage/my-kubernetes-dashboard
            imagePullPolicy: Always
            name: web-dashboard
            ports:
            - containerPort: 8080
              protocol: TCP
    ```
  - Save and exit `vi`. The deployment will be updated.
- Reload the dashboard and verify it works without pasting a token.
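
The "long string of characters" printed by `kubectl create token dashboard-sa` in the steps above is a JWT. The following added example (not part of the original solutions) decodes the payload to show which service account the token identifies and how long it is valid. The token is a constructed sample built inside the code, and `describe_sa_token` is a hypothetical helper name.

```python
import base64
import json
import time


def b64url_decode(segment):
    """Decode a base64url JWT segment, restoring the stripped '=' padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def describe_sa_token(token, now=None):
    """Return the identity and lifetime claims of a service account token."""
    # The signature is NOT verified here: this is inspection only. The API
    # server is the component that actually validates the token.
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    claims = json.loads(b64url_decode(parts[1]))
    k8s = claims.get("kubernetes.io", {})
    now = time.time() if now is None else now
    return {
        "subject": claims.get("sub"),
        "namespace": k8s.get("namespace"),
        "service_account": k8s.get("serviceaccount", {}).get("name"),
        "audiences": claims.get("aud"),
        "lifetime_seconds": claims["exp"] - claims["iat"],
        "expired": now >= claims["exp"],
    }


def _encode(obj):
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed sample with the claim layout of a service account token.
# Audience, timestamps, uid and signature are made up, not from a real cluster.
SAMPLE_CLAIMS = {
    "aud": ["https://kubernetes.default.svc.cluster.local"],
    "iat": 1700000000,
    "exp": 1700003600,
    "sub": "system:serviceaccount:default:dashboard-sa",
    "kubernetes.io": {"namespace": "default",
                      "serviceaccount": {"name": "dashboard-sa", "uid": "constructed-uid"}},
}
SAMPLE_TOKEN = ".".join([_encode({"alg": "RS256"}), _encode(SAMPLE_CLAIMS), "c2ln"])

if __name__ == "__main__":
    print(json.dumps(describe_sa_token(SAMPLE_TOKEN, now=1700000100), indent=2))
```

Anyone holding the token can call the API as `dashboard-sa` until it expires, so treat the copied string as a credential.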