
Mastering Kubernetes ServiceAccounts, RBAC, and Configurations: A Step‑by‑Step Guide

This tutorial walks you through creating Kubernetes ServiceAccounts, user certificates, configuring kubeconfig files, and setting up RBAC roles, rolebindings, and clusterroles, complete with YAML manifests and command‑line examples for secure cluster access.

MaGe Linux Operations

1. ServiceAccount (SA)

A ServiceAccount is the identity that processes inside a Pod use when they call the Kubernetes API or other external services.

It is meant for Pod processes calling the Kubernetes API, not for people.

It is namespaced: a Pod can only use a ServiceAccount from its own namespace.

Every namespace automatically gets a ServiceAccount named default.

The token controller watches for ServiceAccount creation and creates a token Secret for it.

When the ServiceAccount Admission Controller is enabled, each newly created Pod automatically gets spec.serviceAccount set to default (unless another ServiceAccount is specified). The controller verifies the referenced ServiceAccount exists, adds its ImagePullSecrets to the Pod if none are set, and mounts the ServiceAccount token and ca.crt into /var/run/secrets/kubernetes.io/serviceaccount/ for each container.

# vim 01_k8s_pod_test.yml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: superopsmsb-sa
---
apiVersion: v1
kind: Pod
metadata:
  name: my-nginx-1
spec:
  containers:
  - image: nginx:1.23.0
    name: my-nginx
  serviceAccountName: superopsmsb-sa

# kubectl apply -f 01_k8s_pod_test.yml
# kubectl get sa
# kubectl get pods -o wide
# kubectl describe pod my-nginx-1
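The admission steps just described, modelled as an added Python example (illustrative code written for this page, not part of Kubernetes and not from the original tutorial). It applies the four steps to the Pod from 01_k8s_pod_test.yml and to a Pod that names no ServiceAccount, and adds a defender's check for Pods that end up running as default with a token mounted. The SERVICE_ACCOUNTS table, the hypothetical harbor-cred imagePullSecret, the kube-api-access volume name and the function names are this example's own assumptions; the projected-token volume mirrors current Kubernetes rather than the older Secret-backed mount.

```python
import copy

# Constructed sample ServiceAccounts keyed by (namespace, name). Every namespace
# gets a "default" SA; superopsmsb-sa is the one from the manifest above, given a
# hypothetical imagePullSecret so that step 3 has something to copy.
SERVICE_ACCOUNTS = {
    ("default", "default"): {},
    ("default", "superopsmsb-sa"): {"imagePullSecrets": [{"name": "harbor-cred"}]},
}

TOKEN_MOUNT_PATH = "/var/run/secrets/kubernetes.io/serviceaccount"

# The Pod from 01_k8s_pod_test.yml as a dict.
PAGE_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "my-nginx-1"},
    "spec": {
        "containers": [{"image": "nginx:1.23.0", "name": "my-nginx"}],
        "serviceAccountName": "superopsmsb-sa",
    },
}


def admit_pod(pod, service_accounts=SERVICE_ACCOUNTS):
    """Apply the four ServiceAccount admission steps to a Pod and return the
    mutated copy. Raises ValueError when the referenced SA does not exist."""
    pod = copy.deepcopy(pod)
    namespace = pod.get("metadata", {}).get("namespace", "default")
    spec = pod.setdefault("spec", {})

    # Step 1: a Pod that names no ServiceAccount gets "default".
    sa_name = spec.get("serviceAccountName") or "default"
    spec["serviceAccountName"] = sa_name

    # Step 2: the referenced ServiceAccount must exist in the Pod's namespace.
    sa = service_accounts.get((namespace, sa_name))
    if sa is None:
        raise ValueError(f'serviceaccount "{sa_name}" not found in namespace "{namespace}"')

    # Step 3: copy the SA's imagePullSecrets only when the Pod sets none itself.
    if not spec.get("imagePullSecrets") and sa.get("imagePullSecrets"):
        spec["imagePullSecrets"] = copy.deepcopy(sa["imagePullSecrets"])

    # Step 4: mount token + ca.crt into each container, unless automount is
    # switched off on the Pod (which takes precedence) or on the ServiceAccount.
    automount = spec.get("automountServiceAccountToken",
                         sa.get("automountServiceAccountToken", True))
    if automount:
        volume = "kube-api-access"   # hypothetical volume name for this model
        spec.setdefault("volumes", []).append({
            "name": volume,
            "projected": {"sources": [
                {"serviceAccountToken": {"path": "token", "expirationSeconds": 3607}},
                {"configMap": {"name": "kube-root-ca.crt",
                               "items": [{"key": "ca.crt", "path": "ca.crt"}]}},
            ]},
        })
        for container in spec.get("containers", []):
            container.setdefault("volumeMounts", []).append(
                {"name": volume, "mountPath": TOKEN_MOUNT_PATH, "readOnly": True})
    return pod


def token_mounted(pod):
    """True if any container in the (admitted) Pod has the SA token mounted."""
    return any(m.get("mountPath") == TOKEN_MOUNT_PATH
               for c in pod.get("spec", {}).get("containers", [])
               for m in c.get("volumeMounts", []))


def needs_review(pod):
    """Defender's check: a Pod running as the namespace's default SA that still
    gets a token mounted holds API credentials it almost certainly does not need."""
    admitted = admit_pod(pod)
    return admitted["spec"]["serviceAccountName"] == "default" and token_mounted(admitted)


if __name__ == "__main__":
    admitted = admit_pod(PAGE_POD)
    print("serviceAccountName:", admitted["spec"]["serviceAccountName"])
    print("imagePullSecrets:", admitted["spec"].get("imagePullSecrets"))
    print("token mounted:", token_mounted(admitted))
    print("needs review (page pod):", needs_review(PAGE_POD))
```

Setting automountServiceAccountToken: false on a Pod (or on the ServiceAccount) is the usual way to keep the token out of workloads that never talk to the API. Note also that since Kubernetes 1.24 the token controller no longer creates a long-lived Secret for every ServiceAccount; Pods receive short-lived projected tokens like the one modelled in step 4, which is why a token Secret only appears on that version and later if you create it explicitly.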

2. User Account (UA)

Create a client certificate for the user with cfssl, then build a kubeconfig that embeds the certificate and key. Note that the O field of the certificate subject (system:test below) becomes the user's group as seen by RBAC.

# vim test-csr.json
{
  "CN": "test",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "Beijing",
      "L": "Beijing",
      "O": "system:test",
      "OU": "system"
    }
  ]
}

# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes test-csr.json | cfssljson -bare test
# cp test*.pem /etc/kubernetes/ssl/
# kubectl config set-cluster kubernetes --certificate-authority=ca.pem --embed-certs=true --server=https://192.168.16.250:16443 --kubeconfig=test.kubeconfig
# kubectl config set-credentials test --client-certificate=test.pem --client-key=test-key.pem --embed-certs=true --kubeconfig=test.kubeconfig
# kubectl config set-context kubernetes --cluster=kubernetes --user=test --kubeconfig=test.kubeconfig
# kubectl config use-context kubernetes --kubeconfig=test.kubeconfig
# kubectl --kubeconfig=test.kubeconfig get pods
Error from server (Forbidden): pods is forbidden: User "test" cannot list resource "pods" in API group "" in the namespace "default"
# kubectl --kubeconfig=kube.config get pods
NAME                READY   STATUS    RESTARTS   AGE
my-nginx-1          1/1     Running   0          4h26m
pod-cm1             1/1     Running   3          4d22h
pod-harbor          1/1     Running   2          26h
pod-mysql-secret1   1/1     Running   5          4d21h
pod-mysql-secret2   1/1     Running   2          4d21h

3. kubeconfig File

Create a user that authenticates to the cluster with a certificate and key (set-credentials).

Specify the cluster address and its CA (set-cluster).

Bind the user and the target cluster together into a context, which is the entry point kubectl uses (set-context).

Set the default context (use-context).

Config file priority, highest first: the file given by the --kubeconfig flag; otherwise the file(s) named in the KUBECONFIG environment variable; otherwise the default location /root/.kube/config.
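As an added example (not from the original tutorial), the following Python models what the four kubectl config commands in section 2 assemble and how the priority order above is resolved, then follows current-context to the server and credential kubectl will use. Because --embed-certs=true puts the user's private key inside the file, it also checks the file mode. The function names, the PATH_LIST_SEP constant and the placeholder certificate strings are this example's own.

```python
import os
import stat
import tempfile

DEFAULT_KUBECONFIG = "/root/.kube/config"   # default path quoted above (root's home)
PATH_LIST_SEP = os.pathsep                   # ':' on Linux; KUBECONFIG may list several files


def resolve_kubeconfig_paths(flag=None, env=None, default=DEFAULT_KUBECONFIG):
    """Return the kubeconfig file(s) kubectl consults, in the priority order
    above: --kubeconfig wins outright, then KUBECONFIG (several files are
    merged), then the default location."""
    if flag:
        return [flag]
    if env is None:
        env = os.environ.get("KUBECONFIG", "")
    paths = [p for p in env.split(PATH_LIST_SEP) if p]
    return paths or [default]


def build_kubeconfig(cluster, server, ca_data, user, cert_data, key_data, context):
    """Structure equivalent to what set-cluster / set-credentials / set-context /
    use-context write when --embed-certs=true is used."""
    return {
        "apiVersion": "v1",
        "kind": "Config",
        "clusters": [{"name": cluster,
                      "cluster": {"server": server, "certificate-authority-data": ca_data}}],
        "users": [{"name": user,
                   "user": {"client-certificate-data": cert_data, "client-key-data": key_data}}],
        "contexts": [{"name": context, "context": {"cluster": cluster, "user": user}}],
        "current-context": context,
    }


def resolve_context(config, context_name=None):
    """Follow current-context (or a named context) to the server it targets and
    the credential that will be presented on every kubectl call."""
    name = context_name or config.get("current-context")
    ctx = next((c["context"] for c in config["contexts"] if c["name"] == name), None)
    if ctx is None:
        raise KeyError(f"context {name!r} is not defined")
    cluster = next(c["cluster"] for c in config["clusters"] if c["name"] == ctx["cluster"])
    user = next(u["user"] for u in config["users"] if u["name"] == ctx["user"])
    return {"server": cluster["server"], "user": ctx["user"],
            "client_cert": "client-certificate-data" in user}


def kubeconfig_is_private(path):
    """An embedded-cert kubeconfig carries the user's private key, so it must
    not be group- or world-accessible."""
    return not (os.stat(path).st_mode & (stat.S_IRWXG | stat.S_IRWXO))


def private_check_for_mode(mode):
    """Create a temporary file with the given mode and run the check on it."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        os.chmod(path, mode)
        return kubeconfig_is_private(path)
    finally:
        os.unlink(path)


# The kubeconfig produced in section 2, with certificate bytes replaced by placeholders.
TEST_KUBECONFIG = build_kubeconfig(
    cluster="kubernetes", server="https://192.168.16.250:16443", ca_data="<ca.pem base64>",
    user="test", cert_data="<test.pem base64>", key_data="<test-key.pem base64>",
    context="kubernetes")

if __name__ == "__main__":
    print(resolve_kubeconfig_paths(flag="test.kubeconfig"))
    print(resolve_kubeconfig_paths(env=PATH_LIST_SEP.join(["/root/a.kubeconfig", "/root/b.kubeconfig"])))
    print(resolve_kubeconfig_paths(env=""))
    print(resolve_context(TEST_KUBECONFIG))
    print("0600 private:", private_check_for_mode(0o600),
          "0644 private:", private_check_for_mode(0o644))
```

The same file-mode check applies to test.kubeconfig after the commands in section 2: kubectl writes it with mode 0600, and it should keep that mode wherever it is copied.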

4. Role Creation

A Role defines a set of permissions (verbs) on resource objects, and applies only within the namespace it is created in.

# kubectl create role myrole --verb=get,list --resource=pods --dry-run=client -o yaml > 02_k8s_secure_role.yaml
# vim 02_k8s_secure_role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: myrole
rules:
- apiGroups:
  - ""
  - "apps"
  resources:
  - pods
  - deployments
  - replicasets
  verbs:
  - get
  - list
  - delete
# kubectl apply -f 02_k8s_secure_role.yaml
# kubectl get role
NAME     CREATED AT
myrole   2023-11-30T02:34:21Z
# kubectl describe role myrole

5. RoleBinding Creation

# kubectl create rolebinding test-myrole --role=myrole --user=test --dry-run=client -o yaml > 03_k8s_test-myrole.yaml
# kubectl apply -f 03_k8s_test-myrole.yaml
# kubectl describe rolebinding test-myrole
Name:         test-myrole
Subjects:
  Kind  Name  Namespace
  ----  ----  ---------
  User  test
# kubectl get pods --kubeconfig=test.kubeconfig
NAME                READY   STATUS    RESTARTS   AGE
my-nginx-1          1/1     Running   1          25h
pod-cm1             1/1     Running   5          5d20h
# kubectl get deployment --kubeconfig=test.kubeconfig -n kube-system
Error from server (Forbidden): deployments.apps is forbidden: User "test" cannot list resource "deployments" in API group "apps" in the namespace "kube-system"
# kubectl get svc --kubeconfig=test.kubeconfig
Error from server (Forbidden): services is forbidden: User "test" cannot list resource "services" in API group "" in the namespace "default"

6. ClusterRole and ClusterRoleBinding Creation

# kubectl create clusterrole myclusterrole --verb=get,list,delete --resource=pods --dry-run=client -o yaml > 04_k8s_secure_clusterrole.yaml
# kubectl apply -f 04_k8s_secure_clusterrole.yaml
# kubectl create clusterrolebinding test-myclusterrole --clusterrole=myclusterrole --user=test
# kubectl edit clusterrolebinding test-myclusterrole
# kubectl get deployment --kubeconfig=test.kubeconfig -n kube-system
Error from server (Forbidden): deployments.apps is forbidden: User "test" cannot list resource "deployments" in API group "apps" in the namespace "kube-system"
# kubectl get pods --kubeconfig=test.kubeconfig -n kube-system
NAME                                       READY   STATUS    RESTARTS   AGE
calico-kube-controllers-7cc8dd57d9-hvkz5   1/1     Running   55         6d23h
calico-node-c4dxg                          1/1     Running   7          6d22h
calico-node-srqch                          1/1     Running   8          6d22h
calico-node-tcdmv                          0/1     Running   7          6d22h
calico-node-tvjzj                          1/1     Running   7          6d22h
coredns-675db8b7cc-5fbjk                   1/1     Running   7          6d22h

Mixing Role and ClusterRole lets you define a permission set once, cluster-wide, and still restrict where it applies: a ClusterRole referenced from a ClusterRoleBinding grants its rules in every namespace, while the same ClusterRole referenced from a RoleBinding grants them only in that binding's namespace.
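To tie sections 4, 5 and 6 together, here is an added Python model of the RBAC decision (example code written for this page, not the apiserver's implementation) using exactly the Role, ClusterRole and bindings created above. Run it and the kubectl calls from sections 5 and 6 come out the same way: pods listable in default and kube-system, deployments in kube-system and services in default forbidden. It also covers the Role/ClusterRole mix in the closing sentence (a RoleBinding that references a ClusterRole grants only inside its own namespace) and ServiceAccount subjects from section 1. The ROLES and CLUSTER_ROLES tables, the TEST_USER_GROUPS list (derived from O=system:test in the CSR) and the helper names are this example's own assumptions.

```python
# Roles as defined on this page: myrole (section 4) lives in "default"; the
# ClusterRole comes from section 6. Stored as {(namespace, name): rules} and {name: rules}.
ROLES = {
    ("default", "myrole"): [{"apiGroups": ["", "apps"],
                             "resources": ["pods", "deployments", "replicasets"],
                             "verbs": ["get", "list", "delete"]}],
}
CLUSTER_ROLES = {
    "myclusterrole": [{"apiGroups": [""], "resources": ["pods"],
                       "verbs": ["get", "list", "delete"]}],
}
ROLE_BINDINGS = [
    {"namespace": "default", "roleRef": {"kind": "Role", "name": "myrole"},
     "subjects": [{"kind": "User", "name": "test"}]},
]
CLUSTER_ROLE_BINDINGS = [
    {"roleRef": {"kind": "ClusterRole", "name": "myclusterrole"},
     "subjects": [{"kind": "User", "name": "test"}]},
]
# Groups the certificate from section 2 yields (assumption of this model): the
# O field becomes a group, and every authenticated identity is in system:authenticated.
TEST_USER_GROUPS = ["system:test", "system:authenticated"]


def _matches(values, wanted):
    return "*" in values or wanted in values


def _rule_allows(rule, verb, api_group, resource):
    return (_matches(rule["verbs"], verb) and _matches(rule["apiGroups"], api_group)
            and _matches(rule["resources"], resource))


def _subject_matches(subject, user, groups):
    kind = subject["kind"]
    if kind == "User":
        return subject["name"] == user
    if kind == "Group":
        return subject["name"] in groups
    if kind == "ServiceAccount":   # SAs authenticate as system:serviceaccount:<ns>:<name>
        return user == f"system:serviceaccount:{subject['namespace']}:{subject['name']}"
    return False


def _rules_for(role_ref, binding_namespace):
    """A RoleBinding may reference a ClusterRole; its rules then apply only in
    the binding's namespace, which is the Role/ClusterRole mix described above."""
    if role_ref["kind"] == "ClusterRole":
        return CLUSTER_ROLES.get(role_ref["name"], [])
    return ROLES.get((binding_namespace, role_ref["name"]), [])


def allowed(user, groups, verb, api_group, resource, namespace,
            role_bindings=ROLE_BINDINGS, cluster_role_bindings=CLUSTER_ROLE_BINDINGS):
    """Pure-RBAC decision: any matching binding with a matching rule grants;
    nothing ever denies, so the absence of a grant is the only 'no'."""
    for b in cluster_role_bindings:          # apply in every namespace
        if any(_subject_matches(s, user, groups) for s in b["subjects"]) and any(
                _rule_allows(r, verb, api_group, resource)
                for r in CLUSTER_ROLES.get(b["roleRef"]["name"], [])):
            return True
    for b in role_bindings:                  # apply only in their own namespace
        if b["namespace"] != namespace:
            continue
        if any(_subject_matches(s, user, groups) for s in b["subjects"]) and any(
                _rule_allows(r, verb, api_group, resource)
                for r in _rules_for(b["roleRef"], namespace)):
            return True
    return False


def forbidden_message(user, verb, api_group, resource, namespace):
    """The apiserver's Forbidden text in the form shown in the outputs above."""
    qualified = resource if api_group == "" else f"{resource}.{api_group}"
    return (f'{qualified} is forbidden: User "{user}" cannot {verb} resource "{resource}" '
            f'in API group "{api_group}" in the namespace "{namespace}"')


def check(user, groups, verb, api_group, resource, namespace, **bindings):
    """Return None when allowed, otherwise the Forbidden message."""
    if allowed(user, groups, verb, api_group, resource, namespace, **bindings):
        return None
    return forbidden_message(user, verb, api_group, resource, namespace)


if __name__ == "__main__":
    for verb, grp, res, ns in [("list", "", "pods", "default"),
                               ("list", "apps", "deployments", "kube-system"),
                               ("list", "", "services", "default"),
                               ("list", "", "pods", "kube-system")]:
        print(f"{verb} {res} in {ns}:",
              check("test", TEST_USER_GROUPS, verb, grp, res, ns) or "allowed")
```

On a live cluster the same questions are answered by kubectl auth can-i (for example kubectl auth can-i list deployments -n kube-system --kubeconfig=test.kubeconfig), which is the quickest way to confirm a binding grants no more than intended before handing a kubeconfig to someone.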

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Tags: Kubernetes, RBAC, RoleBinding, ServiceAccount, Config, ClusterRole
Written by

MaGe Linux Operations

Founded in 2009, MaGe Education is a top Chinese high‑end IT training brand. Its graduates earn 12K+ RMB salaries, and the school has trained tens of thousands of students. It offers high‑pay courses in Linux cloud operations, Python full‑stack, automation, data analysis, AI, and Go high‑concurrency architecture. Thanks to quality courses and a solid reputation, it has talent partnerships with numerous internet firms.
