How to create service account and cluster role binding for Kubernetes Dashboard?


Introduction

Kubernetes, the popular open-source container orchestration platform, provides a powerful web-based user interface called the Kubernetes Dashboard. To securely access and manage your Kubernetes cluster using the Dashboard, you need to create a service account and grant it the necessary permissions through a cluster role binding. This tutorial will guide you through the process of setting up the Kubernetes Dashboard with a service account and cluster role binding.



Understanding Kubernetes Service Accounts

Kubernetes Service Accounts are a crucial component in managing access and permissions within a Kubernetes cluster. They provide an identity for processes running in a Pod, allowing them to interact with the Kubernetes API server and other resources within the cluster.

What are Kubernetes Service Accounts?

A Service Account is a namespaced Kubernetes object that gives an identity to whatever presents its token. Every namespace gets a default Service Account, and a Pod that does not name one in its spec runs as that default; you create additional Service Accounts when a workload (or, as in this tutorial, a person logging in to the Dashboard) needs its own identity. A Service Account has no permissions of its own: what it may do is defined by Roles and ClusterRoles and granted to it with RoleBindings and ClusterRoleBindings.

Service Accounts are used to grant specific permissions to Pods, allowing them to access Kubernetes resources such as ConfigMaps, Secrets, and other objects. This is particularly useful for applications running within Pods that need to interact with the Kubernetes API or access other resources in the cluster.

Why Use Kubernetes Service Accounts?

Using Kubernetes Service Accounts provides several benefits:

  1. Least Privilege Access: Service Accounts allow you to grant the minimum set of permissions required for a Pod to perform its tasks, following the principle of least privilege.
  2. Isolation: Service Accounts provide a way to isolate the permissions of different components within your Kubernetes cluster, preventing unintended access or privilege escalation.
  3. Auditing and Traceability: Every API request carries the identity of the Service Account that made it, so the API server's audit log (when audit logging is enabled) lets you trace which account did what.
  4. Secure Defaults: Kubernetes creates a default Service Account in every namespace, and Pods that do not name an account run as it. The default account has no RBAC bindings beyond what every authenticated identity gets, so a Pod starts with almost no API access until you grant some.

Understanding Service Account Tokens

When a Pod is created, Kubernetes by default projects a token for the Pod's Service Account into each container at /var/run/secrets/kubernetes.io/serviceaccount/token. The process in the container presents this token as a bearer token to authenticate with the Kubernetes API server. On current Kubernetes versions the projected token is bound to the Pod, has an expiry and is rotated by the kubelet; you can turn the mount off with automountServiceAccountToken: false for Pods that never need the API.

The Service Account token is a JSON Web Token (JWT) signed by the API server. Its claims identify the account (the subject system:serviceaccount:<namespace>:<name>, the namespace and name, the audience, and the issue and expiry times); it does not contain the account's permissions. Permissions are looked up from RBAC on the API server for every request, so changing a binding takes effect immediately without reissuing tokens, and inspecting a token tells you who it is for but not what it can do.
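The following script is an added example, not part of the original tutorial, that decodes a service account token to show what it actually carries. The sample token is constructed inline with a dummy signature: its claim layout follows the format the kube-apiserver issues, but every value in it is made up. With a real cluster you would pass the output of kubectl create token to the same functions.

```bash
#!/usr/bin/env bash
# Added example (not from the tutorial): inspect the claims of a service account
# token. A JWT is header.payload.signature, each part base64url-encoded.
set -eu

# base64url -> bytes. JWT segments drop the '=' padding, so restore it first.
b64url_decode() {
  local seg="$1"
  case $(( ${#seg} % 4 )) in
    2) seg="${seg}==" ;;
    3) seg="${seg}=" ;;
  esac
  printf '%s' "$seg" | tr '_-' '/+' | base64 -d
}

# bytes -> base64url, used only to build the constructed sample token below.
b64url_encode() {
  printf '%s' "$1" | base64 | tr -d '\n=' | tr '/+' '_-'
}

# Print the payload (second segment) of a JWT as JSON.
jwt_payload() {
  b64url_decode "$(printf '%s' "$1" | cut -d. -f2)"
}

# Extract one flat string or number claim without jq. Good enough for "sub",
# "exp" or "namespace"; arrays and nested objects need a real JSON parser.
jwt_claim() {
  local token="$1" claim="$2"
  jwt_payload "$token" | sed -n "s/.*\"${claim}\":\"\{0,1\}\([^\",}]*\)\"\{0,1\}.*/\1/p"
}

# Seconds until the token expires (negative when it has already expired).
jwt_seconds_left() {
  local exp
  exp="$(jwt_claim "$1" exp)"
  echo $(( exp - $(date +%s) ))
}

# Constructed sample token. The claims mirror what kube-apiserver issues for
# dashboard-admin in kubernetes-dashboard; the uid, times and signature are fake,
# so the API server would reject this token.
SAMPLE_HEADER='{"alg":"RS256","kid":"example-kid"}'
SAMPLE_PAYLOAD='{"aud":["https://kubernetes.default.svc"],"exp":1700000000,"iat":1699996400,"iss":"https://kubernetes.default.svc","kubernetes.io":{"namespace":"kubernetes-dashboard","serviceaccount":{"name":"dashboard-admin","uid":"00000000-0000-0000-0000-000000000000"}},"nbf":1699996400,"sub":"system:serviceaccount:kubernetes-dashboard:dashboard-admin"}'
SAMPLE_TOKEN="$(b64url_encode "$SAMPLE_HEADER").$(b64url_encode "$SAMPLE_PAYLOAD").dummysignature"

# Run as: bash sa-token-inspect.sh demo   (sourcing the file defines functions only)
if [ "${1:-}" = "demo" ]; then
  jwt_payload "$SAMPLE_TOKEN"; echo
  echo "subject:      $(jwt_claim "$SAMPLE_TOKEN" sub)"
  echo "seconds left: $(jwt_seconds_left "$SAMPLE_TOKEN")"
fi
```

Note what is absent from the decoded payload: there is no list of verbs, resources or rules. A stolen token is still dangerous because the API server will resolve its bindings on every request, but the token itself cannot tell an attacker (or you) what those bindings are; kubectl auth can-i can.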


By understanding Kubernetes Service Accounts, you can effectively manage access and permissions within your Kubernetes cluster, ensuring that your applications and components have the necessary permissions to perform their tasks while maintaining a secure and auditable environment.

Creating a Service Account for Kubernetes Dashboard

To access the Kubernetes Dashboard, you need to create a Service Account with the appropriate permissions. In this section, we will walk through the steps to create a Service Account and grant it the necessary permissions.

Step 1: Create a Service Account

First, create the Service Account that the Dashboard login will use. The kubernetes-dashboard namespace is created by the Dashboard's own install manifest, so install the Dashboard (or create the namespace) before running this command in your Ubuntu 22.04 terminal, otherwise it fails with a namespace-not-found error:

kubectl create serviceaccount dashboard-admin -n kubernetes-dashboard

This command creates a Service Account named dashboard-admin in the kubernetes-dashboard namespace.

Step 2: Grant Permissions to the Service Account

Next, we need to grant the necessary permissions to the Service Account. We can do this by creating a ClusterRoleBinding.

kubectl create clusterrolebinding dashboard-admin-rb --clusterrole=cluster-admin --serviceaccount=kubernetes-dashboard:dashboard-admin

This command creates a ClusterRoleBinding named dashboard-admin-rb that binds the cluster-admin ClusterRole to the dashboard-admin Service Account in the kubernetes-dashboard namespace.

cluster-admin is the built-in superuser ClusterRole: it allows every verb on every resource in every namespace. Bind it only in a throwaway lab. Whoever obtains a token for this Service Account (from the Dashboard login screen, a Secret, a pasted shell history or a screenshot) controls the whole cluster, and the Dashboard itself performs every request with that token's permissions. In a production environment grant the narrowest role that works, for example the built-in view ClusterRole for read-only use, or a namespaced RoleBinding that limits the account to particular namespaces, and prefer short-lived tokens from kubectl create token over long-lived tokens stored in Secrets.

Verifying the Service Account

To verify that the Service Account and ClusterRoleBinding were created correctly, you can run the following commands:

kubectl get serviceaccount -n kubernetes-dashboard
kubectl get clusterrolebinding dashboard-admin-rb

These commands will display the Service Account and ClusterRoleBinding you created.

With the Service Account and binding in place, you can log in to the Dashboard with a token for dashboard-admin. The Dashboard then acts on the cluster with exactly the permissions the binding grants, which in this tutorial is everything, so treat that token as you would the cluster's admin kubeconfig.

Granting Permissions with Cluster Role Binding

In Kubernetes, ClusterRoleBindings are used to grant permissions to Service Accounts, Users, or Groups across the entire cluster. This is particularly useful when you need to provide specific permissions to a Service Account, such as the one we created for the Kubernetes Dashboard.

Understanding ClusterRoleBindings

A ClusterRoleBinding is a Kubernetes resource that links a ClusterRole to a set of subjects (Service Accounts, Users, or Groups). The ClusterRole defines the permissions, while the ClusterRoleBinding associates those permissions with the specified subjects.

Here's an example of a ClusterRoleBinding:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: dashboard-admin-rb
subjects:
  - kind: ServiceAccount
    name: dashboard-admin
    namespace: kubernetes-dashboard
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io

In this example, the dashboard-admin-rb ClusterRoleBinding grants the cluster-admin ClusterRole to the dashboard-admin Service Account in the kubernetes-dashboard namespace.

Granting Permissions with ClusterRoleBinding

To grant permissions to a Service Account, you can create a ClusterRoleBinding using the following steps:

  1. Identify the necessary permissions: Determine the ClusterRole that provides the required permissions for your use case, and prefer the narrowest one that works (the built-in view, edit and admin roles cover most cases). In the Kubernetes Dashboard example, we used the cluster-admin ClusterRole, which grants unrestricted access and is only appropriate for a lab.

  2. Create the ClusterRoleBinding: Use the kubectl create clusterrolebinding command to create the ClusterRoleBinding, specifying the ClusterRole, Service Account, and namespace.

kubectl create clusterrolebinding dashboard-admin-rb --clusterrole=cluster-admin --serviceaccount=kubernetes-dashboard:dashboard-admin

This command creates a ClusterRoleBinding named dashboard-admin-rb that grants the cluster-admin ClusterRole to the dashboard-admin Service Account in the kubernetes-dashboard namespace.

ClusterRoleBindings are a quick way to grant a Service Account access to resources, but the grant is cluster-wide: the subject holds the role in every namespace, including namespaces created later. When a Service Account only needs access within one namespace, bind the ClusterRole with a namespaced RoleBinding instead.
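The following script is an added example, not the tutorial's own commands and not part of the Kubernetes Dashboard project. It carries out the procedure from the Creating a Service Account section and this one as a single manifest rather than two imperative kubectl create commands, then asks the API server what the account can actually do before minting a login token. It assumes kubectl 1.24 or later (for kubectl create token), an existing kubernetes-dashboard namespace, and a current context that may create ClusterRoleBindings and impersonate service accounts. The default of the read-only view ClusterRole is my choice; set CLUSTER_ROLE=cluster-admin to reproduce the tutorial's binding.

```bash
#!/usr/bin/env bash
# Added example (not the tutorial's or the Dashboard project's code): create the
# Dashboard service account and its ClusterRoleBinding from one manifest, check
# what the account can do, then mint a short-lived login token.
# Assumptions: kubectl >= 1.24, the kubernetes-dashboard namespace exists, and the
# current context may create ClusterRoleBindings and impersonate service accounts.
set -eu

NAMESPACE="${NAMESPACE:-kubernetes-dashboard}"
SA_NAME="${SA_NAME:-dashboard-admin}"
# ClusterRole to bind. The built-in read-only "view" role is the default here;
# set CLUSTER_ROLE=cluster-admin to reproduce the tutorial's binding.
CLUSTER_ROLE="${CLUSTER_ROLE:-view}"

# Print the ServiceAccount and ClusterRoleBinding manifests for the given
# namespace, account name and ClusterRole. automountServiceAccountToken is off
# because this account is for Dashboard logins; no Pod should ever mount it.
dashboard_rbac_manifest() {
  local ns="$1" sa="$2" role="$3"
  cat <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ${sa}
  namespace: ${ns}
automountServiceAccountToken: false
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ${sa}-rb
subjects:
  - kind: ServiceAccount
    name: ${sa}
    namespace: ${ns}
roleRef:
  kind: ClusterRole
  name: ${role}
  apiGroup: rbac.authorization.k8s.io
EOF
}

# Create or update both objects (apply is idempotent, unlike kubectl create).
apply_dashboard_rbac() {
  dashboard_rbac_manifest "$NAMESPACE" "$SA_NAME" "$CLUSTER_ROLE" | kubectl apply -f -
}

# Ask the API server whether the account may perform a verb on a resource,
# by impersonating it. Exit status 0 means "yes"; no token is needed for this.
sa_can_i() {
  kubectl auth can-i "$1" "$2" --all-namespaces \
    --as="system:serviceaccount:${NAMESPACE}:${SA_NAME}"
}

# Mint a bound token for the Dashboard login screen. It expires on its own,
# unlike a long-lived token stored in a Secret.
dashboard_token() {
  kubectl create token "$SA_NAME" -n "$NAMESPACE" --duration=1h
}

main() {
  apply_dashboard_rbac
  sa_can_i get pods   # "yes" for both view and cluster-admin
  if sa_can_i delete deployments >/dev/null 2>&1; then
    echo "WARNING: ${SA_NAME} can delete workloads in every namespace" >&2
  fi
  dashboard_token
}

# Run as: bash dashboard-rbac.sh apply   (sourcing the file defines functions only)
case "${1:-}" in
  apply) main ;;
esac
```

The kubectl auth can-i --as check is the cheapest way to confirm a binding did what you intended: it is answered from RBAC on the API server, so you see the same verdict the Dashboard will get without ever handling a token. Run it once with CLUSTER_ROLE=view and once with cluster-admin to see the delete check flip from "no" to "yes".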

Summary

In this Kubernetes tutorial, you have learned how to create a service account and cluster role binding for the Kubernetes Dashboard. By understanding the importance of service accounts and cluster role bindings, you can ensure secure access to your Kubernetes cluster and effectively manage your applications and resources using the Kubernetes Dashboard.
