{"id":10097,"date":"2022-04-12T17:07:36","date_gmt":"2022-04-12T11:37:36","guid":{"rendered":"https:\/\/opstree.com\/blog\/\/?p=10097"},"modified":"2022-04-12T17:07:36","modified_gmt":"2022-04-12T11:37:36","slug":"know-the-role-of-k8s-service-account-in-granting-access","status":"publish","type":"post","link":"https:\/\/opstree.com\/blog\/2022\/04\/12\/know-the-role-of-k8s-service-account-in-granting-access\/","title":{"rendered":"Know the Role of K8S Service Account in Granting Access"},"content":{"rendered":"\n<p class=\"has-text-align-justify\">When you access the API Server through kubectl, you are authenticated through the API controller. But have you ever wondered how to do the same from the pod side? This is where the Service Account comes into play. As the k8s definition itself says, <strong>&#8220;Processes in containers inside pods can also contact the apiserver. When they do, they are authenticated as a particular Service Account (for example, default).&#8221;<\/strong><\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Things we should know about Service Accounts:<\/h4>\n\n\n\n<ul><li>Created in a namespace.<\/li><li>Used to allow processes inside pods to access the API Server.<\/li><li>Default service account = default (no access to the API server).<\/li><li>Create your own service account.<ul><li>Use it in a <strong>RoleBinding<\/strong> or <strong>ClusterRoleBinding<\/strong>.<\/li><li>Use the service account secret to obtain the authentication token &amp; CA certificate.<\/li><\/ul><\/li><\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">What we will be covering today:<\/h4>\n\n\n\n<ul><li>Creating a pod (which automatically gets the default Service Account)<\/li><li>Creating a Service Account<\/li><li>Creating a deployment that uses the <strong><em>appsa<\/em><\/strong> Service Account<\/li><li>RBAC<\/li><\/ul>\n\n\n\n<!--more-->\n\n\n\n<figure class=\"wp-block-image size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" 
src=\"https:\/\/opstree.com\/blog\/\/wp-content\/uploads\/2022\/03\/image.png?w=1024\" alt=\"\" class=\"wp-image-10102\" width=\"798\" height=\"322\" \/><\/figure>\n\n\n\n<p><strong>STEP 1: <\/strong><br>Creating a pod without specifying any Service Account. Since we are not specifying a Service Account here, the pod will pick up the default Service Account.<\/p>\n\n\n\n<pre class=\"wp-block-verse has-dark-gray-background-color has-text-color has-background\" style=\"color:#33ff76;\">kubectl run -it --rm alpine --image=alpine -- sh<\/pre>\n\n\n\n<p class=\"has-text-align-justify\">A Service Account provides its own secrets, which are mounted into the pod by default. Those credentials are located at,<\/p>\n\n\n\n<pre class=\"wp-block-verse has-dark-gray-background-color has-text-color has-background\" style=\"color:#33ff76;\"># cd \/var\/run\/secrets\/kubernetes.io\/serviceaccount \n# ls \nca.crt    namespace  token<\/pre>\n\n\n\n<p class=\"has-text-align-justify\">Here, we will be using ca.crt &amp; token.<\/p>\n\n\n\n<p class=\"has-text-align-justify\"><strong>ca.crt<\/strong> &#8211; used to make the TLS connection with the API Server through curl.<\/p>\n\n\n\n<p><strong>token<\/strong> &#8211; <strong><em>jwt<\/em><\/strong> token, used to authenticate to the cluster.<\/p>\n\n\n\n<p>With the <strong><em>jwt<\/em><\/strong> utility, you can see the contents of the token,<\/p>\n\n\n\n<pre class=\"wp-block-verse has-dark-gray-background-color has-text-color has-background\" style=\"color:#33ff76;\">jwt &lt;token&gt;<\/pre>\n\n\n\n<figure class=\"wp-block-image size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/opstree.com\/blog\/\/wp-content\/uploads\/2022\/03\/image-1.png?w=1024\" alt=\"\" class=\"wp-image-10106\" width=\"632\" height=\"352\" \/><\/figure>\n\n\n\n<p class=\"has-text-align-justify\">As you can see in the above image, this pod is using the default service account &amp; namespace as 
well.<\/p>\n\n\n\n<p><strong>STEP 2: <\/strong><\/p>\n\n\n\n<p class=\"has-text-align-justify\">Before creating the Service Account, you can check its manifest with the command below.<\/p>\n\n\n\n<pre class=\"wp-block-verse has-dark-gray-background-color has-text-color has-background\" style=\"color:#33ff76;\">kubectl create serviceaccount appsa --dry-run=client -o yaml \n\nOUTPUT: \napiVersion: v1 \nkind: ServiceAccount \nmetadata:  \n   creationTimestamp: null\n   name: appsa\n<\/pre>\n\n\n\n<p>Finally, create the Service Account,<\/p>\n\n\n\n<pre class=\"wp-block-verse has-dark-gray-background-color has-text-color has-background\" style=\"color:#33ff76;\">kubectl create serviceaccount appsa<\/pre>\n\n\n\n<p>Checking the Service Account,<\/p>\n\n\n\n<pre class=\"wp-block-verse has-dark-gray-background-color has-text-color has-background\" style=\"color:#33ff76;\">kubectl get sa \n\nOUTPUT: \nNAME      SECRETS   AGE\nappsa     1         2s\ndefault   1         18d<\/pre>\n\n\n\n<p class=\"has-text-align-justify\">Whenever we create a Service Account, we are also provided with a secret attached to it. To list it,<\/p>\n\n\n\n<pre class=\"wp-block-verse has-dark-gray-background-color has-text-color has-background\" style=\"color:#33ff76;\">kubectl get secret \n\nOUTPUT: \n\nNAME                  TYPE                                  DATA   AGE\nappsa-token-fzmbd     kubernetes.io\/service-account-token   3      105s\ndefault-token-st8t8   kubernetes.io\/service-account-token   3      18d<\/pre>\n\n\n\n<p class=\"has-text-align-justify\">To get the token, you can use the command below.<\/p>\n\n\n\n<pre class=\"wp-block-verse has-dark-gray-background-color has-text-color has-background\" style=\"color:#33ff76;\">kubectl get secret appsa-token-fzmbd -o yaml<\/pre>\n\n\n\n<p><strong>OUTPUT:<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image size-large 
is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/opstree.com\/blog\/\/wp-content\/uploads\/2022\/03\/image-2.png?w=1024\" alt=\"\" class=\"wp-image-10108\" width=\"632\" height=\"138\" \/><\/figure>\n\n\n\n<p><strong>NOTE: The above image contains very critical information, so kindly do not share it with anyone else.<\/strong><\/p>\n\n\n\n<p class=\"has-text-align-justify\">Also, you can see that we got the <strong><em>ca.crt, namespace &amp; token<\/em><\/strong>. As we all know, tokens in k8s are base64 encoded, so to decode the token we will use the command below,<\/p>\n\n\n\n<pre class=\"wp-block-verse has-dark-gray-background-color has-text-color has-background\" style=\"color:#33ff76;\">echo &lt;token&gt; | base64 -d \n\n# -d = decode<\/pre>\n\n\n\n<p class=\"has-text-align-justify\">Now you can use the decoded token to get the information with jwt, as we did earlier.<\/p>\n\n\n\n<pre class=\"wp-block-verse has-dark-gray-background-color has-text-color has-background\" style=\"color:#33ff76;\">jwt &lt;decoded token&gt;<\/pre>\n\n\n\n<p><strong>STEP 3:<\/strong><\/p>\n\n\n\n<p>Here, we will be creating a <strong><em>deployment.yaml<\/em><\/strong>,<\/p>\n\n\n\n<figure class=\"wp-block-image size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/opstree.com\/blog\/\/wp-content\/uploads\/2022\/03\/deployment.png?w=656\" alt=\"\" class=\"wp-image-10120\" width=\"629\" height=\"980\" \/><\/figure>\n\n\n\n<p>Applying it,<\/p>\n\n\n\n<pre class=\"wp-block-verse has-dark-gray-background-color has-text-color has-background\" style=\"color:#33ff76;\">kubectl apply -f deployment.yaml<\/pre>\n\n\n\n<p>Checking,<\/p>\n\n\n\n<pre class=\"wp-block-verse has-dark-gray-background-color has-text-color has-background\" style=\"color:#33ff76;\">kubectl get deploy \n\nOUTPUT: \n\nNAME                        READY      UP-TO-DATE      AVAILABLE     AGE\nsa-deployment         1\/1                      1                
                1                  15s<\/pre>\n\n\n\n<p>Now describe the pod that was created from this deployment.<\/p>\n\n\n\n<pre class=\"wp-block-verse has-dark-gray-background-color has-text-color has-background\" style=\"color:#33ff76;\">kubectl describe pod &lt;pod name&gt; \n\nOUTPUT: \n\nMounts:\n            \/var\/run\/secrets\/kubernetes.io\/serviceaccount from appsa-token-fzmbd (ro)<\/pre>\n\n\n\n<p class=\"has-text-align-justify\">As you can see, the token of Service Account <strong><em>appsa<\/em><\/strong> is automatically mounted into this pod.<\/p>\n\n\n\n<p>Now, log in to the deployment pod with,<\/p>\n\n\n\n<pre class=\"wp-block-verse has-dark-gray-background-color has-text-color has-background\" style=\"color:#33ff76;\">kubectl exec -it &lt;pod name&gt; -- sh<\/pre>\n\n\n\n<p>Create variables for the certificate &amp; token,<\/p>\n\n\n\n<pre class=\"wp-block-verse has-dark-gray-background-color has-text-color has-background\" style=\"color:#33ff76;\">CA=\/run\/secrets\/kubernetes.io\/serviceaccount\/ca.crt \n\nTOKEN=$(cat \/run\/secrets\/kubernetes.io\/serviceaccount\/token)<\/pre>\n\n\n\n<p class=\"has-text-align-justify\">Now we will hit the k8s API server with the GET request below,<\/p>\n\n\n\n<pre class=\"wp-block-verse has-dark-gray-background-color has-text-color has-background\" style=\"color:#33ff76;\">curl --cacert $CA -X GET https:\/\/kubernetes\/api --header \"Authorization: Bearer $TOKEN\"\n\nOUTPUT:\n\n{\n  \"kind\": \"APIVersions\",\n  \"versions\": [\n    \"v1\"\n  ],\n  \"serverAddressByClientCIDRs\": [\n    {\n      \"clientCIDR\": \"0.0.0.0\/0\",\n      \"serverAddress\": \"ip-10-0-48-60.us-east-2.compute.internal:443\"\n    }\n  ]\n}<\/pre>\n\n\n\n<p><strong><em>NOTE:<\/em><\/strong> It is recommended to use both CA &amp; Token. If you don&#8217;t want to use <strong><em>ca.crt<\/em><\/strong>, you can pass the option <strong>--insecure<\/strong> to the curl command instead, but this disables verification of the API server&#8217;s certificate.<\/p>\n\n\n\n<p 
class=\"has-text-align-justify\">Although we can successfully authenticate to the API server, we still don&#8217;t have any kind of access over the cluster. As we all know, access to k8s resources can be provided through RBAC.<\/p>\n\n\n\n<p><strong>STEP 4:<\/strong><br>We will be creating a <strong><em>role.yaml<\/em><\/strong> for the service account. Access is granted only to list out the pods.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/opstree.com\/blog\/\/wp-content\/uploads\/2022\/03\/image-3.png?w=730\" alt=\"\" class=\"wp-image-10112\" width=\"629\" height=\"425\" \/><\/figure>\n\n\n\n<p>Apply,<\/p>\n\n\n\n<pre class=\"wp-block-verse has-dark-gray-background-color has-text-color has-background\" style=\"color:#33ff76;\">kubectl apply -f role.yaml<\/pre>\n\n\n\n<p>Now we will create a rolebinding.yaml,<\/p>\n\n\n\n<figure class=\"wp-block-image size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/opstree.com\/blog\/\/wp-content\/uploads\/2022\/03\/image-4.png?w=730\" alt=\"\" class=\"wp-image-10114\" width=\"629\" height=\"459\" \/><\/figure>\n\n\n\n<p>Apply,<\/p>\n\n\n\n<pre class=\"wp-block-verse has-dark-gray-background-color has-text-color has-background\" style=\"color:#33ff76;\">kubectl apply -f rolebinding.yaml<\/pre>\n\n\n\n<p>Now move into the deployment pod &amp; hit the below curl,<\/p>\n\n\n\n<pre class=\"wp-block-verse has-dark-gray-background-color has-text-color has-background\" style=\"color:#33ff76;\">curl --cacert $CA -X GET https:\/\/kubernetes\/api\/v1\/namespaces\/default\/pods --header \"Authorization: Bearer $TOKEN\" | head -n 10<\/pre>\n\n\n\n<p><strong>OUTPUT:<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-verse has-dark-gray-background-color has-text-color has-background\" style=\"color:#33ff76;\">  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current\n                                 Dload  Upload   
Total   Spent    Left  Speed\n  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0{\n  \"kind\": \"PodList\",\n  \"apiVersion\": \"v1\",\n  \"metadata\": {\n    \"resourceVersion\": \"3561361\"\n  },\n  \"items\": [\n    {\n      \"metadata\": {\n        \"name\": \"sa-deployment-569fd7c496-vh7h2\",\n        \"generateName\": \"sa-deployment-569fd7c496-\",\n        \"namespace\": \"default\",\n        \"uid\": \"94cf84e3-02f8-4191-87a5-48fe93404560\",\n        \"resourceVersion\": \"3539771\",\n        \"creationTimestamp\": \"2022-02-01T09:11:21Z\",\n        \"labels\": {\n          \"app\": \"sa\",\n          \"pod-template-hash\": \"569fd7c496\"\n        },\n        \"annotations\": {\n100  7057    0  7057    0     0   287k      0 --:--:-- --:--:-- --:--:--  287k<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Voila!<\/h3>\n\n\n\n<h3 class=\"wp-block-heading\">Conclusion<\/h3>\n\n\n\n<p class=\"has-text-align-justify\">A Service Account comes into the picture mostly when you are running a third-party application in your cluster and that app needs to access other applications running in different namespaces.<\/p>\n\n\n\n<p class=\"has-text-align-justify\">I hope you guys have enjoyed the blog. Feel free to submit any feedback or suggestions; I&#8217;ll be happy to work on it.<\/p>\n\n\n\n<p>Happy Learning \ud83d\ude0a <\/p>\n\n\n\n<p><br><strong style=\"font-weight:bold;\">Blog Pundit:<\/strong> <a href=\"https:\/\/opstree.com\/blog\/\/author\/bhupendersinghb5dca0b393\/\"><strong>Bhupender Rawat<\/strong><\/a>, <a href=\"https:\/\/opstree.com\/blog\/\/author\/adeel109\/\"><strong>Adeel<\/strong> <strong>Ahmad<\/strong><\/a> and <a rel=\"noreferrer noopener\" href=\"https:\/\/opstree.com\/blog\/\/author\/sandeep7c51ad81ba\/\" target=\"_blank\"><strong>Sandeep Rawat<\/strong><\/a><\/p>\n\n\n\n<p><strong><a 
href=\"https:\/\/www.opstree.com\/contact-us?utm_source=blog&amp;utm_medium=wordpress+&amp;utm_campaign=Know-the-Role-of-K8S-Service-Account-in-Granting-Access\">Opstree<\/a><\/strong> is an End to End DevOps solution provider<\/p>\n\n\n\n<p class=\"has-text-align-center\"><strong>Connect Us <\/strong><\/p>\n\n\n\n<ul class=\"wp-block-social-links aligncenter is-content-justification-right is-layout-flex wp-container-core-social-links-is-layout-1 wp-block-social-links-is-layout-flex\"><li class=\"wp-social-link wp-social-link-linkedin  wp-block-social-link\"><a href=\"https:\/\/www.linkedin.com\/company\/opstree-solutions\" class=\"wp-block-social-link-anchor\" target=\"_blank\" rel=\"noopener\"><span class=\"wp-block-social-link-label screen-reader-text\">LinkedIn<\/span><\/a><\/li>\n\n<li class=\"wp-social-link wp-social-link-youtube  wp-block-social-link\"><a href=\"https:\/\/www.youtube.com\/channel\/UCeLma6SpNYH7jjYKSBNSexw\" class=\"wp-block-social-link-anchor\" target=\"_blank\" rel=\"noopener\"><span class=\"wp-block-social-link-label screen-reader-text\">YouTube<\/span><\/a><\/li>\n\n<li class=\"wp-social-link wp-social-link-github  wp-block-social-link\"><a href=\"https:\/\/github.com\/OpsTree\" class=\"wp-block-social-link-anchor\" target=\"_blank\" rel=\"noopener\"><span class=\"wp-block-social-link-label screen-reader-text\">GitHub<\/span><\/a><\/li>\n\n<li class=\"wp-social-link wp-social-link-facebook  wp-block-social-link\"><a href=\"https:\/\/www.facebook.com\/opstree\" class=\"wp-block-social-link-anchor\" target=\"_blank\" rel=\"noopener\"><span class=\"wp-block-social-link-label screen-reader-text\">Facebook<\/span><\/a><\/li>\n\n<li class=\"wp-social-link wp-social-link-medium  wp-block-social-link\"><a href=\"https:\/\/medium.com\/buildpiper\" class=\"wp-block-social-link-anchor\" target=\"_blank\" rel=\"noopener\"><span 
class=\"wp-block-social-link-label screen-reader-text\">Medium<\/span><\/a><\/li><\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Have you ever wondered that when you access the API Server through kubectl you are authenticated through the API controller, but how will you do the same from the pod side? Here the Service Account role comes into play. As k8s definition itself says &#8220;Processes in containers inside pods can also contact the apiserver. When &hellip; <a href=\"https:\/\/opstree.com\/blog\/2022\/04\/12\/know-the-role-of-k8s-service-account-in-granting-access\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;Know the Role of K8S Service Account in Granting Access&#8221;<\/span><\/a><\/p>\n","protected":false},"author":211160191,"featured_media":29900,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_coblocks_attr":"","_coblocks_dimensions":"","_coblocks_responsive_height":"","_coblocks_accordion_ie_support":"","jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","enabled":false},"version":2}},"categories":[28070474],"tags":[1301809,460,32466874,768739309,644981271,6415054,4996032],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"https:\/\/opstree.com\/blog\/wp-content\/uploads\/2025\/11\/DevSecOps-1.jpg","jetpack_likes_enabled":true,"jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/pfDBOm-2CR","jetpack-related-posts":[],"_links":{"self":[{"href":"https:\/\/opstree.com\/blog\/wp-json\/wp\/v2\/posts\/10097"}],"collection":[{"href":"ht
tps:\/\/opstree.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/opstree.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/opstree.com\/blog\/wp-json\/wp\/v2\/users\/211160191"}],"replies":[{"embeddable":true,"href":"https:\/\/opstree.com\/blog\/wp-json\/wp\/v2\/comments?post=10097"}],"version-history":[{"count":23,"href":"https:\/\/opstree.com\/blog\/wp-json\/wp\/v2\/posts\/10097\/revisions"}],"predecessor-version":[{"id":10437,"href":"https:\/\/opstree.com\/blog\/wp-json\/wp\/v2\/posts\/10097\/revisions\/10437"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/opstree.com\/blog\/wp-json\/wp\/v2\/media\/29900"}],"wp:attachment":[{"href":"https:\/\/opstree.com\/blog\/wp-json\/wp\/v2\/media?parent=10097"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/opstree.com\/blog\/wp-json\/wp\/v2\/categories?post=10097"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/opstree.com\/blog\/wp-json\/wp\/v2\/tags?post=10097"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}