Container Service for Kubernetes:Use ServiceAccount token volume projection

Prerequisites

• An ACK managed cluster, ACK dedicated cluster, or ACK Serverless cluster that runs Kubernetes 1.20 or later is created. For more information, see Create an ACK managed cluster, Create an ACK dedicated cluster, and Create an ACK Serverless cluster.

• The ServiceAccount token volume projection feature is enabled during the cluster creation process.

  By default, the ServiceAccount token volume projection feature is enabled in clusters that run Kubernetes 1.22 or later. To upgrade the cluster, see Manually update ACK clusters.

  The API server and controller-manager of system components automatically enable the feature gate for binding ServiceAccount token volume projection, and add the following configuration in the startup parameters of the API server.

  Parameter	Description	Default value	Console configuration
  service-account-issuer	The issuer of the ServiceAccount token, which corresponds to the iss field in the token payload.	https://kubernetes.default.svc	Supported.
  api-audiences	The identifiers of the API, used to validate the request tokens for the API server service.	https://kubernetes.default.svc	Supported. More than one audience can be configured, separated by commas (,).
  service-account-signing-key-file	The file path of the private key that signs the token.	/etc/kubernetes/pki/sa.key	Not supported. Default value: /etc/kubernetes/pki/sa.key.

Step 1: Create a ServiceAccount object

By default, each namespace comes with a default ServiceAccount, which you can view by running the kubectl get serviceaccounts command. To assign additional identities to processes running in the pod, you can create a new ServiceAccount by using the following code:

kubectl apply -f - <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: build-robot
EOF

After the ServiceAccount is created, you can view the complete information of the ServiceAccount by running the kubectl get serviceaccounts/build-robot -o yaml command.

Step 2: Deploy a pod application that uses ServiceAccount token volume projection

You can project the ServiceAccount into a pod as a volume, allowing the container in the pod to use the token to access the API server of the cluster and authenticate with the ServiceAccount. For example, you can specify the audience, expiration time (expirationSeconds), and other properties of the token, and project these into an application that runs in the pod.

1. Create a file named nginx.yaml with the following sample code. This configuration specifies that the pod uses a ServiceAccount with an audience of vault and an expiration time of 2 hours.

   apiVersion: v1
   kind: Pod
   metadata:
     name: nginx
   spec:
     containers:
     - image: nginx
       name: nginx
       volumeMounts:
       - mountPath: /var/run/secrets/tokens
         name: vault-token
     serviceAccountName: build-robot
     volumes:
     - name: vault-token
       projected:
         sources:
         - serviceAccountToken:
             path: vault-token
             expirationSeconds: 7200
             audience: vault

2. Run the following command to deploy an application running in the pod that uses volume projection:

   kubectl apply -f nginx.yaml

3. Verify the expiration time of the token mounted in the pod.

   1. Run the following command to confirm that the pod runs as expected:

      kubectl get pod nginx

      Expected output:

      NAME    READY   STATUS    RESTARTS   AGE
      nginx   1/1     Running   0          3m15s

   2. Download the token mounted in the container of the pod:

      kubectl exec -t nginx -- cat /var/run/secrets/tokens/vault-token > vault-token

   3. Run the following command to get the token expiration time:

      cat vault-token |awk -F '.' '{print $2}' |base64 -d 2>/dev/null |jq  '.exp' | xargs -I {} date -d @{}

      Sample output:

      Mon  Aug 26 15:45:59 CST 2024