1. How many Service Accounts exist in the default namespace?
controlplane ~ ➜ k get serviceaccounts
NAME SECRETS AGE
default 0 12m
dev 0 31s
answer : 2
2. What is the secret token used by the default service account?
controlplane ~ ➜ kubectl describe serviceaccount default
Name: default
Namespace: default
Labels: <none>
Annotations: <none>
Image pull secrets: <none>
Mountable secrets: <none>
Tokens: <none>
Events: <none>
answer : none
3. We just deployed the Dashboard application. Inspect the deployment. What is the image used by the deployment?
controlplane ~ ➜ k get deployments.apps
NAME READY UP-TO-DATE AVAILABLE AGE
web-dashboard 1/1 1 1 5m31s
controlplane ~ ➜ k describe deployments.apps web-dashboard
Name: web-dashboard
Namespace: default
CreationTimestamp: Sun, 28 Jul 2024 07:35:42 +0000
Labels: <none>
Annotations: deployment.kubernetes.io/revision: 1
Selector: name=web-dashboard
Replicas: 1 desired | 1 updated | 1 total | 1 available | 0 unavailable
StrategyType: RollingUpdate
MinReadySeconds: 0
RollingUpdateStrategy: 25% max unavailable, 25% max surge
Pod Template:
Labels: name=web-dashboard
Containers:
web-dashboard:
Image: gcr.io/kodekloud/customimage/my-kubernetes-dashboard
answer : gcr.io/kodekloud/customimage/my-kubernetes-dashboard
4. Wait for the deployment to be ready. Access the custom-dashboard by clicking on the link to dashboard portal.
5. What is the state of the dashboard? Have the pod details loaded successfully?
answer : Failed
6. What type of account does the Dashboard application use to query the Kubernetes API?
answer : Service Account
7. Which account does the Dashboard application use to query the Kubernetes API?
answer : default
8. Inspect the Dashboard Application POD and identify the Service Account mounted on it.
controlplane ~ ✖ kubectl get po -o yaml
apiVersion: v1
items:
- apiVersion: v1
  kind: Pod
  metadata:
    creationTimestamp: "2024-07-28T07:35:42Z"
    generateName: web-dashboard-6cbbc88b59-
    labels:
      name: web-dashboard
      pod-template-hash: 6cbbc88b59
    name: web-dashboard-6cbbc88b59-zp2mm
    namespace: default
    ownerReferences:
    - apiVersion: apps/v1
      blockOwnerDeletion: true
      controller: true
      kind: ReplicaSet
      name: web-dashboard-6cbbc88b59
      uid: 3aaa20ac-82c2-4675-a8c1-a9d203684ce1
    resourceVersion: "933"
    uid: adec5d7f-f5ee-4dab-be46-026d0bc14d22
  spec:
    containers:
    - env:
      - name: PYTHONUNBUFFERED
        value: "1"
      image: gcr.io/kodekloud/customimage/my-kubernetes-dashboard
      imagePullPolicy: Always
      name: web-dashboard
      ports:
      - containerPort: 8080
        protocol: TCP
      resources: {}
      terminationMessagePath: /dev/termination-log
      terminationMessagePolicy: File
      volumeMounts:
      - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
        name: kube-api-access-dhfts
        readOnly: true
answer : default
9. At what location are the ServiceAccount credentials available within the pod?
controlplane ~ ✖ kubectl describe pod
Name: web-dashboard-6cbbc88b59-zp2mm
Namespace: default
Priority: 0
Service Account: default
Node: controlplane/192.11.61.8
Start Time: Sun, 28 Jul 2024 07:35:42 +0000
Labels: name=web-dashboard
pod-template-hash=6cbbc88b59
Annotations: <none>
Status: Running
IP: 10.42.0.9
IPs:
IP: 10.42.0.9
Controlled By: ReplicaSet/web-dashboard-6cbbc88b59
Containers:
web-dashboard:
Container ID: containerd://801544564fd8d951f1c127cd4b98a54b182e87f4638c57c305484a8427e93f77
Image: gcr.io/kodekloud/customimage/my-kubernetes-dashboard
Image ID: gcr.io/kodekloud/customimage/my-kubernetes-dashboard@sha256:7d70abe342b13ff1c4242dc83271ad73e4eedb04e2be0dd30ae7ac8852193069
Port: 8080/TCP
Host Port: 0/TCP
State: Running
Started: Sun, 28 Jul 2024 07:35:46 +0000
Ready: True
Restart Count: 0
Environment:
PYTHONUNBUFFERED: 1
Mounts:
/var/run/secrets/kubernetes.io/serviceaccount
answer : /var/run/secrets
10. The application needs a ServiceAccount with the right permissions to be created to authenticate to Kubernetes. The default ServiceAccount has limited access. Create a new ServiceAccount named dashboard-sa.
controlplane ~ ➜ kubectl create serviceaccount dashboard-sa
serviceaccount/dashboard-sa created
11. We just added additional permissions for the newly created dashboard-sa account using RBAC. If you are interested, check out the files used to configure RBAC at /var/rbac. We will discuss RBAC in a separate section.
12. Enter the access token in the UI of the dashboard application. Click the Load Dashboard button to load the dashboard. Create an authorization token for the newly created service account, copy the generated token and paste it into the token field of the UI. To do this, run kubectl create token dashboard-sa for the dashboard-sa service account, copy the token and paste it in the UI.
13. You shouldn't have to copy and paste the token each time. The Dashboard application is programmed to read the token from the secret mount location. However, currently the default service account is mounted. Update the deployment to use the newly created ServiceAccount. Edit the deployment to change the ServiceAccount from default to dashboard-sa.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web-dashboard
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      name: web-dashboard
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 25%
    type: RollingUpdate
  template:
    metadata:
      creationTimestamp: null
      labels:
        name: web-dashboard
    spec:
      serviceAccountName: dashboard-sa
      containers:
      - image: gcr.io/kodekloud/customimage/my-kubernetes-dashboard
        imagePullPolicy: Always
        name: web-dashboard
        ports:
        - containerPort: 8080
          protocol: TCP
14. Refresh the Dashboard application UI and you should now see the PODs listed automatically. This time you shouldn't have to put in the token manually.
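To confirm which identity a pod actually presents after the change in step 13, the mounted token can be decoded and its subject and expiry checked. The following is an added example, not part of the original lab or the dashboard's own code; the function names are hypothetical and the sample token is constructed and unsigned.

```python
import base64
import json
import time
from pathlib import Path

# Mount path shown in the pod spec and describe output above.
SA_DIR = Path("/var/run/secrets/kubernetes.io/serviceaccount")

def decode_claims(token):
    """Decode the JWT payload WITHOUT verifying the signature (inspection only)."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT: expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))

def describe_identity(token, now=None):
    """Summarise which ServiceAccount a token represents and whether it has expired."""
    claims = decode_claims(token)
    prefix, _, rest = claims.get("sub", "").partition("system:serviceaccount:")
    if prefix or ":" not in rest:
        raise ValueError("subject is not a ServiceAccount")
    namespace, name = rest.split(":", 1)
    now = time.time() if now is None else now
    exp = claims.get("exp")
    return {
        "namespace": namespace,
        "service_account": name,
        "audiences": claims.get("aud", []),
        "seconds_left": None if exp is None else int(exp - now),
        "expired": exp is not None and now >= exp,
    }

def read_mounted_token(sa_dir=SA_DIR):
    """Read the token file from the ServiceAccount mount inside the pod."""
    return (sa_dir / "token").read_text()

def make_sample_token(name, exp):
    """Constructed, unsigned sample token for the demo; not a real credential."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    claims = {"sub": f"system:serviceaccount:default:{name}", "exp": exp,
              "aud": ["https://kubernetes.default.svc.cluster.local"]}
    return ".".join([b64({"alg": "RS256", "typ": "JWT"}), b64(claims), "c2ln"])

if __name__ == "__main__":
    print(describe_identity(make_sample_token("dashboard-sa", int(time.time()) + 3600)))
```

Inside the pod, describe_identity(read_mounted_token()) should report dashboard-sa once the updated deployment has rolled out; the same function works on the output of kubectl create token dashboard-sa.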