From 3da23fc47609ff5845a43e6f645147cbb7854c5a Mon Sep 17 00:00:00 2001 From: Mischa van den Burg Date: Fri, 5 Apr 2024 10:00:00 +0200 Subject: [PATCH] Automated commit at Fri Apr 5 10:00:00 CEST 2024 --- content/CKS.md | 44 ++++++++++---------- content/RBAC.md | 9 ---- content/Service Account Tokens & Mounting.md | 33 +++++++++++++++ 3 files changed, 54 insertions(+), 32 deletions(-) create mode 100644 content/Service Account Tokens & Mounting.md diff --git a/content/CKS.md b/content/CKS.md index 51bef784d..d650b69a4 100644 --- a/content/CKS.md +++ b/content/CKS.md @@ -6,29 +6,27 @@ # Notes -## Containers - -[[User Space and Kernel Space]] - -[[Containerized applications can do syscalls directly to the Linux Kernel]] - -[[Linux Kernel also has namespaces for isolation]] - -[[Container Isolation]] - -[[Podman and docker commands are exactly the same]] - -## Networking - -[[Network Policies]] - -[[Generating TLS certificate for testing on Kubernetes]] - -## Certificates - -[[Kubernetes users are simply holders of TLS Certificates]] - - +- [[Containers]] + - [[User Space and Kernel Space]] + - [[Containerized applications can do syscalls directly to the Linux Kernel]] + - [[Linux Kernel also has namespaces for isolation]] + - [[Container Isolation]] + - [[Podman and docker commands are exactly the same]] +- [[Networking]] + - [[Network Policies]] + - [[Generating TLS certificate for testing on Kubernetes]] +- [[Certificates]] + - [[Kubernetes users are simply holders of TLS Certificates]] +- [[RBAC]] + - [[There are no Deny rules in Kubernetes RBAC]] + - [[ClusterRoles can be applied to one or more namespaces]] + - [[RBAC permissions are additive]] + - [[Users do not live in the cluster as resources]] + + - [[Service Accounts]] + - [[ServiceAccounts are only used by non-humans]] + - [[Service Account Tokens & Mounting]] + ## Other [[CKS Tips from Sander]] diff --git a/content/RBAC.md b/content/RBAC.md index a698c92f6..c048cacfb 100644 --- a/content/RBAC.md 
+++ b/content/RBAC.md @@ -1,13 +1,4 @@ -[[There are no Deny rules in Kubernetes RBAC]] - -[[ClusterRoles can be applied to one or more namespaces]] - -[[RBAC permissions are additive]] - -[[ServiceAccounts are only used by non-humans]] - -[[Users do not live in the cluster as resources]] ## Links: diff --git a/content/Service Account Tokens & Mounting.md b/content/Service Account Tokens & Mounting.md new file mode 100644 index 000000000..299dbbe50 --- /dev/null +++ b/content/Service Account Tokens & Mounting.md @@ -0,0 +1,33 @@ + +Each Service Account receives a token which is mounted in the pod at + +`/var/run/secrets/kubernetes.io/serviceaccount` + +You can cat the token and inspect it at [JSON Web Tokens - jwt.io](https://jwt.io/) + +The auto mounting can be disabled by configuring either the Service account or the pod as follows: + +```yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: build-robot +automountServiceAccountToken: false +``` + +```yaml +apiVersion: v1 +kind: Pod +metadata: + name: my-pod +spec: + serviceAccountName: build-robot + automountServiceAccountToken: false + ... +``` + +## Links: + + + +202404050951 \ No newline at end of file
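Review bot: In the CKS.md hunk, the Service Accounts group is indented as a child of RBAC (`+  - [[Service Accounts]]`, two leading spaces, with a bare `+ ` blank line in front of it that splits the list), while Containers, Networking, Certificates and RBAC are top-level items; move it to `- [[Service Accounts]]` at top level and drop the blank line so the outline renders as one list. Also note that the former `## Containers`, `## Networking` and `## Certificates` headings are now wikilinks (`[[Containers]]`, `[[Networking]]`, `[[Certificates]]`, `[[Service Accounts]]`), and this patch only creates `Service Account Tokens & Mounting.md`; unless notes with those exact names already exist, these links dangle.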
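Review bot: The RBAC.md hunk removes all five note links and leaves the file with nothing but the `## Links:` heading and its timestamp, so anyone arriving at [[RBAC]] from the CKS.md outline lands on an empty page; either keep the list here as well or add a link back to [[CKS]] where the items now live. Worth calling out in the commit message too: `[[ServiceAccounts are only used by non-humans]]` did not just move, it was regrouped from RBAC to Service Accounts.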
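Review bot: In the new `Service Account Tokens & Mounting.md`, the line "You can cat the token and inspect it at [JSON Web Tokens - jwt.io]" tells the reader to paste a live bearer credential for the pod's identity into a third-party website; a CKS note should instead decode the base64url payload (the middle `.`-separated segment) locally and say why. Three smaller fixes for the same hunk: `/var/run/secrets/kubernetes.io/serviceaccount` is the mount directory, the JWT is the `token` file inside it (next to `ca.crt` and `namespace`); on current Kubernetes (1.24+) the mounted token is a short-lived projected token issued via the TokenRequest API rather than a per-ServiceAccount Secret, so "Each Service Account receives a token" should be reworded; and since the hunk shows `automountServiceAccountToken: false` on both the ServiceAccount and the Pod, state the precedence rule: when both are set, the Pod spec wins. The `## Links:` section is empty and could be dropped or filled.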