Understanding service account token volume projection in Kubernetes
This is the second post of my series of posts where I discuss security in Kubernetes. In the first post, I wrote about service accounts, what they are made up of and their usage.
As mentioned in the first post a service account is made up of a secret. This secret contains a ca.crt
file and a jwt
token. This token is then mounted into the pod. The pod uses this token as a Bearer
token to authenticate its API requests to the API server. While a service account solves the problem of communication between a pod and the API server, there was a need to solve the problem of communication between two different pods running in a cluster.
In Kubernetes 1.2 a new feature was introduced Service Account Token Volume Projection. This feature allows a token issued by the TokenRequest
API of Kubernetes to be mounted into the pod as a projected volume. Unlike the service Account token, this token will have an expiry time. This token will also have additional fields of issuer
and audience
. The issuer
field will refer to the issuing service that has issued the token, in the above setup this will be api
however we can configure an external issuing source. The audience
field will refer to the service that will consume this token. This means that the pod will use this particular token to talk to only a selected number of services in the cluster.
The creating and projection of the service account token is managed by a volume plugin implemented in the kubelet
. As the toke approaches expiration, the kubelet
volume plugin will rotate the service account token.
Service Account Token Volume Projection is mounted into a pod as projected volume.
apiVersion: v1
kind: Pod
metadata:
name: nginx
spec:
containers:
- image: nginx
name: nginx
volumeMounts:
- mountPath: /var/run/secrets/tokens
name: vault-token
serviceAccountName: build-robot
volumes:
- name: vault-token
projected:
sources:
- serviceAccountToken:
path: vault-token
expirationSeconds: 7200
audience: vault
A projected volume enables us to mount into a single directory, volumes from several existing volume sources. The reason that we use a projected volume is that a pod can have different tokens for communication with different services in the cluster.
Conclusion
Service account token volume projection is a feature that builds over the mechanism of the service account. It allows inter-pod communications in a cluster, which is an important requirement of modern applications that primarily based on microservices architecture. This feature is designed as such that we can plugin external services such as Google to the Kubernetes cluster to consume their authentication system.
If you enjoyed reading this blog post, please press the follow button to follow me. This way you will get notified about new interesting posts I publish. Thanks