0
votes

Is it possible to gain k8s cluster access with serviceaccount token?

My script does not have access to a kubeconfig file, however, it does have access to the service account token at /var/run/secrets/kubernetes.io/serviceaccount/token.

Here are the steps I tried, but they are not working.

  1. kubectl config set-credentials sa-user --token=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
  2. kubectl config set-context sa-context --user=sa-user

But when the script ran "kubectl get rolebindings" I get the following error: Error from server (Forbidden): rolebindings.rbac.authorization.k8s.io is forbidden: User "system:serviceaccount:test:default" cannot list resource "rolebindings" in API group "rbac.authorization.k8s.io" in the namespace "test"


2 Answers

2
votes

Is it possible to gain k8s cluster access with serviceaccount token?

Certainly, that's the point of a ServiceAccount token. The question you appear to be asking is "why does my default ServiceAccount not have all the privileges I want", which is a different problem. One will benefit from reading the fine manual on the topic.

If you want the default SA in the test NS to have privileges to read things in its NS, you must create a Role scoped to that NS and then declare the relationship explicitly. SAs do not automatically have those privileges.

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: test
  name: test-default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: whatever-role-you-want
subjects:
- kind: ServiceAccount
  name: default
  namespace: test

but when the script ran "kubectl get pods" I get the following error: Error from server (Forbidden): rolebindings.rbac.authorization.k8s.io is forbidden: User "system:serviceaccount:test:default" cannot list resource "rolebindings" in API group "rbac.authorization.k8s.io" in the namespace "test"

Presumably you mean you can kubectl get rolebindings, because I would not expect running kubectl get pods to emit that error.
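A simplified model of the check behind the Forbidden error, added here as an example (not code from the answer or from Kubernetes): it evaluates the RoleBinding above against a constructed Role to show that the default ServiceAccount is denied until both objects exist, and that the grant stops at the namespace boundary. The Role's rules and all function names are assumptions.

```python
# Simplified model of namespaced RBAC (Role + RoleBinding only); not the API
# server's code. ClusterRoles, groups and resourceNames are left out.

def rule_allows(rule, verb, api_group, resource):
    """A rule matches when each list holds the requested value or '*'."""
    def has(key, wanted):
        return "*" in rule.get(key, []) or wanted in rule.get(key, [])
    return has("verbs", verb) and has("apiGroups", api_group) and has("resources", resource)

def binds(binding, sa_namespace, sa_name):
    """True if the binding lists this ServiceAccount as a subject."""
    return any(s.get("kind") == "ServiceAccount" and s.get("name") == sa_name
               and s.get("namespace") == sa_namespace
               for s in binding.get("subjects", []))

def can_i(user, verb, api_group, resource, namespace, roles, bindings):
    """Return True if a RoleBinding in `namespace` grants the request."""
    prefix, _, rest = user.partition("system:serviceaccount:")
    if prefix or ":" not in rest:
        raise ValueError("not a service account username: %r" % user)
    sa_namespace, sa_name = rest.split(":", 1)
    for b in bindings:
        if (b["metadata"]["namespace"] != namespace or b["roleRef"]["kind"] != "Role"
                or not binds(b, sa_namespace, sa_name)):
            continue
        for r in roles:  # a RoleBinding resolves a Role in its own namespace
            if (r["metadata"]["namespace"] == namespace
                    and r["metadata"]["name"] == b["roleRef"]["name"]
                    and any(rule_allows(x, verb, api_group, resource) for x in r.get("rules", []))):
                return True
    return False  # nothing matched: RBAC denies by default

# The RoleBinding from the answer above.
BINDING = {
    "metadata": {"namespace": "test", "name": "test-default"},
    "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "Role",
                "name": "whatever-role-you-want"},
    "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "test"}],
}
# Constructed Role (assumption; the page does not show its rules): read-only on rolebindings.
ROLE = {
    "metadata": {"namespace": "test", "name": "whatever-role-you-want"},
    "rules": [{"apiGroups": ["rbac.authorization.k8s.io"],
               "resources": ["rolebindings"], "verbs": ["get", "list"]}],
}
USER = "system:serviceaccount:test:default"  # identity named in the Forbidden error
REQUEST = ("list", "rbac.authorization.k8s.io", "rolebindings")

if __name__ == "__main__":
    print(can_i(USER, *REQUEST, "test", [], []), can_i(USER, *REQUEST, "test", [ROLE], [BINDING]))
```

On a live cluster the same question is answered by `kubectl auth can-i list rolebindings -n test --as=system:serviceaccount:test:default`.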

1
votes

Yes, it is possible. For instance, if you log in to the K8S dashboard via a token, it works the same way.

Follow these steps:

Create a service account

$ kubectl -n <your-namespace-optional> create serviceaccount <service-account-name>

A role binding grants the permissions defined in a role to a user or set of users. You can use a predefined role or you can create your own. Check this link for more info: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#rolebinding-example

$ kubectl create clusterrolebinding <binding-name> --clusterrole=cluster-admin --serviceaccount=<namespace>:<service-account-name>

Get the token name

$ TOKENNAME=`kubectl -n <namespace> get serviceaccount/<service-account-name> -o jsonpath='{.secrets[0].name}'`

Finally, get the token and set the credentials

$ kubectl -n <namespace> get secret $TOKENNAME -o jsonpath='{.data.token}'| base64 --decode
$ kubectl config set-credentials <service-account-name> --token=<output from previous command>
$ kubectl config set-context --current --user=<service-account-name>

If you follow these steps carefully your problem will be solved.