Users in Kubernetes: service accounts

  data:
    ca.crt: ( LOT OF DATA )
    namespace: ZGVmYXVsdA==          # base64 of "default"
    token: ( JSON web token signed by the API server )
  kind: Secret
  type: kubernetes.io/service-account-token
  metadata:
    # ...

  Everything under data: is base64, so the token is one decode away from being a usable bearer credential.
• A token (and an associated user) for talking to the API server.
• The only way to create users through the API.
  ◦ Credentials are stored in secrets, be careful! Anyone who can read that Secret (get secrets in the namespace) holds the service account's bearer token.
• Can be used from outside the cluster.
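To make the "be careful" concrete, here is an added example (not from the slides) that takes a Secret of type kubernetes.io/service-account-token in the shape shown above, base64-decodes the namespace and token fields, and reads the token's claims to show exactly which identity a reader of that Secret has just obtained. The sample Secret, its name, and the HMAC key used to build the sample token are constructed so the code runs offline; real tokens are RS256-signed by the API server, but the claim names used here are the genuine legacy service-account claims.

```python
import base64
import hashlib
import hmac
import json


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    # JWT segments drop padding; restore it before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


# Throwaway key so a sample token can be built offline. A real service-account
# token is RS256-signed by the API server's private key; only the claim layout
# below is the genuine one, the key and signature here are constructed.
_DEMO_KEY = b"constructed-demo-key-not-an-api-server-key"


def make_demo_token(namespace: str, sa_name: str, secret_name: str) -> str:
    """Build a constructed legacy service-account JWT using the real claim names."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": "kubernetes/serviceaccount",
        "kubernetes.io/serviceaccount/namespace": namespace,
        "kubernetes.io/serviceaccount/secret.name": secret_name,
        "kubernetes.io/serviceaccount/service-account.name": sa_name,
        "sub": f"system:serviceaccount:{namespace}:{sa_name}",
    }
    signing_input = (b64url_encode(json.dumps(header).encode()) + "."
                     + b64url_encode(json.dumps(claims).encode()))
    sig = hmac.new(_DEMO_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def jwt_claims(token: str) -> dict:
    """Decode the claims of a compact JWT without checking its signature.
    Fine for inspecting a token you already hold; never use unverified
    claims to make an authorization decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))


def inspect_sa_secret(secret: dict) -> dict:
    """Summarise a service-account-token Secret: which identity it authenticates
    as, and whether the token's namespace claim agrees with the Secret's own
    namespace field."""
    if secret.get("type") != "kubernetes.io/service-account-token":
        raise ValueError("not a service-account token secret: %r" % secret.get("type"))
    data = secret["data"]
    # Every value under data: is base64; the token is a JWT only after decoding.
    namespace = base64.b64decode(data["namespace"]).decode()
    token = base64.b64decode(data["token"]).decode()
    claims = jwt_claims(token)
    return {
        "namespace": namespace,
        "subject": claims.get("sub"),
        "service_account": claims.get("kubernetes.io/serviceaccount/service-account.name"),
        "namespace_matches_claim":
            claims.get("kubernetes.io/serviceaccount/namespace") == namespace,
        "has_ca": "ca.crt" in data,
    }


# Constructed sample in the shape shown on the slide; the Secret name is made up.
SAMPLE_SECRET = {
    "kind": "Secret",
    "type": "kubernetes.io/service-account-token",
    "metadata": {"name": "default-token-x7k2p", "namespace": "default"},
    "data": {
        "ca.crt": base64.b64encode(
            b"-----BEGIN CERTIFICATE-----\n...constructed...\n-----END CERTIFICATE-----\n").decode(),
        "namespace": "ZGVmYXVsdA==",  # base64("default"), exactly as on the slide
        "token": base64.b64encode(
            make_demo_token("default", "default", "default-token-x7k2p").encode()).decode(),
    },
}

if __name__ == "__main__":
    print(json.dumps(inspect_sa_secret(SAMPLE_SECRET), indent=2))
```

The sub claim is the user name RBAC sees (system:serviceaccount:NAMESPACE:NAME), which is why read access to Secrets in a namespace is effectively the union of every service account that lives there.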
• A permission is a subject, verb, resource, and namespace.
  ◦ User A can create pods in namespace B.
• Cannot:
  ◦ Refer to a single object in a namespace.
  ◦ Refer to arbitrary fields in a resource.
• Can:
  ◦ Refer to subresources (e.g. nodes/status). The subresource is matched as its own name: a rule on nodes does not grant nodes/status, and vice versa.

  Later RBAC releases do allow naming individual objects via resourceNames, but only for verbs whose request carries the object name (get, update, patch, delete), not create, list or watch; restricting individual fields is still not something RBAC can express.
• You must already hold the power of a role to bind a user to that role.
  ◦ If you don't have the ability to create secrets, you can't give someone else that power.
• Currently you get around this with a bootstrapping flag that lets a user sidestep this check.

  In later RBAC releases the same rule reads: you may bind a role only if you already hold every permission it grants, or hold the bind verb on that specific role; escalate is the analogous verb for creating or updating a role with permissions you do not have yourself.
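The two rules above (how a rule matches a request, including the subresource distinction, and the "you can only hand out power you already hold" binding check) are small enough to model end to end. The following is an added example, not code from the slides or from Kubernetes: a toy namespaced RBAC authorizer in which a role is a list of rules, each rule is verbs over resources with an optional resourceNames restriction, and bind() refuses any binding whose role is not fully covered by what the binder already holds in that namespace. The users, namespaces and roles in demo() are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One RBAC rule: verbs over resources. Subresources are written as
    resource/subresource (e.g. pods/log). resource_names is the optional
    object-level restriction; empty means every object of that kind."""
    verbs: frozenset
    resources: frozenset
    resource_names: frozenset = frozenset()


@dataclass(frozen=True)
class Request:
    subject: str
    verb: str
    resource: str
    namespace: str
    name: str = ""


def rule_allows(rule: Rule, req: Request) -> bool:
    if "*" not in rule.verbs and req.verb not in rule.verbs:
        return False
    # "pods/log" is matched as its own string: a rule on "pods" does not
    # grant "pods/log", and a rule on "pods/log" does not grant "pods".
    if "*" not in rule.resources and req.resource not in rule.resources:
        return False
    if rule.resource_names and req.name not in rule.resource_names:
        return False
    return True


def grant_matches(g: Rule, verb: str, resource: str, name: str) -> bool:
    """Does held rule g permit this single (verb, resource, name) triple?
    A wildcard in the role being bound is only covered by a wildcard grant."""
    verb_ok = "*" in g.verbs or (verb != "*" and verb in g.verbs)
    res_ok = "*" in g.resources or (resource != "*" and resource in g.resources)
    # A grant limited to named objects cannot cover a rule over all objects.
    name_ok = not g.resource_names or (name != "" and name in g.resource_names)
    return verb_ok and res_ok and name_ok


def covers(held: list, rule: Rule) -> bool:
    """True if the held rules permit everything `rule` permits."""
    names = rule.resource_names or frozenset([""])  # "" = any object
    return all(
        any(grant_matches(g, verb, resource, name) for g in held)
        for verb in rule.verbs for resource in rule.resources for name in names
    )


class Authorizer:
    """Toy namespaced RBAC: (subject, namespace) -> rules granted there."""

    def __init__(self):
        self.grants = {}

    def grant(self, subject: str, namespace: str, role: list) -> None:
        self.grants.setdefault((subject, namespace), []).extend(role)

    def allowed(self, req: Request) -> bool:
        held = self.grants.get((req.subject, req.namespace), [])
        return any(rule_allows(r, req) for r in held)

    def bind(self, binder: str, subject: str, namespace: str, role: list) -> bool:
        """Escalation prevention: the binder may hand out a role only if every
        permission in it is already held by the binder in that namespace."""
        held = self.grants.get((binder, namespace), [])
        if not all(covers(held, rule) for rule in role):
            return False
        self.grant(subject, namespace, role)
        return True


def demo() -> dict:
    """Constructed scenario: alice edits pods in team-b and tries to share power."""
    authz = Authorizer()
    pod_editor = [Rule(frozenset({"get", "list", "create"}), frozenset({"pods"}))]
    secret_reader = [Rule(frozenset({"get"}), frozenset({"secrets"}))]
    authz.grant("alice", "team-b", pod_editor)
    return {
        "alice_create_pod": authz.allowed(Request("alice", "create", "pods", "team-b")),
        "alice_create_pod_other_ns": authz.allowed(Request("alice", "create", "pods", "team-a")),
        "alice_get_pod_log": authz.allowed(Request("alice", "get", "pods/log", "team-b")),
        "bind_pods_to_bob": authz.bind("alice", "bob", "team-b", pod_editor),
        "bind_secrets_to_bob": authz.bind("alice", "bob", "team-b", secret_reader),
        "bob_create_pod": authz.allowed(Request("bob", "create", "pods", "team-b")),
        "bob_get_secret": authz.allowed(Request("bob", "get", "secrets", "team-b")),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two things to notice when reading the output: alice's pods rule does not let her read pods/log, and her attempt to give bob secret access is refused because she never held it herself, which is exactly the gap the bootstrapping flag on the slide exists to paper over while the first administrator is created.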