Improved demos

nicholasdille · Nov 13, 2024 · 8847957 · 8847957
1 parent e7cf8f1
commit 8847957
Show file tree

Hide file tree

Showing 2 changed files with 56 additions and 12 deletions.
diff --git a/120_kubernetes/rbac/service_account.md b/120_kubernetes/rbac/service_account.md
@@ -22,28 +22,42 @@ Service account `default` does not have any (Cluster)Role
 
 No need to access Kubernetes API?
 
-Disable token mounting in `Pod`:
+Disable token mounting in the `pod`:
 
-```yaml [2,7]
+```yaml [2,6]
 apiVersion: v1
 kind: Pod
 metadata:
   name: foo
 spec:
-  serviceAccountName: foo
   automountServiceAccountToken: false
 #...
 ```
 
+---
+
+## Prevent token mounting 2/
+
+Disable token mounting in the service account:
+
+```yaml [2,5]
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: foo-noautomount
+automountServiceAccountToken: false
+#...
+```
+
 ### DEMO [<i class="fa fa-comment-code"></i>](https://github.com/nicholasdille/container-slides/blob/master/120_kubernetes/rbac/service_account_automount.runme.md "service_account_automount.runme.md")
 
 ---
 
-## Prevent token mounting 2/2
+## Prevent token mounting 3/3
 
 Can be overridden in the pod spec:
 
-```yaml [2,6]
+```yaml [2,6-7]
 apiVersion: v1
 kind: Pod
 metadata:

diff --git a/120_kubernetes/rbac/service_account_automount.runme.md b/120_kubernetes/rbac/service_account_automount.runme.md
@@ -8,13 +8,19 @@ Show kubernetes service
 kubectl get service kubernetes
 ```
 
-Create sa
+Create sa and deny automounting
 
 ```sh
-kubectl create sa foo
+cat <<EOF | kubectl apply -f -
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: foo-noautomount
+automountServiceAccountToken: false
+EOF
 ```
 
-Create pod with service account
+Create pod with the service account
 
 ```sh
 cat <<EOF | kubectl apply -f -
@@ -23,7 +29,30 @@ kind: Pod
 metadata:
   name: foo-automount
 spec:
-  serviceAccountName: foo
+  serviceAccountName: foo-noautomount
+  containers:
+  - name: nginx
+    image: nginx:stable
+EOF
+```
+
+Check that the service account is not mounted
+
+```sh
+kubectl exec -it foo-automount -- mount | grep secrets || true
+kubectl exec -it foo-automount -- ls -l /run/secrets/kubernetes.io/serviceaccount || true
+```
+
+Enforce automounting the service account
+
+```sh
+cat <<EOF | kubectl apply -f -
+apiVersion: v1
+kind: Pod
+metadata:
+  name: foo-enforce
+spec:
+  serviceAccountName: foo-noautomount
   automountServiceAccountToken: true
   containers:
   - name: nginx
@@ -34,13 +63,14 @@ EOF
 Check automounted service account
 
 ```sh
-kubectl exec -it foo-automount -- mount | grep secrets
-kubectl exec -it foo-automount -- ls -l /run/secrets/kubernetes.io/serviceaccount
+kubectl exec -it foo-enforce -- mount | grep secrets || true
+kubectl exec -it foo-enforce -- ls -l /run/secrets/kubernetes.io/serviceaccount || true
 ```
 
 Create pod without service account
 
 ```sh
+kubectl create sa foo
 cat <<EOF | kubectl apply -f -
 apiVersion: v1
 kind: Pod
@@ -58,5 +88,5 @@ EOF
 Check for service account
 
 ```sh
-kubectl exec -it foo-noautomount -- mount | grep secrets
+kubectl exec -it foo-noautomount -- mount | grep secrets || true
 ```