5.2.2.4. Service Account
In Kubernetes, ServiceAccount is a mechanism that allows applications within the cluster to authenticate when accessing the API server. The private key specified in kube-apiserver and kube-controller-manager is used for signing tokens of these accounts. This ensures secure and verifiable interaction between services and provides the ability for granular access control.
This section creates or connects the key used by Kubernetes to sign ServiceAccount tokens.
Init: Creating ServiceAccount signing key
● Required
HardWay:
    openssl genpkey \
      -algorithm RSA \
      -out /etc/kubernetes/pki/sa.key \
      -pkeyopt rsa_keygen_bits:2048
    openssl rsa \
      -pubout \
      -in /etc/kubernetes/pki/sa.key \
      -out /etc/kubernetes/pki/sa.pub
Kubeadm:
    kubeadm init phase certs sa
Command output
After executing the commands, we get the following output.
#### Kube API certificate generation
[certs] Generating "sa" key and public key
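The following check is an added example, not part of the original guide: it confirms that sa.pub is the public half of sa.key, that a signature made with the private key verifies with the public key (RSA with SHA-256), and that the private key file is not readable by group or others. The function names are hypothetical and `stat -c` assumes GNU coreutils; the same check can be run on a key pair received during the join phase.

```shell
#!/bin/sh
# Added example: sanity checks for a ServiceAccount signing key pair.
# Function names are hypothetical; stat -c assumes GNU coreutils.

# 0 if PUB ($2) is the public half of KEY ($1), 1 if not, 2 if unreadable.
sa_pub_matches_key() {
    derived=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    stored=$(openssl pkey -pubin -in "$2" -pubout 2>/dev/null) || return 2
    [ "$derived" = "$stored" ]
}

# Sign a constructed message with KEY and verify it with PUB (RSA + SHA-256):
# the signer holds sa.key, the verifier only needs sa.pub.
sa_sign_verify_roundtrip() {
    tmp=$(mktemp -d) || return 2
    printf 'constructed-sample-payload' > "$tmp/msg"
    openssl dgst -sha256 -sign "$1" -out "$tmp/sig" "$tmp/msg" 2>/dev/null &&
        openssl dgst -sha256 -verify "$2" -signature "$tmp/sig" "$tmp/msg" >/dev/null 2>&1
    rc=$?
    rm -rf "$tmp"
    return "$rc"
}

# 0 if the private key file grants no permissions to group or others.
sa_key_is_private() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 2
    case $mode in *00|0) return 0 ;; *) return 1 ;; esac
}

# Usage: sh sa-check.sh KEY PUB. Without arguments, a throwaway pair is
# generated (constructed sample) with the same openssl commands as above.
if [ "$#" -eq 2 ]; then
    sa_key=$1; sa_pub=$2; demo_dir=
else
    demo_dir=$(mktemp -d)
    sa_key=$demo_dir/sa.key; sa_pub=$demo_dir/sa.pub
    openssl genpkey -algorithm RSA -out "$sa_key" -pkeyopt rsa_keygen_bits:2048 2>/dev/null
    openssl rsa -pubout -in "$sa_key" -out "$sa_pub" 2>/dev/null
fi
for check in sa_pub_matches_key sa_sign_verify_roundtrip sa_key_is_private; do
    if "$check" "$sa_key" "$sa_pub"; then echo "OK   $check"; else echo "FAIL $check"; fi
done
if [ -n "$demo_dir" ]; then rm -rf "$demo_dir"; fi
```

A FAIL on the first two checks means the public key on disk does not belong to the private key, so tokens signed with that sa.key would not verify against that sa.pub.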
Join: Connecting ServiceAccount signing key
● Required
Note
The join phase does not generate a key, but uses the key obtained through the CA download phase.
Make sure you have completed the step: