{"id":22588,"date":"2024-05-19T00:30:15","date_gmt":"2024-05-18T21:30:15","guid":{"rendered":"https:\/\/kifarunix.com\/?p=22588"},"modified":"2024-05-20T19:39:33","modified_gmt":"2024-05-20T16:39:33","slug":"kubernetes-user-management-creating-users-groups-and-service-accounts","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/kubernetes-user-management-creating-users-groups-and-service-accounts\/","title":{"rendered":"Kubernetes User Management: Creating Users, Groups and Service Accounts"},"content":{"rendered":"\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1070\" height=\"600\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2024\/05\/kubernetes-user-accounts.png?v=1716067659\" alt=\"Creating Users in Kubernetes\" class=\"wp-image-22614\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2024\/05\/kubernetes-user-accounts.png?v=1716067659 1070w, https:\/\/kifarunix.com\/wp-content\/uploads\/2024\/05\/kubernetes-user-accounts-768x431.png?v=1716067659 768w\" sizes=\"(max-width: 1070px) 100vw, 1070px\" \/><\/figure>\n\n\n\n<p>In this blog post, we will take you through Kubernetes user management: creating users, groups and service accounts. Kubernetes came with one mission, to revolutionize how containers are orchestrated. With all this power, there comes a greater responsibility! As a result, securing your Kubernetes cluster is essential, and user management plays a crucial role. 
This blog post delves into creating users, groups, and service accounts \u2013 the building blocks for secure access control within your cluster.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" 
id=\"understanding-kubernetes-user-management\">Understanding Kubernetes User Management<\/h2>\n\n\n\n<p>Every request made to an API server in a Kubernetes cluster has to be authenticated. Access to every resource in the cluster is controlled through Role-Based Access Control (RBAC), a framework which assigns users and services specific roles for their specific tasks.<\/p>\n\n\n\n<p>To read more on RBAC, you can check the guide below;<\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/introduction-to-role-based-access-control-rbac-in-kubernetes\/\" target=\"_blank\" rel=\"noreferrer noopener\">Introduction to Role-Based Access Control (RBAC) in Kubernetes<\/a><\/p>\n\n\n\n<p>User management involves creating identities that can be used to interact with the cluster. The identities include:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Users:<\/strong> Users are individual humans that can access the Kubernetes API server for tasks like managing the cluster.<\/li>\n\n\n\n<li><strong>Groups:<\/strong> Collections of users with similar roles or responsibilities. Groups simplify the assignment and control of roles in the cluster.<\/li>\n\n\n\n<li><strong>Service Accounts:<\/strong> Service accounts are non-human identities used by applications running within the cluster to access specific resources without requiring explicit user credentials.<\/li>\n<\/ul>\n\n\n\n<p>In RBAC, these identities are called subjects.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"creating-users-in-kubernetes\">Creating Users in Kubernetes<\/h3>\n\n\n\n<p><em>Kubernetes does not have objects which represent normal user accounts<\/em> and as such, unlike <strong>service accounts<\/strong>, they cannot be added to the cluster through an API call, but rather, need to be created by the cluster administrator who then shares the credentials with the real users.<\/p>\n\n\n\n<p>Kubernetes provides a command line tool, <strong>kubectl<\/strong>, that can be used to control the Kubernetes cluster manager. 
This command can be used in creating Kubernetes users.<\/p>\n\n\n\n<p>If you have a running Kubernetes cluster, then you should already have the <strong>kubectl<\/strong> command installed.<\/p>\n\n\n\n<p>You can check out our guides on <a href=\"https:\/\/kifarunix.com\/?s=setup+kubernetes+cluster\" target=\"_blank\" rel=\"noreferrer noopener\">how to set up a Kubernetes cluster<\/a> if you haven&#8217;t set it up already.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"kubernetes-authentication-strategies\">Kubernetes Authentication Strategies<\/h4>\n\n\n\n<p>There are different ways in which a Kubernetes subject can be authenticated. Some of the approaches include:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Client Certificates (X.509)<\/strong>: Users present their X.509 client certificates signed by the Kubernetes cluster&#8217;s certificate authority (CA) to prove their identity during authentication.<\/li>\n\n\n\n<li><strong>Token-Based Authentication<\/strong>: This involves integrating the Kubernetes cluster with an external authentication provider (Okta, for example) which provides tokens for users. The tokens are presented to the Kubernetes API server for validation.<\/li>\n\n\n\n<li><strong>OpenID Connect (OIDC)<\/strong>: Kubernetes can be integrated with OIDC providers like Google or GitHub for user authentication.<\/li>\n\n\n\n<li><strong>Service Account Tokens<\/strong>: Special tokens used by pods or applications running within the cluster to access resources without relying on user credentials directly. 
Service accounts are automatically created for each namespace and bound to specific RBAC roles, granting them the necessary permissions.<\/li>\n\n\n\n<li><strong>Webhook Authentication<\/strong>: This is an approach whereby the Kubernetes API server makes a call to an external web service to verify user identity.<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"create-x-509-client-certificates-for-normal-user-accounts\">Create X509 Client Certificates for Normal User Accounts<\/h4>\n\n\n\n<p>For simplicity&#8217;s sake, we will learn how to create a Kubernetes user account that uses X.509 certificates for authentication. This approach requires that the user&#8217;s certificates be signed by the Kubernetes cluster CA for authenticity purposes.<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p class=\"has-small-font-size\"><em>The use of X.509 certificates for authentication and access control in a Kubernetes cluster, while one of the most secure methods, is not as effective for production-level deployments.<\/em><\/p>\n\n\n\n<p class=\"has-small-font-size\"><em>Some of the drawbacks include:<\/em><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li class=\"has-small-font-size\"><em>Client certificates require managing private keys on user machines. This poses a security risk if a private key is compromised, granting unauthorized access to the cluster. Storing private keys directly in the kubeconfig file is particularly risky.<\/em><\/li>\n\n\n\n<li class=\"has-small-font-size\"><em>Manually rotating and distributing updated certificates to all users can be cumbersome and error-prone, potentially leading to security vulnerabilities.<\/em><\/li>\n\n\n\n<li class=\"has-small-font-size\"><em>As the number of users grows, managing individual certificates and access becomes complex. 
Adding, removing, or updating user certificates requires manual intervention.<\/em><\/li>\n\n\n\n<li class=\"has-small-font-size\"><em>The method doesn&#8217;t inherently provide a straightforward mechanism for managing groups of users.<\/em> <em>While you can include user group information when generating the certificate, managing and maintaining group membership directly within certificates can be cumbersome and less flexible compared to other authentication methods<\/em>.<\/li>\n<\/ul>\n<\/blockquote>\n\n\n\n<p>To create a Kubernetes user account that uses X.509 certificates to authenticate against the cluster, proceed as follows.<\/p>\n\n\n\n<p>Ideally, the user that needs access to the cluster resources via the API should generate a CSR and share it with the Kubernetes administrator, who then generates a signed certificate for the user. However, for demo purposes, we are generating certificates for the user as the K8S administrator.<\/p>\n\n\n\n<p>Log in to the control plane to generate the user&#8217;s private key. First, create a directory for user credentials;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">mkdir ~\/.kube\/users<\/pre>\n\n\n\n<p>We have opted to store the per-user certificate files in the above directory. You can choose any convenient location.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>mkdir ~\/.kube\/users\/alice<\/code><\/pre>\n\n\n\n<p>Next, using OpenSSL, generate the user&#8217;s private key;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>cd ~\/.kube\/users\/alice<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>openssl genrsa -out alice.key 2048<\/code><\/pre>\n\n\n\n<p>Next, generate the user&#8217;s Certificate Signing Request (CSR). 
<strong>Note<\/strong> that the Common Name (CN) will be treated as the username.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>openssl req -new -key alice.key -out alice.csr -subj \"\/CN=alice\"<\/code><\/pre>\n\n\n\n<p>When prompted for a passphrase, provide it and proceed.<\/p>\n\n\n\n<p>After that, use the CSR to generate the user&#8217;s certificate and sign it with the Kubernetes CA. Usually, the CA certificate and key are stored in the directory <strong>\/etc\/kubernetes\/pki\/<\/strong> on the Kubernetes master node.<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>sudo openssl x509 -req -in alice.csr \\\n\t-CA \/etc\/kubernetes\/pki\/ca.crt \\\n\t-CAkey \/etc\/kubernetes\/pki\/ca.key \\\n\t-CAcreateserial \\\n\t-out alice.crt \\\n\t-days 365\n<\/code><\/pre>\n\n\n\n<p>Sample output;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>Certificate request self-signature ok\nsubject=CN = alice, O = infra\n<\/code><\/pre>\n\n\n\n<p>Since the certificate was created with sudo, update its ownership;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo chown $USER: alice.crt<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"add-users-credentials-to-kubeconfig\">Add User&#8217;s Credentials to Kubeconfig<\/h4>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/what-is-kubeconfig-file-in-a-kubernetes-cluster\/\">What is Kubeconfig File in a Kubernetes Cluster?<\/a> The kubeconfig file is used to store Kubernetes user authentication information such as certificates and private keys. So, once you have the user certificate generated and signed by the cluster CA as shown above, you need to add the user&#8217;s credentials into the Kubeconfig file.<\/p>\n\n\n\n<p>To add the credentials into <strong>Kubeconfig<\/strong>, the command, <strong>kubectl config set-credentials<\/strong>, can be used. 
All you need is the username (to name the credential), user&#8217;s private key and certificate files.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>kubectl config set-credentials alice --client-certificate .\/alice.crt --client-key .\/alice.key<\/code><\/pre>\n\n\n\n<p>Sample output;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code><strong>User \"alice\" set.<\/strong><\/code><\/pre>\n\n\n\n<p>Read more on;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>kubectl config set-credentials --help<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"listing-users-in-kubernetes\">Listing Users in Kubernetes<\/h4>\n\n\n\n<p>You can check the available users using the <strong>kubectl config get-users<\/strong> command;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>kubectl config get-users<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>NAME\nalice\nkubernetes-admin\n<\/code><\/pre>\n\n\n\n<p>To get more details;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>kubectl config view<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>apiVersion: v1\nclusters:\n- cluster:\n    certificate-authority-data: DATA+OMITTED\n    server: https:\/\/192.168.122.60:6443\n  name: kubernetes\ncontexts:\n- context:\n    cluster: kubernetes\n    namespace: apps\n    user: kubernetes-admin\n  name: kubernetes-admin@kubernetes\ncurrent-context: kubernetes-admin@kubernetes\nkind: Config\npreferences: {}\nusers:\n- name: alice\n  user:\n    client-certificate: users\/alice\/alice.crt\n    client-key: users\/alice\/alice.key\n- name: kubernetes-admin\n  user:\n    client-certificate-data: DATA+OMITTED\n    client-key-data: DATA+OMITTED\n<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"set-a-context-for-kubernetes-user\">Set a Context for Kubernetes User<\/h4>\n\n\n\n<p>So, what exactly is a context in Kubernetes? 
A context refers to a combination of a <strong>cluster<\/strong>, a <strong>user<\/strong>, and a <strong>namespace<\/strong> that you want to interact with when executing <strong>kubectl<\/strong> commands.<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p class=\"has-small-font-size\"><em>In layman&#8217;s language, assume you are a delivery guy delivering goods to multiple neighborhoods in a city (clusters in Kubernetes). Before you set out for delivery, you need to know which houses specifically you are going to in those neighborhoods (namespaces in Kubernetes). This is setting out a context. In Kubernetes, this is like specifying a cluster and namespace to work on, as a specific user.<\/em><\/p>\n<\/blockquote>\n\n\n\n<p>You can set a context for a user in Kubernetes using <strong>kubectl config set-context<\/strong> command.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>kubectl config set-context &lt;name of the context&gt; --cluster=&lt;name of the cluster&gt; --user=&lt;username&gt; --namespace=&lt;namespace&gt;<\/code><\/pre>\n\n\n\n<p>You can create new clusters\/namespaces. 
However, for this specific example, I will use the default cluster and namespace to set the user&#8217;s context.<\/p>\n\n\n\n<p>To get available clusters;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>kubectl config get-clusters<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>NAME\nkubernetes\n<\/code><\/pre>\n\n\n\n<p>To get available namespaces;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>kubectl get namespaces<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>NAME              STATUS   AGE\napps              Active   34h\ncalico-system     Active   4d17h\ndefault           Active   4d18h\nkube-node-lease   Active   4d18h\nkube-public       Active   4d18h\nkube-system       Active   4d18h\ntigera-operator   Active   4d18h\n<\/code><\/pre>\n\n\n\n<p>Having the required details at hand, proceed to set the user&#8217;s context.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>kubectl config set-context alice --cluster=kubernetes --user=alice --namespace=default<\/code><\/pre>\n\n\n\n<p>If you omit the <strong>--namespace<\/strong> flag, the namespace will default to <strong>default<\/strong>.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"switch-to-kubernetes-users-context\">Switch to Kubernetes User&#8217;s Context<\/h4>\n\n\n\n<p>To switch to the user&#8217;s context, use the <strong>kubectl config use-context &lt;context&gt;<\/strong> command. 
For example, to switch to <strong>alice&#8217;s<\/strong> context created above;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>kubectl config use-context alice<\/code><\/pre>\n\n\n\n<p>Command Output;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Switched to context \"alice\".<\/code><\/pre>\n\n\n\n<p>Confirm;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>kubectl config get-contexts<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>CURRENT   NAME                          CLUSTER      AUTHINFO           NAMESPACE\n*         alice                         kubernetes   alice              default\n          kubernetes-admin@kubernetes   kubernetes   kubernetes-admin   default\n<\/code><\/pre>\n\n\n\n<p>The asterisk (*) next to a context indicates the current active context.<\/p>\n\n\n\n<p>You can also use the <strong>kubectl config view<\/strong> command to check the contexts.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"deleting-user-accounts\">Deleting User Accounts<\/h4>\n\n\n\n<p>To delete a user&#8217;s context or credentials from the kubeconfig file;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>kubectl config delete-context &lt;context-name&gt;<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>kubectl config delete-user &lt;user&gt;<\/code><\/pre>\n\n\n\n<p>In the next tutorial, we will cover user roles and <strong>rolebindings<\/strong> to enforce the principle of least privilege on users.<\/p>\n\n\n\n<p>In the meantime, use the command <strong>kubectl auth can-i --help<\/strong> to see how to check what a user is allowed to do on specific resources.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"creating-groups-in-kubernetes\">Creating Groups in Kubernetes<\/h3>\n\n\n\n<p>In Kubernetes, user groups are not directly created within the cluster itself. However, user groups can be simulated using Role-Based Access Control (RBAC) roles\/cluster roles and role\/cluster role bindings. 
We will explore this in our next guide.<\/p>\n\n\n\n<p>If you are using the X.509 certificate authentication strategy, however, you can define user groups while creating a user&#8217;s CSR, by specifying the respective group as a value of the Organization subject name component.<\/p>\n\n\n\n<p>For example, to create a user called <strong>bob<\/strong>, who is in the <strong>devs<\/strong> group, you can generate a CSR as follows;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>mkdir ~\/.kube\/users\/bob<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>openssl genrsa -out ~\/.kube\/users\/bob\/bob.key 2048<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>openssl req -new -key ~\/.kube\/users\/bob\/bob.key -out ~\/.kube\/users\/bob\/bob.csr -subj \"\/CN=bob\/O=devs\"<\/code><\/pre>\n\n\n\n<p>If the user should be a member of multiple groups, specify them as multiple organizations on the command line;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>openssl req -new -key ~\/.kube\/users\/bob\/bob.key -out ~\/.kube\/users\/bob\/bob.csr -subj \"\/CN=bob\/O=infra\/O=devs\"<\/code><\/pre>\n\n\n\n<p>Then sign the CSR and generate the user&#8217;s certificate.<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>sudo openssl x509 -req -in ~\/.kube\/users\/bob\/bob.csr \\\n\t-CA \/etc\/kubernetes\/pki\/ca.crt \\\n\t-CAkey \/etc\/kubernetes\/pki\/ca.key \\\n\t-CAcreateserial \\\n\t-out ~\/.kube\/users\/bob\/bob.crt \\\n\t-days 365\n<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo chown $USER: ~\/.kube\/users\/bob\/bob.crt<\/code><\/pre>\n\n\n\n<p>Then add the user&#8217;s credentials to Kubeconfig;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>kubectl config set-credentials bob --client-certificate ~\/.kube\/users\/bob\/bob.crt --client-key ~\/.kube\/users\/bob\/bob.key<\/code><\/pre>\n\n\n\n<p>You can then define user roles as per the group using 
RBAC.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"creating-service-accounts-in-kubernetes-cluster\">Creating Service Accounts in Kubernetes Cluster<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"create-service-accounts\">Create Service Accounts<\/h4>\n\n\n\n<p>You can use the <strong>kubectl create serviceaccount<\/strong> command to create service accounts in a Kubernetes cluster. By default, Kubernetes has a service account called <strong>default<\/strong>.<\/p>\n\n\n\n<p>For example, to create a service account called <strong>monitoring<\/strong>;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>kubectl create serviceaccount monitoring<\/code><\/pre>\n\n\n\n<p>Read more on;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>kubectl create serviceaccount --help<\/code><\/pre>\n\n\n\n<p>You can also create a service account using a manifest file. In the simplest form, create a YAML file;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>vim svc-monitoring.yml<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>apiVersion: v1\nkind: ServiceAccount\nmetadata:\n  name: monitoring\n<\/code><\/pre>\n\n\n\n<p>Then apply the manifest;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>kubectl apply -f svc-monitoring.yml<\/code><\/pre>\n\n\n\n<p>Or simply;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>kubectl apply -f - &lt;&lt;EOL\napiVersion: v1\nkind: ServiceAccount\nmetadata:\n  name: monitoring\nEOL\n<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"listing-service-accounts\">Listing Service Accounts<\/h4>\n\n\n\n<p>List service accounts using the command;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>kubectl get serviceaccounts<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"get-service-account-details\">Get Service Account Details<\/h4>\n\n\n\n<p>To retrieve more details about a service account;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>kubectl get serviceaccounts -o yaml &lt;account-name&gt;<\/code><\/pre>\n\n\n\n<p>For 
example;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>kubectl get serviceaccounts -o yaml monitoring<\/code><\/pre>\n\n\n\n<p>Or;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>kubectl describe serviceaccounts &lt;account-name&gt;<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"deleting-service-accounts\">Deleting Service Accounts<\/h4>\n\n\n\n<p>If you want to delete a service account, use the <strong><code>kubectl delete serviceaccounts<\/code><\/strong> command.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>kubectl delete serviceaccounts monitoring<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"assign-users-groups-and-service-account-roles\">Assign Users, Groups and Service Account Roles<\/h3>\n\n\n\n<p>In our next tutorial, we will delve further into assigning roles to Kubernetes users, user groups or even service accounts.<\/p>\n\n\n\n<p>Until then, that concludes our guide on how to create Users, Groups and Service Accounts in a Kubernetes cluster.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"further-reading\">Further Reading<\/h3>\n\n\n\n<p>Read more on the <a href=\"https:\/\/kubernetes.io\/docs\/reference\/access-authn-authz\/authentication\/\" target=\"_blank\" rel=\"noreferrer noopener\">Kubernetes authentication<\/a> page.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In this blog post, we will take you through Kubernetes user management: creating users, groups and service accounts. 
Kubernetes came with one mission, to revolutionize<\/p>\n","protected":false},"author":10,"featured_media":22614,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[1076,121,1668],"tags":[7500,7501,7499,7502],"class_list":["post-22588","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-containers","category-howtos","category-kubernetes","tag-create-groups-in-kubernetes","tag-create-service-accounts","tag-create-users-in-kubernetes","tag-creating-users-in-kubernetes","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50","resize-featured-image"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/22588"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/10"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=22588"}],"version-history":[{"count":28,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/22588\/revisions"}],"predecessor-version":[{"id":22632,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/22588\/revisions\/22632"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media\/22614"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=22588"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=22588"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=22588"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}