Kubernetes Service Account in detail | Service Account tutorial

  • Published on 14 Oct 2024

Comments • 60

  • @ThePrateekShrivastava 3 years ago +2

    Thank you for the wonderful explanation. I think grep didn't work because -v6 verbose is throwing to stderr. 2>&1 is needed.

    • @viveksinghggits 3 years ago

      Hey,
      Thank you Prateek, would it be possible for you to drop the timestamp you are talking about? It would be easier for me to look at that. Otherwise I will have to watch the entire video again.
      Thanks for the kind words 🙏.

    • @ThePrateekShrivastava 3 years ago +1

      @viveksinghggits It's at 26.46. Although it's a minor note for anyone else who is trying to follow your videos along, not worth your time.

    • @viveksinghggits 3 years ago

      Hey Prateek,
      So the reason we didn't find that as the output of the grep command is because we don't even get that path in the output but we get something else logged.
      I had already mentioned this in the description of the video.
      I am going to pin this anyway for someone else who is interested.

    • @ThePrateekShrivastava 3 years ago +1

      You are right, the search string was not present (in this case), but with verbose6 even when the string is present, grep won't work as verbose is thrown over stderr. This leaves my original comment irrelevant to the topic. Thanks again.

    • @viveksinghggits 3 years ago

      Thanks Prateek. 😊

  • @farukabdullah2607 3 years ago +1

    Not found such an awesome video on YouTube about Kubernetes service account ... I love your explanation ... Please make a video about ingress controller

    • @viveksinghggits 3 years ago +1

      Hey 👋 Faruk,
      Thank you so much for the appreciation.
      I already have a video on ingresses. If you search on my channel you would be able to find that.
      Let me know if you are not able to.

  • @AkshayGupta-dd4ht 6 months ago

    best video for service account explanation 💪💪

  • @anuyajoshi4360 3 years ago +1

    Thank you Vivek for sharing your insight with us. It is useful to all the developers who are looking for an improvement in SA understanding.

    • @viveksinghggits 3 years ago +1

      Hey 👋 Anuya,
      Thank you, I am glad it was helpful.

  • @Zeid_Al-Seryani 3 years ago +1

    Highly appreciate your time and efforts, I was just looking for the mechanism you explained in the beginning of the video.
    keep up the good work, Blesses

  • @sankardev8413 3 years ago +1

    Crystal clear explanation. Thank you so much

  • @vignesh7609 2 years ago +1

    Great one bro. Thanks for the explanation.

  • @gairika7503 2 years ago +1

    Such a great video! It's so informative and provides a deep understanding about SA. Great job!

    • @viveksinghggits 2 years ago

      Hey Gairik,
      Thank you so much, I appreciate it.

  • @harry3593 3 years ago +1

    Change your keyboard, it's very frustrating. Your voice is slow but the keyboard noise is too high. Your knowledge is next level, I admire it. Please change keyboard

    • @viveksinghggits 3 years ago

      I am sorry about that Harry, I actually got used to these mechanical keyboards but I would for sure consider other less noisy switches, for sure.

    • @harry3593 3 years ago

      @viveksinghggits Thanks ❤ a lot. You are going to consider it again, thank you.

  • @hrishikeshmishra3762 3 years ago +1

    Hi Vivek! You explain the topics in a very good way. Your videos help me a lot. Thank you. Please make a video on metric-server and how we can get the data of usage of a Kubernetes cluster.

    • @viveksinghggits 3 years ago +1

      Hey 👋 Hrishikesh,
      Thanks for the kind words, I really appreciate it.
      I will try to create a video on metrics server, but what do you mean by data usage of a Kubernetes cluster?

    • @hrishikeshmishra3762 3 years ago

      @viveksinghggits So I am working on integration of Kubernetes and Zabbix, and I am successfully able to access the data from the api-server, but not the whole data. I have to monitor CPU and memory usage by pods and nodes, these kinds of data. So for that I am using the metric-server API endpoint to get the data from it, but there is some authentication error while hitting that endpoint. So this 10.136.57.225:6443/apis/metrics.k8s.io/v1beta1/namespaces/default/pods/ is the endpoint I want to access. Please help me out

    • @viveksinghggits 3 years ago

      Hey Hrishi,
      Sorry for the late reply, but I think this question is very specific to the way you have set up your metrics server and the other components that you are using. That is the reason I don't have an answer to your question, but I would ask you to maybe check the way the metrics server is being exposed to the outside: do you have any authentication mechanism set up there?
      Or your cluster is behind the corporate proxy and because of that you are not able to access it.

  • @dheerajpall 3 years ago

    Very useful video, I have recommended this video to my colleagues as well

  • @ashishnitj 2 years ago +1

    Dear Vivek
    Nice explanation, but I have a query to understand this topic properly. When the service account was mounted to the pod and the curl command was hit, it means someone intercepted that request and inserted the Authorization header for the SA token.
    Who is that someone?
    Will the authorization header be added in every kind of request going out of the pod, i.e. REST, gRPC etc.?
    I am unable to find any detail on the internet about how the SA token is inserted in the auth header. If for some call/reason I don't want to include the service account, then how can that be achieved?

    • @viveksinghggits 2 years ago

      Hi Ashish,
      When you said "curl command was hit", what exactly do you mean? Did I use curl from inside a pod, in the video? If yes, can you please point me to the timestamp? I would be more than happy to help you.

    • @ashishnitj 2 years ago +1

      @viveksinghggits
      Please pardon me if I am asking a nonsense question, I am still learning Kubernetes.
      Scenario 1) At 16:18 you executed the curl request without mounting the service account to the pod and without the authorization header, and you got a forbidden response. I understood this.
      Scenario 2) At 17:37, you executed the same curl request with the authorization header equal to the token value, and it responded successfully. I understood this too.
      Scenario 3) Now when we have a correct service account in the pod and we hit the same curl (without authorization header) from inside the pod, it will pass. Let me know if I am thinking wrong.
      If this last scenario is correct, does it mean that Kubernetes on the pod's node will intercept the request generated from inside the pod and add the authorization header to the request before sending it to the Kubernetes API server?
      If yes, does this happen only for requests to the API server from the pod, or for any request generated from the pod to an outside-world URL?
      Hope I haven't confused you.

    • @viveksinghggits 2 years ago +1

      Hey,
      No, you didn't confuse me and the question is not nonsense.
      The third scenario that you have specified, where we try to curl the API server from inside the pod, is not going to work. The curl command is going to fail with authorization issues. I don't remember if I tried it, but I am pretty sure that the curl command is going to fail from inside the pod.
      The kubectl command however is going to pass because it's programmed to look for the service account to authenticate itself against the k8s cluster. Don't hesitate to continue this if you have follow-ups.

    • @ashishnitj 2 years ago +1

      @viveksinghggits Does this service account logic work only for requests to the K8s API server, or can we have an SA for some external 3rd party APIs?

    • @viveksinghggits 2 years ago

      It would work just for k8s api server.
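
What "programmed to look for service account" amounts to, as an added example that is not part of the video or of any comment above: nothing intercepts the pod's traffic; the client reads the mounted token and sets the Authorization header itself. The function names are hypothetical; the mount path, the three file names and the KUBERNETES_SERVICE_HOST/PORT variables are the standard in-pod ones.

```shell
#!/bin/sh
# Added example: an in-cluster client builds its own credentials.
# SA_DIR is the directory Kubernetes mounts into a pod with a service account.
SA_DIR=${SA_DIR:-/var/run/secrets/kubernetes.io/serviceaccount}

# Print the Authorization header built from the mounted token.
# Fails when no token is mounted, e.g. automountServiceAccountToken: false.
sa_auth_header() {
    [ -r "$SA_DIR/token" ] || { echo "no token in $SA_DIR" >&2; return 1; }
    printf 'Authorization: Bearer %s' "$(cat "$SA_DIR/token")"
}

# Print the API server URL for listing pods in the pod's own namespace.
# KUBERNETES_SERVICE_HOST/PORT are injected by Kubernetes into every pod.
sa_pods_url() {
    ns=$(cat "$SA_DIR/namespace") || return 1
    printf 'https://%s:%s/api/v1/namespaces/%s/pods' \
        "${KUBERNETES_SERVICE_HOST:-kubernetes.default.svc}" \
        "${KUBERNETES_SERVICE_PORT:-443}" "$ns"
}

# Authenticated request: what kubectl or a client library does in-cluster.
# Note: the token is passed in curl's argv here, which is fine for a demo only.
sa_list_pods() {
    header=$(sa_auth_header) || return 1
    url=$(sa_pods_url) || return 1
    curl --silent --show-error --cacert "$SA_DIR/ca.crt" -H "$header" "$url"
}

# Same request with no header: nothing adds one, so the API server
# sees an unauthenticated caller.
anon_list_pods() {
    url=$(sa_pods_url) || return 1
    curl --silent --show-error --cacert "$SA_DIR/ca.crt" "$url"
}
```

Sourced in a pod shell, `sa_list_pods` succeeds only if RBAC grants the service account `list` on pods, while `anon_list_pods` reproduces the rejected request from scenario 1.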

  • @MavericKKumar 7 months ago

    Nice video Vivek..!

  • @Amarjeet-fb3lk 3 years ago

    Hi,
    I want to know, how we can use custom SA, in a POD, using which we can access other services.
    You have explained very well how to create custom SA, but how we can apply allow and deny policy and use it within pods?

    • @viveksinghggits 3 years ago

      Hi Amarjeet,
      We can specify custom service account using the pod field .spec.serviceAccountName (I can confirm this once I am back to work). You will have to check how does this apply to the multiple containers of the pod.

  • @venkatsai1250 2 years ago

    Hi Vivek... nice k8s videos. If I create a custom SA then how can I link it to a particular pod... is it through labels and selectors?

    • @viveksinghggits 2 years ago +1

      Not through labels and selectors, but you will have to specify the serviceAccountName in the pod or deployment spec.

    • @venkatsai1250 2 years ago

      Oh that's cool. If possible can you provide a sample YAML file or links?
      Like this, right?
      apiVersion: v1
      kind: Pod
      metadata:
        name: my-pod
      spec:
        serviceAccountName: build-robot
        automountServiceAccountToken: false

    • @venkatsai1250 2 years ago

      Thanks Vivek, your videos are helpful
      I'm learning too😀... please continue this good work🔥

  • @AnandKumar-dc2bf 3 years ago +1

    Excellent videos bro...

  • @soumilkhandelwal4388 2 years ago

    Again, Great Job Vivek, Highly appreciate it. Also as I am following through your playlist on k8s, I think there is a need to have a video on workload Identity as well, as it is a great concept and confuses a lot of people.

    • @viveksinghggits 2 years ago

      Thank you Soumil.
      Let's see if I can make a video about workload identity in future.
      Also, I am assuming you are talking about workload identity on managed k8s clusters.

    • @soumilkhandelwal4388 2 years ago

      @viveksinghggits Sounds good!! Yes. Also if you are aware of how to access other cloud services from the pods running in K8s apart from WI, please let us know.

  • @TheNishi42 2 years ago +1

    Can a default service account access other namespaces as well?

    • @viveksinghggits 2 years ago +1

      Service accounts don't usually access namespaces. If your question is, can Service accounts be accessed/used in different namespaces than they are in; the answer is NO.
      We can access the service accounts from the same namespace they are present in.

    • @viveksinghggits 2 years ago +1

      This is the case when we try to mount the service account in a pod. But in case of role binding, we can reference a service account from another namespace.

    • @TheNishi42 2 years ago

      @viveksinghggits If the service account is in the default namespace, then also no?

    • @viveksinghggits 2 years ago

      Right, the things that I said are true irrespective of the namespace of service account.

    • @TheNishi42 2 years ago +1

      @viveksinghggits Thank you so much for the clarification :-)

  • @shamstabrez2986 2 years ago

    I didn't understand what you said at the start about normal users. For client to API server there is the service account, but what you have said about the admin normal users I didn't get, please elaborate

    • @viveksinghggits 2 years ago

      Can you please point me to the timestamp that you are talking about?

  • @rajasekharp876 3 years ago

    🙏🙏🙏