Difference between revisions of "Kubernetes service account"
Jump to navigation
Jump to search
↑ https://kubernetes.io/blog/2024/08/13/kubernetes-v1-31-release/#bound-service-account-token-improvements
(→News) |
|||
(44 intermediate revisions by 6 users not shown) | |||
Line 1: | Line 1: | ||
− | https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ | + | * https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/ |
− | * [[ | + | * https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ |
+ | * https://kubernetes.io/docs/reference/access-authn-authz/rbac/ | ||
+ | [[system:serviceaccount:]] (singular) is the prefix for service account usernames. | ||
+ | [[system:serviceaccounts:]] (plural) is the prefix for service account groups. | ||
+ | |||
+ | * <code>[[kind: ServiceAccount]]</code> | ||
+ | * <code>[[kubernetes.io/service-account-token]]</code> | ||
+ | * <code>[[My-first-chart/templates/serviceaccount.yaml]]</code> | ||
+ | == Commands == | ||
+ | * <code>[[kubectl get serviceaccounts]], [[kubectl get sa]]</code> | ||
+ | ** <code>[[kubectl get sa -n kube-system]]</code> | ||
+ | * <code>[[kubectl create serviceaccount]], [[kubectl create sa]]</code> | ||
+ | * <code>[[kubectl describe sa]]</code> | ||
− | |||
− | + | [[Helm v2]] (deprecated) | |
+ | * <code>[[helm init]] --stable-repo-url=https://charts.helm.sh/stable --service-account [[tiller]] --tiller-image ghcr.io/helm/tiller:v2.16.1</code> | ||
− | + | == Errors == | |
+ | * <code>Error creating: pods "your_pod" [[is forbidden]]: [[error looking up service account]] default/your_service_account: serviceaccount "your_service_account" [[not found]]</code> | ||
+ | * {{impersonator}} | ||
+ | == Changelog == | ||
+ | * Conflicting issuers between [[JWT authenticators]] and service account config are now detected and fail on API server startup. | ||
− | [[ | + | == News == |
− | + | * [[v1.31]] Bound [[Kubernetes service account|service account]] token improvement (<code>[[ServiceAccountTokenNodeBinding]]</code>)<ref>https://kubernetes.io/blog/2024/08/13/kubernetes-v1-31-release/#bound-service-account-token-improvements</ref> | |
== Related == | == Related == | ||
+ | * [[Terraform Kubernetes resource: kubernetes_service_account]] | ||
* [[Google Cloud Service account]] | * [[Google Cloud Service account]] | ||
* [[Helm]]: <code>[[My-first-chart/templates/serviceaccount.yaml]]</code> | * [[Helm]]: <code>[[My-first-chart/templates/serviceaccount.yaml]]</code> | ||
− | * <code>[[kubectl | + | * [[Kubernetes roles]] |
+ | * [[Token]]: <code>[[aws eks get-token]]</code> | ||
+ | * [[Kubernetes controller manager]] | ||
+ | * <code>[[BoundServiceAccountTokenVolume]]</code> | ||
+ | * [[ServiceAccount admission controller]]: <code>[[/var/run/secrets/kubernetes.io/serviceaccount]]</code> | ||
+ | * <code>[[default]]</code> | ||
+ | * <code>[[kubectl describe clusterrolebindings]]</code> | ||
+ | * [[Kubernetes users]], [[Kubernetes groups]] | ||
+ | |||
+ | == Activities == | ||
+ | * Read AWS documentation: https://docs.aws.amazon.com/eks/latest/userguide/service-accounts.html | ||
+ | * [[Configuring Pods to use a Kubernetes service account]] | ||
== See also == | == See also == | ||
Line 22: | Line 50: | ||
* {{Kubernetes Authentication}} | * {{Kubernetes Authentication}} | ||
* {{Kubernetes RBAC}} | * {{Kubernetes RBAC}} | ||
+ | * {{Kubernetes users}} | ||
[[Category:K8s]] | [[Category:K8s]] |
Latest revision as of 14:55, 12 September 2024
- https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/
- https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
- https://kubernetes.io/docs/reference/access-authn-authz/rbac/
system:serviceaccount: (singular) is the prefix for service account usernames. system:serviceaccounts: (plural) is the prefix for service account groups.
kind: ServiceAccount
kubernetes.io/service-account-token
My-first-chart/templates/serviceaccount.yaml
Commands[edit]
kubectl get serviceaccounts, kubectl get sa
kubectl create serviceaccount, kubectl create sa
kubectl describe sa
Helm v2 (deprecated)
helm init --stable-repo-url=https://charts.helm.sh/stable --service-account tiller --tiller-image ghcr.io/helm/tiller:v2.16.1
Errors[edit]
Error creating: pods "your_pod" is forbidden: error looking up service account default/your_service_account: serviceaccount "your_service_account" not found
- Error from server (InternalError): an error on the server ("unable to create impersonator account: error getting service account token: service account is not ready") has prevented the request from succeeding
Changelog[edit]
- Conflicting issuers between JWT authenticators and service account config are now detected and fail on API server startup.
News[edit]
- v1.31 Bound service account token improvement (
ServiceAccountTokenNodeBinding
)[1]
Related[edit]
- Terraform Kubernetes resource: kubernetes_service_account
- Google Cloud Service account
- Helm:
My-first-chart/templates/serviceaccount.yaml
- Kubernetes roles
- Token:
aws eks get-token
- Kubernetes controller manager
BoundServiceAccountTokenVolume
- ServiceAccount admission controller:
/var/run/secrets/kubernetes.io/serviceaccount
default
kubectl describe clusterrolebindings
- Kubernetes users, Kubernetes groups
Activities[edit]
- Read AWS documentation: https://docs.aws.amazon.com/eks/latest/userguide/service-accounts.html
- Configuring Pods to use a Kubernetes service account
See also[edit]
- Kubernetes service account, ServiceAccount:,
kubectl get serviceaccounts, kubectl create serviceaccount, kubectl describe serviceaccount
,kubernetes.io/service-account-token
, Kubernetes users, Kubernetes groups, Kubernetes roles,ServiceAccountTokenNodeBinding
- Kubernetes Authentication,
kubectl create serviceaccount, kubectl get serviceaccounts, CertificateSigningRequest, aws-auth
, bearer tokens, EKS Authentication - Kubernetes RBAC
kubectl auth, kubectl auth can-i, kubectl auth reconcile
kubectl create [ role | clusterrole | clusterrolebinding
|rolebinding | serviceaccount ], groups:
, Kubernetes RBAC good practices,kube2iam
, K8s Cluster roles,rbac.authorization.k8s.io
,system:
- Kubernetes users, Kubernetes groups, Kubernetes roles, Kubernetes service accounts
Advertising: