Difference between revisions of "Kubernetes service account"
Jump to navigation
Jump to search
(→Errors) |
|||
| (6 intermediate revisions by the same user not shown) | |||
| Line 11: | Line 11: | ||
== Commands == | == Commands == | ||
* <code>[[kubectl get serviceaccounts]], [[kubectl get sa]]</code> | * <code>[[kubectl get serviceaccounts]], [[kubectl get sa]]</code> | ||
| + | ** <code>[[kubectl get sa -n kube-system]]</code> | ||
* <code>[[kubectl create serviceaccount]], [[kubectl create sa]]</code> | * <code>[[kubectl create serviceaccount]], [[kubectl create sa]]</code> | ||
* <code>[[kubectl describe sa]]</code> | * <code>[[kubectl describe sa]]</code> | ||
| Line 17: | Line 18: | ||
[[Helm v2]] (deprecated) | [[Helm v2]] (deprecated) | ||
* <code>[[helm init]] --stable-repo-url=https://charts.helm.sh/stable --service-account [[tiller]] --tiller-image ghcr.io/helm/tiller:v2.16.1</code> | * <code>[[helm init]] --stable-repo-url=https://charts.helm.sh/stable --service-account [[tiller]] --tiller-image ghcr.io/helm/tiller:v2.16.1</code> | ||
| − | |||
== Errors == | == Errors == | ||
* <code>Error creating: pods "your_pod" [[is forbidden]]: [[error looking up service account]] default/your_service_account: serviceaccount "your_service_account" [[not found]]</code> | * <code>Error creating: pods "your_pod" [[is forbidden]]: [[error looking up service account]] default/your_service_account: serviceaccount "your_service_account" [[not found]]</code> | ||
* {{impersonator}} | * {{impersonator}} | ||
| + | |||
| + | == Changelog == | ||
| + | * Conflicting issuers between [[JWT authenticators]] and service account config are now detected and fail on API server startup. | ||
== Related == | == Related == | ||
| Line 33: | Line 36: | ||
* <code>[[system:]]</code> | * <code>[[system:]]</code> | ||
* [[ServiceAccount admission controller]]: <code>[[/var/run/secrets/kubernetes.io/serviceaccount]]</code> | * [[ServiceAccount admission controller]]: <code>[[/var/run/secrets/kubernetes.io/serviceaccount]]</code> | ||
| − | * [[default]] | + | * <code>[[default]]</code> |
| + | * [[kubectl describe clusterrolebindings]] | ||
| + | * [[Kubernetes users]], [[Kubernetes groups]] | ||
== Activities == | == Activities == | ||
| Line 43: | Line 48: | ||
* {{Kubernetes Authentication}} | * {{Kubernetes Authentication}} | ||
* {{Kubernetes RBAC}} | * {{Kubernetes RBAC}} | ||
| + | * {{Kubernetes users}} | ||
[[Category:K8s]] | [[Category:K8s]] | ||
Latest revision as of 14:01, 4 April 2024
- https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/
- https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
- https://kubernetes.io/docs/reference/access-authn-authz/rbac/
system:serviceaccount: (singular) is the prefix for service account usernames. system:serviceaccounts: (plural) is the prefix for service account groups.
kind: ServiceAccountkubernetes.io/service-account-tokenMy-first-chart/templates/serviceaccount.yaml
Commands[edit]
kubectl get serviceaccounts, kubectl get sakubectl create serviceaccount, kubectl create sakubectl describe sa
Helm v2 (deprecated)
helm init --stable-repo-url=https://charts.helm.sh/stable --service-account tiller --tiller-image ghcr.io/helm/tiller:v2.16.1
Errors[edit]
Error creating: pods "your_pod" is forbidden: error looking up service account default/your_service_account: serviceaccount "your_service_account" not found- Error from server (InternalError): an error on the server ("unable to create impersonator account: error getting service account token: service account is not ready") has prevented the request from succeeding
Changelog[edit]
- Conflicting issuers between JWT authenticators and service account config are now detected and fail on API server startup.
Related[edit]
- Terraform Kubernetes resource: kubernetes_service_account
- Google Cloud Service account
- Helm:
My-first-chart/templates/serviceaccount.yaml - Kubernetes roles
- Token:
aws eks get-token - Serviceaccounts controller
- BoundServiceAccountTokenVolume
system:- ServiceAccount admission controller:
/var/run/secrets/kubernetes.io/serviceaccount default- kubectl describe clusterrolebindings
- Kubernetes users, Kubernetes groups
Activities[edit]
- Read AWS documentation: https://docs.aws.amazon.com/eks/latest/userguide/service-accounts.html
- Configuring Pods to use a Kubernetes service account
See also[edit]
- Kubernetes service account, ServiceAccount:,
kubectl get serviceaccounts, kubectl create serviceaccount, kubectl describe serviceaccount,kubernetes.io/service-account-token, Kubernetes users, Kubernetes groups, Kubernetes roles - Kubernetes Authentication,
kubectl create serviceaccount, kubectl get serviceaccounts, CertificateSigningRequest, aws-auth, bearer tokens, EKS Authentication - Kubernetes RBAC
kubectl auth, kubectl auth can-i, kubectl auth reconcilekubectl create [ role | clusterrole | clusterrolebinding|rolebinding | serviceaccount ], groups:, Kubernetes RBAC good practices,kube2iam, K8s Cluster roles,rbac.authorization.k8s.io,system: - Kubernetes users, Kubernetes groups, Kubernetes roles, Kubernetes service accounts
Advertising:
