Difference between revisions of "Kubernetes service account"
[1] https://kubernetes.io/blog/2024/08/13/kubernetes-v1-31-release/#bound-service-account-token-improvements
(→News) |
|||
(14 intermediate revisions by the same user not shown) | |||
Line 11: | Line 11: | ||
== Commands == | == Commands == | ||
* <code>[[kubectl get serviceaccounts]], [[kubectl get sa]]</code> | * <code>[[kubectl get serviceaccounts]], [[kubectl get sa]]</code> | ||
+ | ** <code>[[kubectl get sa -n kube-system]]</code> | ||
* <code>[[kubectl create serviceaccount]], [[kubectl create sa]]</code> | * <code>[[kubectl create serviceaccount]], [[kubectl create sa]]</code> | ||
* <code>[[kubectl describe sa]]</code> | * <code>[[kubectl describe sa]]</code> | ||
Line 17: | Line 18: | ||
[[Helm v2]] (deprecated) | [[Helm v2]] (deprecated) | ||
* <code>[[helm init]] --stable-repo-url=https://charts.helm.sh/stable --service-account [[tiller]] --tiller-image ghcr.io/helm/tiller:v2.16.1</code> | * <code>[[helm init]] --stable-repo-url=https://charts.helm.sh/stable --service-account [[tiller]] --tiller-image ghcr.io/helm/tiller:v2.16.1</code> | ||
− | |||
== Errors == | == Errors == | ||
* <code>Error creating: pods "your_pod" [[is forbidden]]: [[error looking up service account]] default/your_service_account: serviceaccount "your_service_account" [[not found]]</code> | * <code>Error creating: pods "your_pod" [[is forbidden]]: [[error looking up service account]] default/your_service_account: serviceaccount "your_service_account" [[not found]]</code> | ||
* {{impersonator}} | * {{impersonator}} | ||
+ | |||
+ | == Changelog == | ||
+ | * Conflicting issuers between [[JWT authenticators]] and service account config are now detected and fail on API server startup. | ||
+ | |||
+ | == News == | ||
+ | * [[v1.31]] Bound [[Kubernetes service account|service account]] token improvement (<code>[[ServiceAccountTokenNodeBinding]]</code>)<ref>https://kubernetes.io/blog/2024/08/13/kubernetes-v1-31-release/#bound-service-account-token-improvements</ref> | ||
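Review bot: the new Changelog item (`Conflicting issuers between [[JWT authenticators]] and service account config are now detected and fail on API server startup.`) names no Kubernetes version and carries no reference, while the News item added in the same hunk ties its change to [[v1.31]] with a <ref>; add the release in which the startup check landed and a source, otherwise a reader cannot tell whether their API server enforces it. Minor style point: the blank line before `== Errors ==` is removed here while the other headings in this hunk (`== Changelog ==`, `== News ==`) keep one.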
== Related == | == Related == | ||
Line 29: | Line 35: | ||
* [[Kubernetes roles]] | * [[Kubernetes roles]] | ||
* [[Token]]: <code>[[aws eks get-token]]</code> | * [[Token]]: <code>[[aws eks get-token]]</code> | ||
− | * [[ | + | * [[Kubernetes controller manager]] |
− | + | * <code>[[BoundServiceAccountTokenVolume]]</code> | |
− | * <code>[[ | ||
* [[ServiceAccount admission controller]]: <code>[[/var/run/secrets/kubernetes.io/serviceaccount]]</code> | * [[ServiceAccount admission controller]]: <code>[[/var/run/secrets/kubernetes.io/serviceaccount]]</code> | ||
+ | * <code>[[default]]</code> | ||
+ | * <code>[[kubectl describe clusterrolebindings]]</code> | ||
+ | * [[Kubernetes users]], [[Kubernetes groups]] | ||
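Review bot: `* <code>[[default]]</code>` is added as a bare link with no label; on a service-account page "default" can be read as the namespace (the error above says `default/your_service_account`) or as the service account itself. Say which is meant, e.g. `* <code>[[default]]</code> service account`, in the same way the neighbouring `[[ServiceAccount admission controller]]: <code>[[/var/run/secrets/kubernetes.io/serviceaccount]]</code>` item explains its link.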
== Activities == | == Activities == | ||
Line 42: | Line 50: | ||
* {{Kubernetes Authentication}} | * {{Kubernetes Authentication}} | ||
* {{Kubernetes RBAC}} | * {{Kubernetes RBAC}} | ||
+ | * {{Kubernetes users}} | ||
[[Category:K8s]] | [[Category:K8s]] |
Latest revision as of 14:55, 12 September 2024
- https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/
- https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
- https://kubernetes.io/docs/reference/access-authn-authz/rbac/
system:serviceaccount: (singular) is the prefix for service account usernames. system:serviceaccounts: (plural) is the prefix for service account groups.
- kind: ServiceAccount
- kubernetes.io/service-account-token
- My-first-chart/templates/serviceaccount.yaml
Commands
- kubectl get serviceaccounts, kubectl get sa
  - kubectl get sa -n kube-system
- kubectl create serviceaccount, kubectl create sa
- kubectl describe sa

Helm v2 (deprecated)
- helm init --stable-repo-url=https://charts.helm.sh/stable --service-account tiller --tiller-image ghcr.io/helm/tiller:v2.16.1
Errors
- Error creating: pods "your_pod" is forbidden: error looking up service account default/your_service_account: serviceaccount "your_service_account" not found
- Error from server (InternalError): an error on the server ("unable to create impersonator account: error getting service account token: service account is not ready") has prevented the request from succeeding
Changelog
- Conflicting issuers between JWT authenticators and service account config are now detected and fail on API server startup.
News
- v1.31 Bound service account token improvement (ServiceAccountTokenNodeBinding)[1]
Related
- Terraform Kubernetes resource: kubernetes_service_account
- Google Cloud Service account
- Helm: My-first-chart/templates/serviceaccount.yaml
- Kubernetes roles
- Token: aws eks get-token
- Kubernetes controller manager
- BoundServiceAccountTokenVolume
- ServiceAccount admission controller: /var/run/secrets/kubernetes.io/serviceaccount
- default
- kubectl describe clusterrolebindings
- Kubernetes users, Kubernetes groups
Activities
- Read AWS documentation: https://docs.aws.amazon.com/eks/latest/userguide/service-accounts.html
- Configuring Pods to use a Kubernetes service account
See also
- Kubernetes service account, ServiceAccount:, kubectl get serviceaccounts, kubectl create serviceaccount, kubectl describe serviceaccount, kubernetes.io/service-account-token, Kubernetes users, Kubernetes groups, Kubernetes roles, ServiceAccountTokenNodeBinding
- Kubernetes Authentication, kubectl create serviceaccount, kubectl get serviceaccounts, CertificateSigningRequest, aws-auth, bearer tokens, EKS Authentication
- Kubernetes RBAC, kubectl auth, kubectl auth can-i, kubectl auth reconcile, kubectl create [ role | clusterrole | clusterrolebinding | rolebinding | serviceaccount ], groups:, Kubernetes RBAC good practices, kube2iam, K8s Cluster roles, rbac.authorization.k8s.io, system:
- Kubernetes users, Kubernetes groups, Kubernetes roles, Kubernetes service accounts