Kubernetes service account
- https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/
- https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
- https://kubernetes.io/docs/reference/access-authn-authz/rbac/
system:serviceaccount: (singular) is the prefix for service account usernames. system:serviceaccounts: (plural) is the prefix for service account groups.
Commands
kubectl get serviceaccounts, kubectl get sa
kubectl create serviceaccount, kubectl create sa
kubectl describe sa
Helm v2 (deprecated)
helm init --stable-repo-url=https://charts.helm.sh/stable --service-account tiller --tiller-image ghcr.io/helm/tiller:v2.16.1
Errors
- Error creating: pods "your_pod" is forbidden: error looking up service account default/your_service_account: serviceaccount "your_service_account" not found
- Error from server (InternalError): an error on the server ("unable to create impersonator account: error getting service account token: service account is not ready") has prevented the request from succeeding
Changelog
- Conflicting issuers between JWT authenticators and service account config are now detected and fail on API server startup.
News
- v1.31 Bound service account token improvement (ServiceAccountTokenNodeBinding)[1]
Related
- Terraform Kubernetes resource: kubernetes_service_account
- Google Cloud Service account
- Helm: My-first-chart/templates/serviceaccount.yaml
- Kubernetes roles
- Token: aws eks get-token
- Kubernetes controller manager
BoundServiceAccountTokenVolume
- ServiceAccount admission controller: /var/run/secrets/kubernetes.io/serviceaccount
default
kubectl describe clusterrolebindings
- Kubernetes users, Kubernetes groups
Activities
See also
- Kubernetes service account, ServiceAccount:, kubectl get serviceaccounts, kubectl create serviceaccount, kubectl describe serviceaccount, kubernetes.io/service-account-token, Kubernetes users, Kubernetes groups, Kubernetes roles, ServiceAccountTokenNodeBinding
- Kubernetes Authentication, kubectl create serviceaccount, kubectl get serviceaccounts, CertificateSigningRequest, aws-auth, bearer tokens, EKS Authentication
- Kubernetes RBAC, kubectl auth, kubectl auth can-i, kubectl auth reconcile, kubectl create [ role | clusterrole | clusterrolebinding | rolebinding | serviceaccount ], groups:, Kubernetes RBAC good practices, kube2iam, K8s Cluster roles, rbac.authorization.k8s.io, system:
- Kubernetes users, Kubernetes groups, Kubernetes roles, Kubernetes service accounts
↑ https://kubernetes.io/blog/2024/08/13/kubernetes-v1-31-release/#bound-service-account-token-improvements