
How can I create a service account for all namespaces in a Kubernetes cluster?

So I have namespaces

ns1, ns2, ns3, and ns4.

I have a service account sa1 in ns1. I am deploying pods to ns2 and ns4 that use sa1. When I look at the logs, it tells me that sa1 in ns2 can't be found.

error:

Error creating: pods "web-test-2-795f5fd489-" is forbidden: error looking up service account ns2/sa: serviceaccount "sa" not found

Is there a way to make service accounts cluster-wide? Or can I create multiple service accounts with the same secret in different namespaces?

No, there is no way to create a cluster-wide service account, as a service account is a namespace-scoped resource. This follows the principle of least privilege.

You can create a service account with the same name (for example default) in all the necessary namespaces where you are deploying pods pretty easily, by applying the service account YAML targeting those namespaces.

Then you can deploy the pod using YAML. This way you don't need to change anything in the pod, because the service account name is the same; although it will have a different secret, that should not matter as long as you have defined RBAC via Role and RoleBinding for all the service accounts across those namespaces.

While service accounts cannot be cluster-scoped, you can have ClusterRole and ClusterRoleBinding, which are cluster-scoped.

You can use that:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kubernetes-enforce
rules:
- apiGroups: ["apps"]
  resources: ["deployments","pods","daemonsets"]
  verbs: ["get", "list", "watch", "patch"]
- apiGroups: ["*"]
  resources: ["namespaces"]
  verbs: ["get", "list", "watch"]
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: kubernetes-enforce
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: kubernetes-enforce-logging
  namespace: cattle-logging
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kubernetes-enforce
subjects:
- kind: ServiceAccount
  name: kubernetes-enforce
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: kubernetes-enforce-prome
  namespace: cattle-prometheus
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kubernetes-enforce
subjects:
- kind: ServiceAccount
  name: kubernetes-enforce
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: kubernetes-enforce-system
  namespace: cattle-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kubernetes-enforce
subjects:
- kind: ServiceAccount
  name: kubernetes-enforce
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: kubernetes-enforce-default
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kubernetes-enforce
subjects:
- kind: ServiceAccount
  name: kubernetes-enforce
  namespace: kube-system
If your namespaces are, for example, in values.yaml (that is, they are somehow dynamic), you could do:

apiVersion: v1
kind: List
items:
  {{- range $namespace := .Values.namespaces }}
  - kind: ServiceAccount
    apiVersion: v1
    metadata:
      name: <YourAccountName>
      namespace: {{ $namespace }}
  {{- end }}

where in values.yaml you would have:

namespaces:
  - namespace-a
  - namespace-b
  - default

# define a clusterrole
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: supercr
rules:
  - apiGroups: ["*"]
    resources: ["*"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
# define a serviceaccount
apiVersion: v1
kind: ServiceAccount
metadata:
  name: supersa
  namespace: namespace-1
---
# bind serviceaccount to clusterrole
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: supercrb
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: supercr
subjects:
  - kind: ServiceAccount
    name: supersa
    namespace: namespace-1

Please note a ServiceAccount is namespaced. You can't create a cluster-wide ServiceAccount. However, you can bind a ServiceAccount to a ClusterRole with permissions to all API resources.
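The pattern from the earlier answers (the same ServiceAccount name created in every namespace that runs the pods, each bound to one shared ClusterRole through a namespace-scoped RoleBinding rather than a ClusterRoleBinding) as an added shell example that is not code from any of the posts. The account name app-sa, the ClusterRole app-reader and its pod read-only rules are assumptions chosen for illustration; the namespaces are the ones from the question.

```shell
# Added example, not code from any answer on this page. Renders one scoped
# ClusterRole, then the same ServiceAccount name plus a namespace-scoped
# RoleBinding in every namespace given. Names app-sa/app-reader are assumed.
render_rbac() {
  sa="$1"; cr="$2"; shift 2
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ${cr}
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]
EOF
  for ns in "$@"; do
    cat <<EOF
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ${sa}
  namespace: ${ns}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ${sa}-${cr}
  namespace: ${ns}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ${cr}
subjects:
- kind: ServiceAccount
  name: ${sa}
  namespace: ${ns}
EOF
  done
}
# Reads a rendered manifest on stdin and returns how many namespace-scoped
# RoleBindings it contains; a ClusterRoleBinding never appears in this output.
count_rolebindings() {
  grep -c '^kind: RoleBinding$'
}
# Render for the namespaces in the question that run the pods. On a real
# cluster: kubectl apply -f the output, then confirm the scope holds with
#   kubectl auth can-i list pods -n ns2 --as=system:serviceaccount:ns2:app-sa  # yes
#   kubectl auth can-i list pods -n ns3 --as=system:serviceaccount:ns2:app-sa  # no
render_rbac app-sa app-reader ns1 ns2 ns4
```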
