
Specify service account name with namespace for kubernetes pod

I am trying to use workload identity for my kubernetes cluster. I have created the service account in a new namespace. My issue is that I am not able to specify the namespace when I am trying to add the service account name on the pod deployment YML.

Following is my pod spec file:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: test-scheduler
spec:
  replicas: 1
  selector:
    matchLabels:
      app: test-scheduler
  template:
    metadata:
      labels:
        app: test-scheduler
    spec:
      serviceAccountName: test-na/test-k8-sa
      nodeSelector:
        iam.gke.io/gke-metadata-server-enabled: "true"
      containers:
        - name: test-scheduler
          image: gcr.io/PROJECT_ID/IMAGE:TAG
          ports:
            - name: scheduler-port
              containerPort: 8002
              protocol: TCP
          env:
            - name: NAMESPACE
              value: test-scheduler
            - name: CONTAINER_NAME
              value: test-scheduler
---
apiVersion: v1
kind: Service
metadata:
  name: test-scheduler
spec:
  selector:
    app: test-scheduler
  ports:
    - port: 8002
      protocol: TCP
      targetPort: scheduler-port

When I deploy this code using github actions I get this error:

The Deployment "test-scheduler" is invalid: spec.template.spec.serviceAccountName: Invalid value: "test-na/test-k8-sa": a lowercase RFC 1123 subdomain must consist of lower case alphanumeric characters, '-' or '.',

When I remove the namespace in a file like this:

serviceAccountName: test-k8-sa

It searches for the service account in the default namespace and fails.

My question here is what is the right way to specify the custom namespace with the service account in kubernetes?

I can start using the default but I am inclined to keep the namespace. I saw some references to service account files but I don't really understand how to use them.

By the way, I am using this guide https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity#gcloud_3

...I have created the service account in a new namespace. My issue is that I am not able to specify the namespace when I am trying to add the service account name on the pod deployment YML.

To assign the created service account to your deployment, you can create the deployment in the same namespace as the service account:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: test-scheduler
  namespace: test-na  # <-- add this line with the namespace where the service account resides
spec:
  ...
  template:
    ...
    spec:
      serviceAccountName: test-k8-sa
      ...
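The two failures in the question (the rejected "namespace/name" value and the lookup in the wrong namespace) can be caught before `kubectl apply` with a small pre-deploy check. This is an added example, not code from the answer or from Kubernetes; the manifest is passed in as an already-parsed dict (as `yaml.safe_load` would produce), and the set of existing service accounts is a constructed sample standing in for the cluster's real inventory.

```python
import re

# Kubernetes validates serviceAccountName as an RFC 1123 subdomain:
# lowercase alphanumerics, '-' and '.', at most 253 characters, and no '/'.
DNS1123_SUBDOMAIN = re.compile(
    r"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$"
)


def check_service_account_ref(deployment, existing_service_accounts):
    """Return a list of problems with a Deployment's service account reference.

    deployment: Deployment manifest parsed into a dict.
    existing_service_accounts: set of (namespace, name) tuples known to exist.
    """
    problems = []
    pod_spec = deployment.get("spec", {}).get("template", {}).get("spec", {})
    sa_name = pod_spec.get("serviceAccountName", "default")
    # Without metadata.namespace the Deployment lands in "default", and the
    # pod's service account is looked up there, not where the SA was created.
    namespace = deployment.get("metadata", {}).get("namespace", "default")

    if len(sa_name) > 253 or not DNS1123_SUBDOMAIN.match(sa_name):
        problems.append(
            f'spec.template.spec.serviceAccountName: invalid value "{sa_name}": '
            "must be a lowercase RFC 1123 subdomain (a namespace prefix is not allowed)"
        )
        return problems  # a name the API server rejects cannot be looked up

    if (namespace, sa_name) not in existing_service_accounts:
        elsewhere = sorted(ns for ns, n in existing_service_accounts if n == sa_name)
        hint = f"; it exists in {elsewhere}, so set metadata.namespace on the Deployment" if elsewhere else ""
        problems.append(f'service account "{sa_name}" not found in namespace "{namespace}"{hint}')
    return problems


# Constructed sample inventory: the SA from the question exists only in test-na.
KNOWN_SERVICE_ACCOUNTS = {("test-na", "test-k8-sa"), ("default", "default")}


def deployment_manifest(service_account_name, namespace=None):
    """Build a minimal Deployment dict mirroring the question's manifest (constructed)."""
    metadata = {"name": "test-scheduler"}
    if namespace:
        metadata["namespace"] = namespace
    return {"apiVersion": "apps/v1", "kind": "Deployment", "metadata": metadata,
            "spec": {"template": {"spec": {"serviceAccountName": service_account_name}}}}


if __name__ == "__main__":
    for sa, ns in [("test-na/test-k8-sa", None), ("test-k8-sa", None), ("test-k8-sa", "test-na")]:
        print(sa, ns, check_service_account_ref(deployment_manifest(sa, ns), KNOWN_SERVICE_ACCOUNTS) or "OK")
```

Running it reports the rejected name for the first manifest, the missing service account in `default` for the second, and no problems once `metadata.namespace: test-na` is set.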

You can create one service account in default and attach it to a Role and RoleBinding in another namespace:

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: reader-default
  namespace: <Namespace - 2>
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: pod-reader
subjects:
- kind: ServiceAccount
  name: default-service-account
  namespace: <ANOTHER NAMESPACE OR DEFAULT>
