Kubernetes service accounts, and creating kubeconfig for one

Submitted by
Style Pass
2024-11-18 14:30:04

Service accounts can provide access both to components inside the cluster and to services outside the cluster. For example, I use a service account to give GitHub Actions access to deploy a new version of WebGazer on a new release.

Please don't copy/paste your cluster-admin role kubeconfig 🙃 If you do, the other party can do whatever it wants to every resource, in every namespace, cluster-wide. Even if the tool or service you create the service account for is trustworthy and not malicious, a bug in its systems might accidentally edit or delete unexpected resources.

That's why you should create a service account specific to that tool or service, with limited permissions that are just enough for what you expect the tool or service to do (see Principle of least privilege). You know, better safe than sorry.

Before version 1.24, Kubernetes created a secret for the service account automatically. Since 1.24, we need to create the secret manually.
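
The shell functions below are an added example, not code from the original post: they render a namespaced service account with a narrow Role, the manually created token Secret needed since 1.24, and a kubeconfig that carries only that account's token. The account name, the namespace and the Role's rules (read and patch Deployments) are assumptions chosen for a deploy pipeline.

```shell
#!/bin/sh
# Added example; names, namespace and the Role's rules are assumptions.

# Manifests: ServiceAccount, namespaced Role and binding, plus the token
# Secret that Kubernetes 1.24+ no longer creates automatically.
render_manifests() {  # usage: render_manifests <sa-name> <namespace>
  cat <<EOF
apiVersion: v1
kind: ServiceAccount
metadata: {name: $1, namespace: $2}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata: {name: $1, namespace: $2}
rules:
  - {apiGroups: [apps], resources: [deployments], verbs: [get, list, patch]}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata: {name: $1, namespace: $2}
subjects:
  - {kind: ServiceAccount, name: $1, namespace: $2}
roleRef: {apiGroup: rbac.authorization.k8s.io, kind: Role, name: $1}
---
apiVersion: v1
kind: Secret
type: kubernetes.io/service-account-token
metadata:
  name: $1-token
  namespace: $2
  annotations:
    kubernetes.io/service-account.name: $1
EOF
}

# kubeconfig carrying only that account's token (CA stays base64-encoded).
render_kubeconfig() {  # usage: <sa> <namespace> <server-url> <ca-b64> <token>
  cat <<EOF
apiVersion: v1
kind: Config
current-context: $1
clusters:
  - {name: cluster, cluster: {server: "$3", certificate-authority-data: "$4"}}
users:
  - {name: $1, user: {token: "$5"}}
contexts:
  - {name: $1, context: {cluster: cluster, user: $1, namespace: $2}}
EOF
}
```

Against a live cluster, pipe `render_manifests` into `kubectl apply -f -`, then read `ca.crt` and `token` from the `<sa-name>-token` Secret; the token is base64-encoded there and must be decoded before it goes into the kubeconfig. `kubectl --kubeconfig <file> auth can-i delete secrets` should then answer `no`.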
