Add service account to your namespace
Service accounts
Kubernetes distinguishes between the concept of a user account and a service account for a number of reasons:
- Service accounts are for processes, which run in pods.
- Service accounts are namespaced.
- Service account creation is intended to be more lightweight, allowing cluster users to create service accounts for specific tasks by following the principle of least privilege.
- A config bundle for a complex system may include definitions of various service accounts for the components of that system. Because service accounts can be created without many constraints and have namespaced names, such config is portable.
Pre-defined Cluster Roles Available
- developer-role
- devops-namespace-role
- reader-namespace-role
Create a Service Account
1. Create an empty YAML file named my-service-account-x.yaml.
2. Fill the service account section with the following block and replace <service-account-name> and <service-account-namespace>.

```yaml
---
# service account
apiVersion: v1
kind: ServiceAccount
metadata:
  name: <service-account-name>
  namespace: <service-account-namespace>
```
3. Assign one of the pre-defined roles to your service account (see section Pre-defined Cluster Roles Available) by adding the following block and replacing <service-account-role-binding-name>, <service-account-namespace>, <service-account-name> and <predefined-role>.

```yaml
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: <service-account-role-binding-name>
  namespace: <service-account-namespace>
subjects:
- kind: ServiceAccount
  name: <service-account-name>
  namespace: <service-account-namespace>
roleRef:
  kind: ClusterRole
  name: <predefined-role>
  apiGroup: rbac.authorization.k8s.io
```
4. [Optional] Create a token associated with the service account.

Warning: Since AKS 1.24, the service account's token secret is no longer created automatically when the service account is created. This change was introduced because of the security concern of secrets that have no expiration time. More information

```yaml
---
apiVersion: v1
kind: Secret
type: kubernetes.io/service-account-token
metadata:
  name: <service-account-name>-token
  namespace: <service-account-namespace>
  annotations:
    kubernetes.io/service-account.name: "<service-account-name>"
```
5. Apply your configuration:

kubectl apply -f my-service-account-x.yaml
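The service-account and role-binding steps above, as an added shell helper that is not part of this page or of the self-service-sa project: it renders the two manifests from a name, a namespace and a role, refuses any role that is not in the pre-defined list, and rejects names that are not DNS-1123 labels so that shell-expanded values cannot smuggle extra YAML documents into the output. The binding name NAME-ROLE is an assumption; the optional token Secret is left out.

```sh
# Pre-defined cluster roles from this page; any other role is refused.
ALLOWED_ROLES="developer-role devops-namespace-role reader-namespace-role"
# role_allowed ROLE: succeeds only if ROLE is one of ALLOWED_ROLES.
role_allowed() {
  for r in $ALLOWED_ROLES; do
    [ "$1" = "$r" ] && return 0
  done
  return 1
}
# valid_name VALUE: DNS-1123 label; also blocks newlines/colons in expanded values.
valid_name() {
  printf '%s' "$1" | grep -Eq '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$'
}
# render_sa_manifest NAME NAMESPACE ROLE: prints the ServiceAccount and the
# RoleBinding from this page. Binding name NAME-ROLE is an assumption.
render_sa_manifest() {
  sa="$1"; ns="$2"; role="$3"
  if ! valid_name "$sa" || ! valid_name "$ns"; then
    echo "refusing '$sa'/'$ns': names must be DNS-1123 labels" >&2
    return 1
  fi
  if ! role_allowed "$role"; then
    echo "refusing role '$role': not one of: $ALLOWED_ROLES" >&2
    return 1
  fi
  cat <<EOF
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ${sa}
  namespace: ${ns}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ${sa}-${role}
  namespace: ${ns}
subjects:
- kind: ServiceAccount
  name: ${sa}
  namespace: ${ns}
roleRef:
  kind: ClusterRole
  name: ${role}
  apiGroup: rbac.authorization.k8s.io
EOF
}
```

Pipe the output into `kubectl apply -f -` and then run the validation commands from the Validation section.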
Validation
- List created service account
kubectl get sa -n <service-account-namespace> | grep <service-account-name>
- List created role binding
kubectl get rolebinding -n <service-account-namespace> | grep <service-account-role-binding-name>
Service account definition examples
Examples of how to define a service account can be found in the project self-service-sa.