
If you are not familiar with the oc command, refer to OpenShift - Getting Started with the oc command.
By default, a Service Account will not be assigned to a Role Binding or a Cluster Role Binding or a Security Context Constraint (SCC). Typically, Service Accounts are used to:
- Run a deployment with a Service Account so that the pods are run with the Security Context Constraint associated with the Service Account
- To associate the Service Account with a Role Binding or Cluster Role Binding to contol what the service account is allowed to do in a namespace
The oc create serviceaccount (or oc create sa) command can be used to create a Service Account.
oc create serviceaccount my-service-account
The --namespace option can be used to create the Service Account in a certain namespace.
oc create serviceaccount my-service-account --namespace my_project
Or, a JSON or YAML file can be used.For example, let's say you have a YAML file that contains the following markup.
apiVersion: v1
kind: ServiceAccount
metadata:
name: my-service-account
namespace: default
The oc apply or oc create command with the -f or --filename option can be used to create the pod using the template JSON or YAML file.
The oc replace command can be used to replace a pod using a new or updated template JSON or YAML file.
The oc edit command can be used to update a pods template YAML file.
~]$ oc create -f serviceaccount.yml
serviceaccount/my-service-account created
The oc get serviceaccounts (or just oc get sa) command can be used to list the Service Accounts that have been created in the current project / namespace.
~]$ oc get serviceaccounts
NAME SECRETS AGE
default 2 388d
my-servie-account 2 112s
The oc describe serviceaccount command can be used to show more details of a specific Service Account.
~]$ oc describe serviceaccount my-service-account
Name: my-service-account
Namespace: default
Labels: <none>
Annotations: <none>
Image pull secrets: my-service-account-dockercfg-57b6r
Mountable secrets: my-service-account-token-sfrpr
my-service-account-dockercfg-57b6r
Tokens: my-service-account-token-6x45k
my-service-account-token-sfrpr
Events: <none>
By default, this should create a secret containing a token that the Service Account can use to authenticate to OpenShift.
~]$ oc get secret my-service-account-token-js959 --namespace my_project --output jsonpath="{.data.token}" | base64 --decode
eyJhbGciOiJSUzI1NiIsImtpZCI6InhlOXdWYjdVYV9qOXk2RVZ2X0JVV1ZZTnZXTy0yR2xRVDhMOEpOUVBnVmsifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJvcGVuc2hpZnQtZ2l0b3BzIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6Im15LXNlcnZpY2UtYWNjb3VudC10b2tlbi1qczk1OSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJteS1zZXJ2aWNlLWFjY291bnQiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiJhZjE2NjQyOS1jMzgzLTRlNzEtOGRmZS0yYTYyY2JhYmE0NWYiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6b3BlbnNoaWZ0LWdpdG9wczpteS1zZXJ2aWNlLWFjY291bnQifQ.Idd7VeoZhDofAiu8ebo8kUxVleeIlkzv8srwpWX0pdefTsqlgJPhzj5rnntK5QyhoQbFRAjPgcnNIixAeiYzUvmUf1H1KlRF2oTih0a7BknIjNRGovn3v3YaWJf6lkkJMWLRGuPWo7tEREOZJtMi-_3Nck5o0R7zSfNCUPC8fwx4es2x4EF4Lm6jaR0IJfcgHuGEjyO4gGTOyZScwzBgrl-HRiNqb2RBeY7_hBAckln3ceX3HKu8XovMgFIoNgk-TXxBs4MHjofCMcj8mxgJObLZwAfgIKvixUQMMKFbGHD0-QO9XcLj6E9X4oM2WeD67RJZcu3TYFnP0V4LiZZ_GWq1HCvH7h7hy9tKd9_9Cbioxw4YO1WtBxapZghtE_ZVnVDX8U-xcO1n0T9WyUkkWFHKipvbZBnDkAtjX3I1Du33pPmg1Xo8mf7EMzNRkqZdP2xyGMwss6Pw9B0PG7P3U1aPguF_dGhxVNvAI4zZIDRpmiLwHvd2t7D3gGCFTCM06pyZjImOFZg4LvrqaYQZAnNWzUBqdXNg-LAuRIGz3X3SfAun1aPTFG9xA8eh08c8aKD8KvjPkfwG_QldYOzcwgumwWlzRRBeA_ozZF-66a83A91nLApcgRLXupcucrNJuMiirUL_Dl7mTnwiaxhMjT3o86RRx_hMS2z5c9liwV8
If the purpose of the Service Account is to have an account that has certain permissions (such as view or cluster-admin), then you will want to Add or Remove a Role Binding from a User Group or Service Account.
~]$ oc adm policy add-cluster-role-to-user basic-user -z my-service-account
clusterrole.rbac.authorization.k8s.io/basic-user added: "my-service-account"
If the purpose of the Service Account is to set the Security Context Constraint for pods in the project, then you will want to Add a Security Context Constraint to a User or Group or Service Account.
~]$ oc adm policy add-scc-to-user restricted -z my-service-account
clusterrole.rbac.authorization.k8s.io/system:openshift:scc:restricted added: "my-service-account"
Did you find this article helpful?
If so, consider buying me a coffee over at