
If you are not familiar with the oc command, refer to OpenShift - Getting Started with the oc command.
By default, a Service Account is not assigned to a Role Binding, a Cluster Role Binding, or a Security Context Constraint (SCC). Typically, Service Accounts are used to:
- Run a deployment with a Service Account so that the pods run with the Security Context Constraint associated with the Service Account
- Associate the Service Account with a Role Binding or Cluster Role Binding to control what the service account is allowed to do in a namespace
The oc create serviceaccount (or oc create sa) command can be used to create a Service Account.
~]$ oc create serviceaccount my-service-account
serviceaccount/my-service-account created
Or, a JSON or YAML file can be used. For example, let's say you have a YAML file that contains the following markup.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: my-service-account
  namespace: default
The oc apply or oc create command with the -f or --filename option can be used to create the Service Account from the JSON or YAML file.
The oc replace command can be used to replace a Service Account using a new or updated JSON or YAML file.
The oc edit command can be used to update a Service Account's YAML in place.
~]$ oc create -f serviceaccount.yml
serviceaccount/my-service-account created
The oc get serviceaccounts (or just oc get sa) command can be used to list the Service Accounts that have been created in the current project / namespace.
~]$ oc get serviceaccounts
NAME SECRETS AGE
default 2 388d
my-service-account 2 112s
The oc describe serviceaccount command can be used to show more details of a specific Service Account.
~]$ oc describe serviceaccount my-service-account
Name: my-service-account
Namespace: default
Labels: <none>
Annotations: <none>
Image pull secrets: my-service-account-dockercfg-57b6r
Mountable secrets: my-service-account-token-sfrpr
my-service-account-dockercfg-57b6r
Tokens: my-service-account-token-6x45k
my-service-account-token-sfrpr
Events: <none>
If the purpose of the Service Account is to have an account that has certain permissions (such as view or cluster-admin), then you will want to Add or Remove a Role Binding from a User, Group, or Service Account.
~]$ oc adm policy add-cluster-role-to-user basic-user -z my-service-account
clusterrole.rbac.authorization.k8s.io/basic-user added: "my-service-account"
If the purpose of the Service Account is to set the Security Context Constraint for pods in the project, then you will want to Add a Security Context Constraint to a User, Group, or Service Account.
~]$ oc adm policy add-scc-to-user restricted -z my-service-account
clusterrole.rbac.authorization.k8s.io/system:openshift:scc:restricted added: "my-service-account"
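As an added example (not part of the original article), the following script declares the Service Account together with a namespace-scoped RoleBinding instead of the cluster-wide grant shown above, then checks what the account can actually do with oc auth can-i impersonation. The "my-service-account" name, the default namespace, and the view ClusterRole come from the article; the RoleBinding name is an assumption.

```shell
#!/bin/sh
# Added example, not from the original article. Builds a ServiceAccount plus a
# namespace-scoped RoleBinding manifest and verifies the resulting permissions.
# Assumed names: RoleBinding "<sa>-<role>"; everything else as in the article.

# sa_manifest NAMESPACE SA_NAME CLUSTERROLE
# Prints YAML that creates the Service Account and binds CLUSTERROLE to it via
# a RoleBinding, so the permissions apply only inside NAMESPACE (in contrast to
# add-cluster-role-to-user, which grants them cluster-wide).
sa_manifest() {
  ns="$1"; sa="$2"; role="$3"
  cat <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ${sa}
  namespace: ${ns}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ${sa}-${role}
  namespace: ${ns}
subjects:
- kind: ServiceAccount
  name: ${sa}
  namespace: ${ns}
roleRef:
  kind: ClusterRole
  name: ${role}
  apiGroup: rbac.authorization.k8s.io
EOF
}

# sa_subject NAMESPACE SA_NAME
# Prints the user name the API server sees for the Service Account; this is
# the value to pass to `oc auth can-i --as=...` when auditing its permissions.
sa_subject() {
  printf 'system:serviceaccount:%s:%s' "$1" "$2"
}

# Apply the manifest and probe one verb the view role allows and one it denies.
# Only runs when oc is installed and logged in to a cluster.
if command -v oc >/dev/null 2>&1; then
  sa_manifest default my-service-account view | oc apply -f -
  oc auth can-i get pods --as="$(sa_subject default my-service-account)"     # expect: yes
  oc auth can-i delete pods --as="$(sa_subject default my-service-account)"  # expect: no
fi
```

Run the two oc auth can-i lines after any role change to confirm the account holds only the verbs it needs; a "yes" on delete would show the binding is broader than intended.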