A Kubernetes serviceaccount is what our team members use to access the Kubernetes cluster remotely. It provides a credential called a "token" that is used to authenticate to the cluster. This page shows how to create a new serviceaccount for a new user on Kubernetes.

  1. The current serviceaccount must have superuser (cluster root) access. Normally, if the current serviceaccount is bound to the cluster-admin clusterrole, it has that access.
    1. To check cluster roles, type :clusterroles in k9s;
    2. To check whether the current serviceaccount has cluster-admin privilege, type :clusterrolebindings in k9s, then find service-account-admins in the default namespace. Check whether the current serviceaccount name is listed under the Subjects attribute.
  2. If you have sufficient privilege, you should be able to create serviceaccounts for others. Otherwise, log in as the administrator on the Linux server by typing su - administrator and entering the password. The root user on the current Linux machine should have the privilege (this is because root can read /etc/rancher/k3s/k3s.yaml, so never ever modify this file!!!).
  3. To add a new serviceaccount, type the following in a command line interface. It should create a service account under the default namespace.
    kubectl create serviceaccount <serviceaccount name>
  4. To generate a token for this serviceaccount, type the following in a command line interface. This automatically generates a secret under the default namespace with the name <serviceaccount name>:
    kubectl apply -f - <<EOF
    apiVersion: v1
    kind: Secret
    metadata:
      name: <serviceaccount name>
      annotations:
        kubernetes.io/service-account.name: <serviceaccount name>
    type: kubernetes.io/service-account-token
    EOF
  5. Now, we have the new serviceaccount and its token created. By using this token, the user should be able to connect to our Kubernetes Clusters. To see how to connect to Kubernetes Clusters, check How to connect to the server.
  6. In order for the new user to have full access to the Kubernetes cluster, we need to add the user to the current clusterrolebindings. Type :clusterrolebindings in k9s, then find service-account-admins in the default namespace. Press 'e' to edit the YAML. At the end of the file, append the following entry under the subjects attribute:
    - kind: ServiceAccount
      name: <serviceaccount name>
      namespace: default
  7. Now the new user should be able to access all components in our Kubernetes cluster. To see how to connect to Kubernetes Clusters, check How to connect to the server.
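The whole procedure above (steps 3, 4 and 6) can also be done from the command line without editing YAML in k9s. The script below is an added example, not part of the original page: it creates the serviceaccount, applies the same token Secret manifest, appends the account to the existing service-account-admins ClusterRoleBinding with a JSON patch, waits for the token controller to populate the Secret, and then verifies the binding by impersonating the new account with kubectl auth can-i. It assumes kubectl is on PATH and your current context already has cluster-admin rights; the namespace (default) and binding name (service-account-admins) are the ones the page uses.

```shell
#!/bin/sh
# Added example (not from the original page). Creates a serviceaccount, its
# long-lived token Secret, and appends it to the service-account-admins
# ClusterRoleBinding, then checks the result. Assumes kubectl is installed and
# the current context is already a cluster-admin.
set -eu

NAMESPACE=default                 # namespace used on the page
BINDING=service-account-admins    # ClusterRoleBinding name used on the page

# Builds the Secret manifest from the page (namespace made explicit).
# $1 = serviceaccount name, $2 = namespace
sa_token_secret_manifest() {
cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $1
  namespace: $2
  annotations:
    kubernetes.io/service-account.name: $1
type: kubernetes.io/service-account-token
EOF
}

# Builds the JSON patch that appends one ServiceAccount subject to the
# binding's subjects list (same entry as the YAML snippet in step 6).
# $1 = serviceaccount name, $2 = namespace
sa_subject_patch() {
  printf '[{"op":"add","path":"/subjects/-","value":{"kind":"ServiceAccount","name":"%s","namespace":"%s"}}]' "$1" "$2"
}

# Runs steps 3, 4 and 6, waits for the token, verifies, and prints the token.
# $1 = serviceaccount name
create_admin_serviceaccount() {
  sa=$1
  kubectl create serviceaccount "$sa" -n "$NAMESPACE"
  sa_token_secret_manifest "$sa" "$NAMESPACE" | kubectl apply -f -
  kubectl patch clusterrolebinding "$BINDING" --type=json \
    -p "$(sa_subject_patch "$sa" "$NAMESPACE")"

  # The token controller fills .data.token asynchronously; poll briefly.
  token=""
  for _ in 1 2 3 4 5 6 7 8 9 10; do
    token=$(kubectl get secret "$sa" -n "$NAMESPACE" \
              -o jsonpath='{.data.token}' 2>/dev/null | base64 -d)
    [ -n "$token" ] && break
    sleep 1
  done
  [ -n "$token" ] || { echo "token not populated for $sa" >&2; return 1; }

  # Confirm the binding took effect by impersonating the new account;
  # with cluster-admin this prints "yes" (non-zero exit otherwise).
  kubectl auth can-i '*' '*' --as="system:serviceaccount:$NAMESPACE:$sa"

  # Hand the token to the user for "How to connect to the server".
  printf '%s\n' "$token"
}

# usage: sh create-sa.sh <serviceaccount name>
if [ $# -ge 1 ]; then
  create_admin_serviceaccount "$1"
fi
```

The manifest and patch are built by separate functions so they can be inspected with kubectl diff or kubectl apply --dry-run=server before anything is changed; the can-i check at the end is the quickest way to confirm that the new subject really landed in the binding.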