A Kubernetes serviceaccount is essential for our team members to access the Kubernetes cluster remotely. It provides a credential called a "token" that is used to authenticate to the cluster. This page shows how to create a new serviceaccount for a new user on Kubernetes.
- The current serviceaccount must have superuser (cluster root) access. Normally, if the current serviceaccount is bound to the cluster-admin clusterrole, it has that access.
- To check cluster roles, type :clusterroles in K9s.
- To check whether the current serviceaccount has the cluster-admin privilege, type :clusterrolebindings in K9s, then find service-account-admins in the default namespace. Check whether the current serviceaccount name is listed under the Subjects attribute.
- If you have sufficient privilege, you should be able to create serviceaccounts for others. Otherwise, log in as the administrator on the Linux server by typing su - administrator and entering the password. The root user on the current Linux machine should have the privilege (this is because the root user can access /etc/rancher/k3s/k3s.yaml, so never ever modify this file!!!).
- To add a new serviceaccount, type the following in a command line interface. It should create a service account under the default namespace.
kubectl create serviceaccount <serviceaccount name>
- To generate a token for this serviceaccount, type the following in a command line interface. This creates a Secret under the default namespace with the name <serviceaccount name>; the token controller then fills in the token automatically.
$ kubectl apply -f - <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: <serviceaccount name>
  annotations:
    kubernetes.io/service-account.name: <serviceaccount name>
type: kubernetes.io/service-account-token
EOF
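The two steps above wrapped into a reusable script, as an added example that is not part of the original page: it validates the account name before anything is created, generates the same Secret manifest, waits for the token controller to populate the token, and lists what the new account is actually allowed to do before the token is handed out. It assumes kubectl is on PATH and the current context has cluster-admin; the namespace parameter and the function names are this example's own choices.

```shell
#!/bin/sh
# Added example, not the page's own commands. Assumes kubectl is on PATH and
# the current kubeconfig context has cluster-admin.

# Kubernetes object names must be DNS-1123 labels: lowercase alphanumerics
# and '-', at most 63 characters, starting and ending with an alphanumeric.
validate_sa_name() {
    printf '%s' "$1" | grep -Eq '^[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?$'
}

# Print the long-lived token Secret manifest from the page.
# $1 = serviceaccount name, $2 = namespace (default: "default", as on the page).
sa_token_secret_manifest() {
    name=$1
    ns=${2:-default}
    cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: ${name}
  namespace: ${ns}
  annotations:
    kubernetes.io/service-account.name: ${name}
type: kubernetes.io/service-account-token
EOF
}

# Create the serviceaccount and its token Secret, wait for the token to be
# populated, show the account's effective permissions, then print the token.
create_sa_with_token() {
    name=$1
    ns=${2:-default}
    validate_sa_name "$name" || { echo "invalid serviceaccount name: $name" >&2; return 1; }
    kubectl -n "$ns" create serviceaccount "$name"
    sa_token_secret_manifest "$name" "$ns" | kubectl apply -f -
    # The token controller fills in .data.token asynchronously; poll for it.
    token=""
    for i in 1 2 3 4 5 6 7 8 9 10; do
        token=$(kubectl -n "$ns" get secret "$name" -o jsonpath='{.data.token}' 2>/dev/null)
        [ -n "$token" ] && break
        sleep 1
    done
    [ -n "$token" ] || { echo "token not populated for $ns/$name" >&2; return 1; }
    # Least-privilege check: a fresh account should have almost no permissions
    # until a (cluster)rolebinding is added for it.
    kubectl auth can-i --list --as="system:serviceaccount:${ns}:${name}" >&2
    printf '%s' "$token" | base64 -d
}
```

Run it as `create_sa_with_token alice` (or `create_sa_with_token alice team-a`); the permission listing goes to stderr and the decoded token to stdout.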