Stack Overflow
Stack Overflow

Questions tagged [k8s-serviceaccount]

77 questions
1
vote
1 answer

Kubernetes service account to access AWS S3 for different users in the container

I have an EKS deployment with a service account with policy and role that enable access to S3. This works well for root account in the container. The container can execute aws s3 cp ... with no issue. The problem is that another user cannot. It gets…
unludo
  • 4,912
  • 7
  • 47
  • 71
1
vote
3 answers

How to configure a ClusterRole for namespaced resources

I want to allow a ServiceAccount in namespace A to access a resource in namespace B. To achieve this I connect the ServiceAccount to a ClusterRole via a ClusterRoleBinding. The documentation says I can "use a ClusterRole to [1.] define permissions…
Natjo
  • 2,005
  • 29
  • 75
1
vote
1 answer

Cannot list or delete ClusterRole or ClusterRoleBinding with a Kubernetes ServiceAccount

I want to create a Kubernetes CronJob that deletes resources (Namespace, ClusterRole, ClusterRoleBinding) that may be left over (initially, the criteria will be "has label=Something" and "is older than 30 minutes". (Each namespace contains resources…
jleeothon
  • 2,907
  • 4
  • 19
  • 35
1
vote
1 answer

Kubernetes Service Account Token has super power?

I accidentally was checking if my pod had the right ServiceAccount and its Bindings. Out of curiosity I wanted to check if the token created from this service account is bound with the certain ClusterRole and ClusterRoleBinding which are read only.…
chaosguru
  • 1,933
  • 4
  • 30
  • 44
1
vote
1 answer

Can Cloud Composer run Dags with different Service Accounts in the same Composer environment?

I have several Dags setup to run the KubernetesPodOperator in Cloud Composer / Airflow, they run under the Composer Environment Service Account, I want to know if there is away of running a Dag with a different Service Account to the one set in the…
Hutch
  • 411
  • 10
  • 32
1
vote
1 answer

kubectl Secret - passing service account ( json ) file in ansible k8s module

Am trying to use kubernetes ansible module for creating the kubectl secret, below is my command kubectl create secret generic -n default test --from-file=gcp=serviceaccount.json Do we have any way to pass service account json…
sasi
  • 4,192
  • 4
  • 28
  • 47
1
vote
1 answer

Access K8S API from a pod

I have a main pod that accesses and makes Kubernetes API calls to deploy other pods (the code similar below). It works fine. Now, I don't want to use the config file. I know it's possible with a service account.…
Kevin N
  • 15
  • 3
1
vote
1 answer

Use Workload Identity to export GCP Cloud SQL databases to a bucket

I am working on a Kubernetes CronJob in GKE to export SQL databases from GCP Cloud SQL. I have a single GCP Cloud SQL instance whose Google service account is p848827672298-eef1pd@gcp-sa-cloud-sql.iam.gserviceaccount.com. If I add to this service…
rlandster
  • 7,294
  • 14
  • 58
  • 96
1
vote
1 answer

How do you obtain an aws-iam-token to access S3 using IRSA?

I've create an IRSA role in terraform so that the associated service account can be used by a K8s job to access an S3 bucket but I keep getting an AccessDenied error within the job. I first enabled IRSA in our EKS cluster with enable_irsa = true in…
Blaine Nelson
  • 13
  • 3
1
vote
1 answer

What am I missing in this kubernetes RBAC setup?

I want to run a pod that listens for updates to endpoint lists (I'm not yet ready to adopt the alpha-level feature of endpoint sets, but I'll expand to that eventually.) I have this code: package main import ( "fmt" "os" "os/signal" …
Jon Watte
  • 6,579
  • 4
  • 53
  • 63
0
votes
1 answer

What is the difference between google_project_iam and google_service_account_iam?

Regarding these two Terraform GCP resources : google_project_iam and google_service_account_iam I can't fully grasp the differences and use cases were you should use one over the other. I might have one, where you would want to create a…
Coding_Maeda
  • 41
  • 2
0
votes
1 answer

EKS - Kubernetes - nginx-ingress-controller-default-ingress-controller - open /var/run/secrets/kubernetes.io/serviceaccount/token: permission denied

we have an EKS cluster on 1.21. There is an nginx-ingress-controller-default-ingress-controller deployed with a Classic Load Balancer. Suddenly, its pods are crashing with following errors. I0815 04:40:04.970835 8 flags.go:204] Watching for…
Nisarg
  • 171
  • 8
0
votes
0 answers

Not able to get external IP while running load balancer service in k8s, using aws cloud

I am trying to create load balancer service in k8s, However after creating the service, I should have received external IP but not able to see or get. Please find my service.yaml file or output as below: kubectl get svc NAME TYPE …
love arora
  • 11
  • 2
0
votes
1 answer

Kubernetes SAT token as environment variable

I have created a K8 service account token using following command; kubectl create serviceaccount test-sat-account I have deployment yaml for a dotnet service and I am importing the above token in a volume as below; apiVersion: apps/v1 kind:…
Abhijit
  • 175
  • 5
  • 16
0
votes
0 answers

Service Account in K8s have access to other namespaces that are not part of its role

I want to create a service account that can access to specific namespaces, so far some rules are working the issue comes when I export the KUBECONFIG, this service account can do anything in other pods that are in other NS that this account should…
Jim Rambo
  • 1
1
2
3 4 5 6