60

My understanding of this doc page is that I can configure service accounts with Pods and hopefully also deployments, so I can access the k8s API in Kubernetes 1.6+. In order not to alter or use the default one, I want to create a service account and mount the certificate into the pods of a deployment.

How do I achieve something similar to this example for a deployment?

apiVersion: v1
kind: Pod
metadata:
  name: my-pod
spec:
  serviceAccountName: build-robot
  automountServiceAccountToken: false
mohan08p
eljefedelrodeodeljefe

2 Answers

101

As you will need to specify 'podSpec' in Deployment as well, you should be able to configure the service account in the same way. Something like:

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: my-deployment
spec:
  template:
    # Below is the podSpec.
    metadata:
      name: ...
    spec:
      serviceAccountName: build-robot
      automountServiceAccountToken: false
      ...
Henrik
MrHohn
  • How can I pass a namespace with the serviceAccountName? – Pasha Apr 27 '20 at 14:22
  • Is it possible to specify a certain serviceAccountName under a namespace, so that I don't need to change the Pod, Deployment yaml files? – meadlai Jun 05 '20 at 07:10
  • Searching for this answer too: how to specify the namespace of a service account? GKE – fabrizioM Jun 13 '20 at 19:37
  • To specify a service account under a namespace, use the -n tag, or do it in the service account file. For example: `apiVersion: v1 kind: ServiceAccount metadata: name: ServiceAccountName namespace: ServiceAccountNamespace` and you can create the file with kubectl apply -f filename.yaml or kubectl apply -f filename -n ServiceAccountNamespace if not specified inside the file – samceena Nov 12 '20 at 18:07
  • What is the use of providing such a serviceaccount inside a deployment file and not providing at all and providing a custom service account within the ns for rbac? – Jithin Kumar S Jan 13 '21 at 15:38
  • Did you then mount the token inside the pod as described here https://kubernetes.io/docs/tasks/access-application-cluster/access-cluster/#accessing-the-api-from-a-pod? For some reason, I don't get this answer to work. – Bennimi Nov 09 '21 at 13:42
2

Kubernetes nginx-deployment.yaml where serviceAccountName: test-sa is used as a non-default service account

Link: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/

test-sa.yaml

apiVersion: v1
kind: ServiceAccount
metadata:
  name: test-sa
  namespace: test-ns

nginx-deployment.yaml

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
  namespace: test-ns
spec:
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app: nginx
  replicas: 1 # tells deployment to run 1 pods matching the template
  template: # create pods using pod definition in this template
    metadata:
      labels:
        app: nginx
    spec:
      serviceAccountName: test-sa
      containers:
      - name: nginx
        image: nginx
        ports:
        - containerPort: 80
ngg
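A fuller manifest for the setup discussed in both answers and their comments, added here as an example and not taken from either answer. It shows that `serviceAccountName` has no namespace of its own (it is resolved in the Deployment's namespace), that the account needs an RBAC binding before it can do anything, and that the token must be mounted for in-pod API access. The Role and RoleBinding names and the granted verbs are assumptions.

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: test-sa
  namespace: test-ns
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader          # hypothetical Role name
  namespace: test-ns
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list"]    # assumed permissions; grant only what the workload needs
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods           # hypothetical binding name
  namespace: test-ns
subjects:
- kind: ServiceAccount
  name: test-sa
  namespace: test-ns        # RBAC subjects, unlike the podSpec field, carry a namespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: pod-reader
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
  namespace: test-ns        # test-sa is looked up in this namespace
spec:
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      serviceAccountName: test-sa
      automountServiceAccountToken: true   # false leaves the pod without a mounted API token
      containers:
      - name: nginx
        image: nginx
```

After applying, `kubectl auth can-i list pods --as=system:serviceaccount:test-ns:test-sa -n test-ns` should answer `yes`, and the same check for a verb that was not granted (for example `delete`) should answer `no`.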