With Gardener v1.47 a new role called `serviceaccountmanager` was introduced. This role allows full management of `ServiceAccount`s in the project namespace and requesting tokens for them. This is the preferred way of managing access to a project namespace, as it aims to replace the usage of the default `ServiceAccount` secrets, which are no longer generated automatically with Kubernetes v1.24+.
Once given the `serviceaccountmanager` role, a user can create/update/delete `ServiceAccount`s in the project namespace. In order to create a `ServiceAccount` named "robot-user", run the following `kubectl` command:

```bash
kubectl -n project-abc create sa robot-user
```
A token for the "robot-user" `ServiceAccount` can be requested via the TokenRequest API. The request can be made with `kubectl`:

```bash
cat <<EOF | kubectl create -f - --raw /api/v1/namespaces/project-abc/serviceaccounts/robot-user/token
{
  "apiVersion": "authentication.k8s.io/v1",
  "kind": "TokenRequest",
  "spec": {
    "expirationSeconds": 3600
  }
}
EOF
```
or alternatively by directly calling the Kubernetes HTTP API:

```bash
curl -X POST https://api.gardener/api/v1/namespaces/project-abc/serviceaccounts/robot-user/token \
  -H "Authorization: Bearer <auth-token>" \
  -H "Content-Type: application/json" \
  -d '{
    "apiVersion": "authentication.k8s.io/v1",
    "kind": "TokenRequest",
    "spec": {
      "expirationSeconds": 3600
    }
  }'
```
Mind that the returned token is not stored within the Kubernetes cluster, is valid for 3600 seconds and will be invalidated if the "robot-user" `ServiceAccount` is deleted. Although `expirationSeconds` can be adjusted as needed, the returned token's validity will not exceed the `service-account-max-token-expiration` duration configured for the garden cluster. It is advised to verify the actual `expirationTimestamp` so that expectations are met. This can be done by asserting the `expirationTimestamp` in the `TokenRequestStatus` or the `exp` claim in the token itself.
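The following script is an added example, not part of the Gardener documentation or project: it decodes the `exp` claim from a token returned by the TokenRequest API and checks it against the requested `expirationSeconds`, so that a silently capped validity (due to `service-account-max-token-expiration`) is caught. The function names, the tolerance parameter and the constructed sample token are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not Gardener project code): verify a TokenRequest token's
# exp claim against the expirationSeconds that was requested.

# Decode one base64url JWT segment: JWTs use -_ instead of +/ and drop padding.
b64url_decode() {
  seg=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#seg} % 4 )) in
    2) seg="${seg}==" ;;
    3) seg="${seg}=" ;;
  esac
  printf '%s' "$seg" | base64 -d
}

# Print the exp claim (epoch seconds) of a JWT; the payload is the 2nd segment.
jwt_exp() {
  payload=$(printf '%s' "$1" | cut -d. -f2)
  b64url_decode "$payload" | sed -n 's/.*"exp":\([0-9]*\).*/\1/p'
}

# Succeed only if exp is within +/- tolerance seconds of issued_at + requested.
# issued_at: epoch seconds when the request was sent; requested: expirationSeconds.
check_token_expiry() {
  token=$1; issued_at=$2; requested=$3; tolerance=${4:-5}
  exp=$(jwt_exp "$token")
  [ -n "$exp" ] || return 1
  diff=$(( exp - issued_at - requested ))
  [ "$diff" -ge "-$tolerance" ] && [ "$diff" -le "$tolerance" ]
}

# Build a constructed, unsigned sample token with the given exp so the check
# can be exercised offline (a real token from the API server is signed).
make_sample_token() {
  header=$(printf '{"alg":"none"}' | base64 | tr '/+' '_-' | tr -d '=\n')
  payload=$(printf '{"sub":"system:serviceaccount:project-abc:robot-user","exp":%s}' "$1" \
    | base64 | tr '/+' '_-' | tr -d '=\n')
  printf '%s.%s.' "$header" "$payload"
}

# Against a real garden cluster (not run here) the token would come from:
#   issued=$(date +%s)
#   token=$(kubectl create --raw /api/v1/namespaces/project-abc/serviceaccounts/robot-user/token \
#     -f token-request.json | sed -n 's/.*"token":"\([^"]*\)".*/\1/p')
#   check_token_expiry "$token" "$issued" 3600 || echo "token validity was capped"
```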
In order to delete the `ServiceAccount` named "robot-user", run the following `kubectl` command:

```bash
kubectl -n project-abc delete sa robot-user
```

This will invalidate all existing tokens for the "robot-user" `ServiceAccount`.