-
Notifications
You must be signed in to change notification settings - Fork 14.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Reword Service Accounts docs #14681
Reword Service Accounts docs #14681
Conversation
Deploy preview for kubernetes-io-master-staging ready! Built with commit 1024e1e https://deploy-preview-14681--kubernetes-io-master-staging.netlify.com |
- Typically, a cluster's User accounts might be synced from a corporate | ||
database, where new user account creation requires special privileges and | ||
{{< glossary_tooltip text="namespaces" term_id="namespace" >}} of a cluster. | ||
Service accounts *are* namespaced; [human] user identities are not namespaced. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
maybe we should avoid mixing 'user accounts' and 'user identities'.
@@ -10,99 +10,107 @@ weight: 50 | |||
--- | |||
|
|||
{{% capture overview %}} | |||
This is a Cluster Administrator guide to service accounts. It assumes knowledge of | |||
This is a Cluster Operator guide to service accounts. It assumes knowledge of |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I believe most of the contents in this page are for "administrators' rather than average users.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've borrowed this wording from https://kubernetes.io/docs/reference/glossary/?all=true#term-cluster-operator
Maybe it doesn't make sense to have two separate documents explicitly aimed at people with different experience levels. Rather, we could have a detailed Reference-section guide and also a simpler Task guide.
Something for a future PR? I want to keep this one focused.
content/en/docs/reference/access-authn-authz/service-accounts-admin.md
Outdated
Show resolved
Hide resolved
content/en/docs/reference/access-authn-authz/service-accounts-admin.md
Outdated
Show resolved
Hide resolved
content/en/docs/reference/access-authn-authz/service-accounts-admin.md
Outdated
Show resolved
Hide resolved
content/en/docs/reference/access-authn-authz/service-accounts-admin.md
Outdated
Show resolved
Hide resolved
content/en/docs/reference/access-authn-authz/service-accounts-admin.md
Outdated
Show resolved
Hide resolved
content/en/docs/tasks/configure-pod-container/configure-service-account.md
Outdated
Show resolved
Hide resolved
4e17983
to
37ed864
Compare
content/en/docs/tasks/configure-pod-container/configure-service-account.md
Outdated
Show resolved
Hide resolved
content/en/docs/tasks/configure-pod-container/configure-service-account.md
Outdated
Show resolved
Hide resolved
@@ -9,7 +9,7 @@ weight: 90 | |||
--- | |||
|
|||
{{% capture overview %}} | |||
A service account provides an identity for processes that run in a Pod. | |||
A _service account_ provides an identity for processes that run in a Pod. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Service account vs service account?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think “service account” is fine for English grammar. The Kubernetes resource is ServiceAccount, which gets introduced below.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do you need italics, above and below? Check the style guide.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Tweaked
## Use the Default Service Account to access the API server. | ||
## Use the default Service Account to access the API server | ||
|
||
Each namespace has a default ServiceAccount, named `default`. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ServiceAccount
is the resource?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yep.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
OK. Check the heading.
5c5e7e3
to
4f4805a
Compare
4f4805a
to
22a526d
Compare
I'd left “user account” in a heading. Fixed. |
@@ -70,15 +76,17 @@ spec: | |||
... | |||
``` | |||
|
|||
The pod spec takes precedence over the service account if both specify a `automountServiceAccountToken` value. | |||
If both the ServiceAccount and the pod spec specify a value for | |||
`automountServiceAccountToken`, the pod spec takes precedence. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
PodSpec is the object
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
From a cluster operator's point of view, Pods have specifications. Pods are Kubernetes objects.
Maybe “the Pod's specification” or “the Pod's .spec
”?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
OK
content/en/docs/tasks/configure-pod-container/configure-service-account.md
Show resolved
Hide resolved
between the concept of a user and a service account for a number of reasons: | ||
|
||
- Users represent humans. Service accounts are for processes, which | ||
run in {{< glossary_tooltip text="pods" term_id="pod" >}}. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
- I'm not sure this change helps clarify a user account vs. service account.
- are italics needed?
/lgtm |
22a526d
to
d67e7d4
Compare
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
0d1ff97
to
9668687
Compare
@sftim 👋 Just checking in. Do you have what you need to continue? |
Hi @zacharysarah |
9668687
to
66e78d6
Compare
Revised |
/lgtm |
content_template: templates/task | ||
weight: 90 | ||
--- | ||
|
||
{{% capture overview %}} | ||
A service account provides an identity for processes that run in a Pod. | ||
Kubernetes recognises two distinct ways for clients outside the |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
hello @sftim . I read through the page. There are a few minor nits that could be addressed before merging.
line 12: recognizes 😄
line 19: spelling yoy
, recognizes
line 40: capitalize namespace or not?
line 61: the kubelet
? enclose in backticks or not?
line 95: possible edit: You can list all ServiceAccount resources in your current namespace with:
line 120: possible edit: You can get a YAML output of ...
line 314: fix the link with forward slash before docs, projected volume type called
66e78d6
to
82b4734
Compare
New changes are detected. LGTM label has been removed. |
82b4734
to
1024e1e
Compare
Thanks for the feedback @kbhawkey |
@sftim , I read through the |
I think what I'll do is close this PR, keep the branch around, and try to get these changes in once there are other Controller-related PRs already merged. |
Reword: