1. Home
  2. Docker Enterprise products
  3. Universal Control Plane overview
  4. Deploy apps with Kubernetes
  5. Creating a service account for a Kubernetes app

Creating a service account for a Kubernetes app

Creating a service account for a Kubernetes app

Kubernetes enables access control for workloads by providing service accounts. A service account represents an identity for processes that run in a pod. When a process is authenticated through a service account, it can contact the API server and access cluster resources. If a pod doesn’t have an assigned service account, it gets the default service account.

In Docker Enterprise, you give a service account access to cluster resources by creating a grant, the same way that you would give access to a user or a team.

In this example, you will create a service account and a grant that could be used for an NGINX server.

Create the Kubernetes namespace

A Kubernetes user account is global, but a service account is scoped to a namespace, so you need to create a namespace before you create a service account.

  1. Navigate to the Namespaces page and click Create.

  2. In the Object YAML editor, append the following text.

    metadata:
  name: nginx

  3. Click Create.

  4. In the nginx namespace, click the More options icon, and in the context menu, select Set Context, and click Confirm.

    ../../_images/create-service-account-1.png

  5. Click the Set context for all namespaces toggle and click Confirm.

Create a service account

Create a service account named nginx-service-account in the nginx namespace.

  1. Navigate to the Service Accounts page and click Create.

  2. In the Namespace dropdown, select nginx.

  3. In the Object YAML editor, paste the following text.

    yaml  apiVersion: v1  kind: ServiceAccount metadata:  name:
nginx-service-account

  4. Click Create.

    ../../_images/create-service-account-2.png

Create a grant

To give the service account access to cluster resources, create a grant with Restricted Control permissions.

  1. Navigate to the Grants page and click Create Grant.

  2. In the left pane, click Resource Sets, and in the Type section, click Namespaces.

  3. Select the nginx namespace.

  4. In the left pane, click Roles. In the Role dropdown, select Restricted Control.

  5. In the left pane, click Subjects, and select Service Account.

    Important

    The Service Account option in the Subject Type section appears only when a Kubernetes namespace is present.

  6. In the Namespace dropdown, select nginx, and in the Service Account dropdown, select nginx-service-account.

  7. Click Create.

    ../../_images/create-service-account-3.png

Now nginx-service-account has access to all cluster resources that are assigned to the nginx namespace.

updated: 2023-07-26 11:20