Create a service account for a Kubernetes app

Kubernetes uses service accounts to control what workloads are allowed to do. A service account is an identity for the processes that run in a Pod: a process that authenticates to the API server with its service account token can use whichever cluster resources its role bindings grant it, and nothing else. Every namespace has a service account named default, which Pods use when they do not specify one.

You provide a service account with access to cluster resources by creating a role binding, just as you do for users and teams.

This example illustrates how to create a service account and role binding used with an NGINX server.


To create a Kubernetes namespace:

You must first create a namespace to hold your service account because, unlike user accounts, service accounts are namespaced objects that exist only within a particular namespace.

  1. Log in to the MKE web UI.

  2. In the left-side navigation panel, navigate to Kubernetes > Namespaces and click Create.

  3. Leave the Namespace drop-down blank.

  4. Paste the following in the Object YAML editor:

    apiVersion: v1
    kind: Namespace
    metadata:
      name: nginx
    
  5. Click Create.

  6. Navigate to the nginx namespace.

  7. Click the vertical ellipsis in the upper-right corner and click Set Context.


To create a service account:

  1. In the left-side navigation panel, navigate to Kubernetes > Service Accounts and click Create.

  2. In the Namespace drop-down, select nginx.

  3. Paste the following in the Object YAML editor:

    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: nginx-service-account
    
  4. Click Create.

There are now two service accounts associated with the nginx namespace: default and nginx-service-account.


To create a role binding:

To give the service account read-only access to the resources in its namespace, create a role binding to the built-in view cluster role.

  1. From the left-side navigation panel, navigate to Access Control > Grants.

    Note

    If Hide Swarm Navigation is selected on the <username> > Admin Settings > Tuning page, Grants will display as Role Bindings under the Access Control menu item.

  2. In the Grants pane, select the Kubernetes tab and click Create Role Binding.

  3. In the Subject pane, under SELECT SUBJECT TYPE, select Service Account.

  4. In the Namespace drop-down, select nginx.

  5. In the Service Account drop-down, select nginx-service-account and then click Next.

  6. In the Resource Set pane, select the nginx namespace.

  7. In the Role pane, under ROLE TYPE, select Cluster Role and then select view.

  8. Click Create.

The NGINX service account now has read-only access to most resources in the nginx namespace, and no access in any other namespace. Because the cluster role is bound through a role binding in the nginx namespace rather than through a cluster role binding, its permissions stop at that namespace boundary. Note that the built-in view cluster role deliberately excludes Secrets, so the service account cannot read them; grant that separately, and only if the workload needs it.
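The same three objects, followed by a check of what the service account can actually do, as an added example that is not part of the MKE documentation. It uses kubectl (for example from an MKE client bundle) instead of the web UI, and the namespace and service account names match the procedure above; the role binding name nginx-service-account-view, the helper function names and the apply argument are assumptions of this example.

```shell
#!/bin/sh
# Added example, not MKE documentation code. Assumes kubectl is configured
# against the cluster with rights to create namespaces and role bindings.
set -eu

NAMESPACE="${NAMESPACE:-nginx}"
SA_NAME="${SA_NAME:-nginx-service-account}"

# Render the three objects the UI procedure creates: the Namespace, the
# ServiceAccount, and a RoleBinding in that namespace that references the
# built-in 'view' ClusterRole. Binding a ClusterRole through a namespaced
# RoleBinding confines its permissions to that namespace; a ClusterRoleBinding
# would grant them cluster-wide. The binding name is an assumption.
render_manifests() {
  ns="$1"; sa="$2"
  cat <<EOF
apiVersion: v1
kind: Namespace
metadata:
  name: ${ns}
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ${sa}
  namespace: ${ns}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ${sa}-view
  namespace: ${ns}
subjects:
- kind: ServiceAccount
  name: ${sa}
  namespace: ${ns}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: view
EOF
}

# The principal name the API server sees when a service account token is
# presented; this is also what --as expects when impersonating the account.
sa_principal() {
  printf 'system:serviceaccount:%s:%s\n' "$1" "$2"
}

# kubectl auth can-i prints yes/no and exits 1 on "no", so the "|| true"
# keeps the script going under set -e and lets every check print its answer.
can_i() {
  verb="$1"; resource="$2"; ns="$3"; principal="$4"
  printf '%s %s in %s: ' "$verb" "$resource" "$ns"
  kubectl auth can-i "$verb" "$resource" -n "$ns" --as="$principal" || true
}

# Apply the manifests, then verify the effective permissions from the API
# server's point of view rather than trusting the binding by inspection.
apply_and_verify() {
  render_manifests "$NAMESPACE" "$SA_NAME" | kubectl apply -f -
  principal="$(sa_principal "$NAMESPACE" "$SA_NAME")"
  can_i get    pods    "$NAMESPACE" "$principal"   # expected: yes (view is read-only)
  can_i delete pods    "$NAMESPACE" "$principal"   # expected: no  (view grants no writes)
  can_i get    secrets "$NAMESPACE" "$principal"   # expected: no  (view excludes Secrets)
  can_i get    pods    default      "$principal"   # expected: no  (RoleBinding is namespaced)
}

# Only touch the cluster when explicitly asked: ./sa-example.sh apply
if [ "${1:-}" = "apply" ]; then
  apply_and_verify
fi
```

Run the script with the apply argument after loading a client bundle. If the last three checks answer anything other than no, the binding is broader than intended, most often because a ClusterRoleBinding was created instead of a RoleBinding, or because a second binding for the same service account already exists.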