FairwindsOps / rbac-manager

A Kubernetes operator that simplifies the management of Role Bindings and Service Accounts.
https://fairwinds.com
Apache License 2.0

How are you handling secrets for service accounts? #437

Closed mikkeschiren closed 8 months ago

mikkeschiren commented 9 months ago

I create a service account with:

apiVersion: rbacmanager.reactiveops.io/v1beta1
kind: RBACDefinition
metadata:
  name: dev1-users
rbacBindings:
  - name: my-sa
    subjects:
      - kind: ServiceAccount
        name: my-sa
        namespace: default
    roleBindings:
      - clusterRole: edit
        namespace: my-ns

Everything creates as it should, but to get a secret to the service account, I need to create it manually, and then edit the serviceaccount to add the secret to it. Is there a built-in way to do this?

eryalito commented 9 months ago

I don't know any way to do this. I think that just ImagePullSecrets are supported for SAs.

Anyways, if it was possible to define it you'd still have to create the secret manually. You can skip the SA editing part though, just add the SA annotation to the secret. [1]

This example should do for you (beware it will not add the secret name on the secrets section of the sa):

---
apiVersion: v1
kind: Secret
metadata:
  annotations:
    kubernetes.io/service-account.name: my-sa
  name: my-sa-token
  namespace: default
type: kubernetes.io/service-account-token

Doing that, it will automatically create the secret and populate the data with token, cert and namespace.

[1] https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#manually-create-a-long-lived-api-token-for-a-serviceaccount
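Once the token controller has populated a Secret like the one above, a practitioner will want to confirm that the token it holds really belongs to the annotated ServiceAccount and to record that it is a long-lived token (no expiry). The following is an added example, not code from this thread or from rbac-manager; the Secret and JWT are constructed stand-ins shaped like what `kubectl get secret my-sa-token -o json` returns, and the signature is not verified (inspection only).

```python
import base64
import json

def _b64url(obj):
    """base64url-encode a JSON object as a JWT segment (no padding)."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed sample: the JWT the token controller would write into the Secret from
# the comment above (legacy claim layout; the signature is a placeholder, not verified).
SAMPLE_TOKEN = ".".join([
    _b64url({"alg": "RS256", "kid": "constructed"}),
    _b64url({
        "iss": "kubernetes/serviceaccount",
        "kubernetes.io/serviceaccount/namespace": "default",
        "kubernetes.io/serviceaccount/service-account.name": "my-sa",
        "sub": "system:serviceaccount:default:my-sa",
    }),
    "c2lnbmF0dXJl",
])

# Constructed: the populated Secret as `kubectl get secret my-sa-token -o json` returns it.
SAMPLE_SECRET = {
    "metadata": {"name": "my-sa-token", "namespace": "default",
                 "annotations": {"kubernetes.io/service-account.name": "my-sa"}},
    "type": "kubernetes.io/service-account-token",
    "data": {"token": base64.b64encode(SAMPLE_TOKEN.encode()).decode()},
}

def jwt_claims(token):
    """Decode a JWT payload without verifying the signature (inspection only)."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def check_token_secret(secret):
    """Return findings for a service-account-token Secret; an empty list means clean."""
    findings = []
    if secret.get("type") != "kubernetes.io/service-account-token":
        findings.append("unexpected Secret type")
    data = secret.get("data") or {}
    if "token" not in data:
        return findings + ["token not populated yet"]  # controller has not filled it in
    claims = jwt_claims(base64.b64decode(data["token"]).decode())
    wanted_sa = secret["metadata"].get("annotations", {}).get("kubernetes.io/service-account.name")
    if claims.get("kubernetes.io/serviceaccount/service-account.name") != wanted_sa:
        findings.append("token bound to a different ServiceAccount")
    if claims.get("kubernetes.io/serviceaccount/namespace") != secret["metadata"]["namespace"]:
        findings.append("token namespace differs from Secret namespace")
    if "exp" not in claims:
        findings.append("long-lived token (no exp claim); inventory and rotate it")
    return findings
```

On a real cluster, feed `check_token_secret` the output of `kubectl get secret my-sa-token -n default -o json` parsed with `json.loads`; an empty `data` means the controller has not acted yet.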