Open jpbetz opened 1 year ago
/assign
/sig auth
/language en
https://kubernetes.io/docs/concepts/security/service-accounts/ should at least signpost to the right page. We could add a "users and groups" concept page that explains the nebulous way we, uh, don't really define these!
(BTW https://kubernetes.io/docs/concepts/security/service-accounts/ is a first-pass, we only added that concept page very recently and its absence had been noted for a while).
/assign
Hey @jpbetz Are you still working on this? Let us (Sig-Auth) know if you need any help.
Also, K8s RBAC has a specific way of referring SA https://kubernetes.io/docs/reference/access-authn-authz/rbac/#referring-to-subjects
/triage accepted
Is anyone in SIG-Auth interested in picking this up? I've dropped this due to workload and it might be a while before I can circle back.
/unassign
This issue has not been updated in over 1 year, and should be re-triaged.
You can:
/triage accepted (org members only)
/close
For more details on the triage process, see https://www.kubernetes.dev/docs/guide/issue-triage/
/remove-triage accepted
/triage accepted
This is a Feature Request

What would you like to be added
All API "user" fields/flags/headers should also somehow document that service accounts are supported.

Why is this needed
It takes way too long to figure out what is supported by user fields/flags/headers without this documentation. I ended up figuring it out mostly by searching the public web and by trying things out on a cluster.

Comments
How service accounts are identified in:
- SubjectAccessReview API `user` field
- AdmissionReview API's `UserInfo` field
- Impersonate-User header
- kubectl --as
...is under-documented.

In all cases, service accounts can be referenced via
system:serviceaccount:{service account username}:{service account name}

https://kubernetes.io/docs/reference/access-authn-authz/authentication/ is the best documentation I could find. It points out that service accounts authenticate with the username
system:serviceaccount:(NAMESPACE):(SERVICEACCOUNT)
But it took me quite a while to find this, and it still wasn't obvious that user fields all accept
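An added example (my own code, not from this issue or the Kubernetes project) showing the one username form the issue says all the "user" fields accept: it parses `system:serviceaccount:<namespace>:<name>` out of an AdmissionReview's `userInfo`, and builds a SubjectAccessReview for a service account together with the groups its token carries. The sample AdmissionReview is constructed, and the function names are mine.

```python
import re

# Kubernetes formats a service account's username as
# system:serviceaccount:<namespace>:<name>. The same string is accepted by
# SubjectAccessReview spec.user, AdmissionReview request.userInfo.username,
# the Impersonate-User header and kubectl --as.
SA_PREFIX = "system:serviceaccount:"
# Namespace is a DNS label, service account name a DNS subdomain.
_NS_RE = re.compile(r"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$")
_NAME_RE = re.compile(r"^[a-z0-9]([-a-z0-9.]*[a-z0-9])?$")


def parse_service_account_username(username):
    """Return (namespace, name) if username names a service account, else None."""
    if not username.startswith(SA_PREFIX):
        return None
    parts = username[len(SA_PREFIX):].split(":")
    if len(parts) != 2:  # extra or missing ':' is not a valid SA username
        return None
    namespace, name = parts
    if not _NS_RE.match(namespace) or not _NAME_RE.match(name):
        return None
    return namespace, name


def service_account_groups(namespace):
    """Groups a service account token carries alongside its username."""
    return ["system:serviceaccounts", "system:serviceaccounts:" + namespace,
            "system:authenticated"]


def subject_access_review(namespace, name, verb, resource, target_namespace=None):
    """SubjectAccessReview body asking whether the SA may do <verb> on <resource>.
    Equivalent check from a shell:
      kubectl auth can-i <verb> <resource> --as=system:serviceaccount:<ns>:<name>"""
    attrs = {"verb": verb, "resource": resource}
    if target_namespace:
        attrs["namespace"] = target_namespace
    return {"apiVersion": "authorization.k8s.io/v1", "kind": "SubjectAccessReview",
            "spec": {"user": f"{SA_PREFIX}{namespace}:{name}",
                     "groups": service_account_groups(namespace),
                     "resourceAttributes": attrs}}


def is_service_account_request(admission_review):
    """From a decoded AdmissionReview, return the requesting SA as (ns, name) or None."""
    user_info = admission_review.get("request", {}).get("userInfo", {})
    return parse_service_account_username(user_info.get("username", ""))


# Constructed sample: the userInfo an admission webhook sees for a SA caller.
SAMPLE_ADMISSION_REVIEW = {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
                           "request": {"uid": "constructed-uid", "operation": "CREATE",
                                       "userInfo": {"username": "system:serviceaccount:ci:runner",
                                                    "groups": service_account_groups("ci")}}}
```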