Andy Smith

Reputation: 3345

Only enable ServiceAccounts for some pods in Kubernetes

I use the Kubernetes ServiceAccount plugin to automatically inject a ca.crt and token into my pods. This is useful for applications such as kube2sky which need to access the API Server.

However, I run many hundreds of other pods that don't need this token. Is there a way to stop the ServiceAccount plugin from injecting the default-token into these pods (or, even better, have it off by default and turn it on explicitly for a pod)?

Upvotes: 0

Views: 910

Answers (2)

Hans Kristian

Reputation: 1806

As of Kubernetes 1.6+ you can now disable automounting API credentials for a particular pod, as stated in the Kubernetes Service Accounts documentation:

apiVersion: v1
kind: Pod
metadata:
  name: my-pod
spec:
  serviceAccountName: build-robot
  automountServiceAccountToken: false
  ...

Upvotes: 2
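An added example, not part of the answer above: a small audit that reports which pods would still get a token mounted. It assumes the rule from the Kubernetes Service Accounts documentation that `automountServiceAccountToken` can also be set on a ServiceAccount and that the pod-level value takes precedence; setting it to false on the `default` ServiceAccount and to true on individual pods gives the off-by-default behaviour the question asks about. The objects are constructed sample data shaped like `kubectl get serviceaccounts,pods -o json` output.

```python
import json

# Constructed sample, shaped like `kubectl get serviceaccounts,pods -o json` output.
SAMPLE = json.loads("""
{"items": [
 {"kind": "ServiceAccount", "metadata": {"name": "default", "namespace": "apps"},
  "automountServiceAccountToken": false},
 {"kind": "ServiceAccount", "metadata": {"name": "build-robot", "namespace": "apps"}},
 {"kind": "Pod", "metadata": {"name": "web-1", "namespace": "apps"}, "spec": {}},
 {"kind": "Pod", "metadata": {"name": "kube2sky", "namespace": "apps"},
  "spec": {"automountServiceAccountToken": true}},
 {"kind": "Pod", "metadata": {"name": "my-pod", "namespace": "apps"},
  "spec": {"serviceAccountName": "build-robot", "automountServiceAccountToken": false}},
 {"kind": "Pod", "metadata": {"name": "ci-runner", "namespace": "apps"},
  "spec": {"serviceAccountName": "build-robot"}}
]}
""")


def effective_automount(pod, service_accounts):
    """Pod spec wins; otherwise the ServiceAccount's setting; otherwise true."""
    spec = pod.get("spec", {})
    if "automountServiceAccountToken" in spec:
        return bool(spec["automountServiceAccountToken"]), "pod"
    key = (pod["metadata"].get("namespace", "default"),
           spec.get("serviceAccountName", "default"))
    sa = service_accounts.get(key, {})
    if "automountServiceAccountToken" in sa:
        return bool(sa["automountServiceAccountToken"]), "serviceaccount"
    return True, "default"


def audit(objects):
    """Return (namespace, pod, mounts_token, decided_by) for every pod."""
    items = objects["items"]
    sas = {(o["metadata"].get("namespace", "default"), o["metadata"]["name"]): o
           for o in items if o["kind"] == "ServiceAccount"}
    rows = []
    for o in items:
        if o["kind"] == "Pod":
            mounted, source = effective_automount(o, sas)
            meta = o["metadata"]
            rows.append((meta.get("namespace", "default"), meta["name"], mounted, source))
    return rows


if __name__ == "__main__":
    for ns, name, mounted, source in audit(SAMPLE):
        print(f"{ns}/{name}: token {'MOUNTED' if mounted else 'not mounted'} (set by {source})")
```

Pods reported with `default` as the deciding source are the ones nobody has made an explicit choice for.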

Robert Bailey

Reputation: 18200

Right now there isn't a way to enable a service account for some pods but not others, although you can use ABAC for some service accounts to restrict access to the apiserver.

This issue is being discussed in https://github.com/kubernetes/kubernetes/issues/16779 and I'd encourage you to add your use case to that issue and see when it will be implemented.

Upvotes: 1
