Ztyx

Reputation: 14959

What default permissions does the default service account have?

Let's say I set up a fresh Kubernetes cluster. I assume both the kube-system and default namespaces will get a service account named default? Which permissions does that service account have? Full read/write permissions?

I'm essentially asking this to understand best practices to give a custom Go controller write access to resources.

Upvotes: 3

Views: 1605

Answers (1)

Jordan Liggitt

Reputation: 18161

Service accounts have no inherent permissions. The permissions they have depend entirely on the authorization mode configured (--authorization-mode flag passed to the apiserver).

Defining RBAC roles is a good method for specifying the permissions required for a controller.

There are existing role definitions for in-tree controllers at https://github.com/kubernetes/kubernetes/tree/master/plugin/pkg/auth/authorizer/rbac/bootstrappolicy

Upvotes: 4
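
An added example, not part of the answer above and not taken from the Kubernetes source: one way to give a custom controller its own service account with a narrowly scoped RBAC Role instead of relying on the namespace's default account. It assumes the apiserver runs with RBAC among its authorization modes; the names my-controller and my-controller-system, and the choice of resources, are hypothetical.

```yaml
# Added example. Names and resource choices are hypothetical placeholders.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: my-controller
  namespace: my-controller-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: my-controller
  namespace: my-controller-system
rules:
  # Read-only access to the objects the controller watches.
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get", "list", "watch"]
  # Write access only to the objects the controller manages; no delete.
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list", "watch", "create", "update", "patch"]
  # Allow the controller to record events about its work.
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: my-controller
  namespace: my-controller-system
subjects:
  # Bind to the dedicated account, not to the namespace's "default" account.
  - kind: ServiceAccount
    name: my-controller
    namespace: my-controller-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: my-controller
```

The controller's pod spec would set serviceAccountName: my-controller so it runs under this account. Running kubectl auth can-i delete deployments -n my-controller-system --as=system:serviceaccount:my-controller-system:my-controller should then answer no, confirming the account holds only what the Role lists.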
