Feralus

Reputation: 167

Use Service-Account or User-Account for Kubernetes deployment?

I'm new to Kubernetes and playing around with Kubernetes RBAC. I want to restrict access to my cluster for different users. As I understood it, Service-Accounts are meant for intra-cluster processes running inside pods, which want to authenticate against the API.

So should I use User-Accounts for Buildservers and access from outside the cluster via a kubeconfig-file? Or what are the best practices in this case?

Is it bad to use Service-Accounts to access the cluster remotely?

Upvotes: 1

Views: 1084

Answers (2)

David Maze

Reputation: 159091

You should use Kubernetes' ordinary user authentication system for authenticating automation agents that run outside the cluster. Service accounts are only usable by pods running inside the cluster (unless you go very far out of your way to "borrow" a service account token). You can do things like set up a RoleBinding to give special permission to create and delete Kubernetes objects to your CD system's user.

Upvotes: 1
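
A namespaced Role and RoleBinding of the kind the answer above describes, as an added example that is not part of the original answer. The namespace `apps`, the user name `cd-deployer`, and the object names are assumptions chosen for illustration.

```yaml
# Added example. All names (namespace "apps", user "cd-deployer",
# role "deployer", binding "cd-deployer-binding") are assumed.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: apps
  name: deployer
rules:
  # Grant only what a deployment pipeline needs, and only in this namespace.
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: [""]
    resources: ["services", "configmaps"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: apps
  name: cd-deployer-binding
subjects:
  # kind: User refers to a name reported by the cluster's authenticator
  # (for example a client certificate's common name); no User object exists.
  - kind: User
    name: cd-deployer
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: deployer
  apiGroup: rbac.authorization.k8s.io
```

Running `kubectl auth can-i create deployments --as cd-deployer -n apps` and the same check against another namespace confirms the binding grants what is intended and nothing wider.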

P Ekambaram

Reputation: 17631

Kubernetes doesn't have a user object. I recommend using a service account for deployments.

Upvotes: 1
