Reputation: 79
Why `ServiceAccount` exists, but there is no such entity for the regular human user?
When managing entities semantically connected with Kubernetes, it makes sense to let Kubernetes manage them. Kubernetes manages ServiceAccount as a resource kind, but does not have similar kinds for human users or groups.
I'm wondering what is the design decision behind this. I know that ServiceAccount gets a token generated on creation that is used for further access, and for accessing a cluster as a human user, you need a config file with a public key signed with Kubernetes's CA.
It seems inconsistent, why not create similar resource kinds, say, HumanAccount or Account and supply a public key on creation (public key is kind of safe to store even in plain test in a yaml manifest), so that Kubernetes signs it and from that point on, accepts connections from the user?
I know that Certificate Signing Requests need to be approved by the administrator. Maybe that is the reason?
Any hints or insights appreciated!
Upvotes: 0
Views: 97
Answers (1)
Reputation: 33203
There actually are User entities in RBAC, but kubernetes delegates the instantiation of those to either the CN field of mTLS authentication, or the sub claim of OIDC, or in a very customized situation one can provide that via HTTP headers
Upvotes: 1
Related Questions
- Kubernetes namespace default service account
- What is the purpose of the service account referenced by a Pod?
- How to configure a non-default serviceAccount on a deployment
- Default ServiceAccount k8s
- Why new created ServiceAccount has 0 secrets
- What am I missing in this kubernetes RBAC setup?
- Kubernetes system:serviceaccount can't access service
- Why don't I have a default serviceAccount on kubernetes?
- Create ServiceAccounts for access to the Kubernetes Deployments
- What's the purpose of Kubernetes ServiceAccount