-
The examples, e.g. https://azure.github.io/azure-workload-identity/docs/quick-start.html#5-create-a-kubernetes-service-account, all use 'default' as the namespace for the created service account and also for the quick-start pod.
What are the rules here? If I have the same application deployed 4 different times in the cluster for 4 different clients in namespaces client1, client2, client3 etc., do I need to create the service account 4 times, in each of those namespaces? Even if they link to the same Azure Managed Identity (because ultimately they all need access to the same Azure key vaults, storage etc.)? I think the answer is yes, but I wanted to check before I do the work in automating the account creation for every namespace.
Ideally I'd like the pod spec:
spec:
  serviceAccountName: ${SERVICE_ACCOUNT_NAME}
to be able to find the service account in a single namespace, e.g. the example's default. I'm also assuming that the serviceAccountName is something that's picked up by the Azure Identity SDK somehow?

Replies: 1 comment
-
@pdonovan Kubernetes service accounts are namespaced (xref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/). If you have the same client in different namespaces, they can only reference the service account in that namespace.
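The per-namespace pattern the reply implies, as an added example that is not part of the discussion or of the azure-workload-identity project: one ServiceAccount per client namespace, all annotated with the same managed identity client ID. The script also prints the OIDC subject Azure matches when the pod's projected token is exchanged; that subject is of the form system:serviceaccount:NAMESPACE:NAME, so the managed identity needs one federated identity credential per namespace even though the client ID is shared. The client ID, tenant ID, service account name, namespace list and the IDENTITY_NAME / RESOURCE_GROUP / AKS_OIDC_ISSUER variables are placeholders assumed here; nothing is applied unless APPLY=1 is set and kubectl and az are on PATH.

```shell
#!/usr/bin/env sh
# Added example, not code from the discussion or the project.
# Renders one ServiceAccount manifest per namespace, all pointing at the same
# managed identity, and prints the federated-credential subject per namespace.

CLIENT_ID="${CLIENT_ID:-00000000-0000-0000-0000-000000000000}"   # placeholder client ID
TENANT_ID="${TENANT_ID:-11111111-1111-1111-1111-111111111111}"   # placeholder tenant ID
SA_NAME="${SA_NAME:-workload-identity-sa}"                       # assumed SA name
NAMESPACES="${NAMESPACES:-client1 client2 client3 client4}"      # constructed list

# Emit the ServiceAccount manifest for one namespace. The name can be reused,
# but each object is distinct because ServiceAccounts are namespaced.
render_sa_manifest() {
  ns="$1"
  cat <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ${SA_NAME}
  namespace: ${ns}
  annotations:
    azure.workload.identity/client-id: ${CLIENT_ID}
    azure.workload.identity/tenant-id: ${TENANT_ID}
EOF
}

# The subject claim of the projected token embeds the namespace, so Azure needs
# a separate federated credential for every namespace that uses the identity.
federated_subject() {
  printf 'system:serviceaccount:%s:%s\n' "$1" "${SA_NAME}"
}

# Number of ServiceAccount objects this plan creates (one per namespace).
count_service_accounts() {
  set -- $NAMESPACES
  echo "$#"
}

for ns in $NAMESPACES; do
  manifest="$(render_sa_manifest "$ns")"
  subject="$(federated_subject "$ns")"
  echo "# namespace ${ns}: ServiceAccount ${SA_NAME}, federated subject ${subject}"
  if [ "${APPLY:-0}" = "1" ]; then
    printf '%s\n' "$manifest" | kubectl apply -f -
    az identity federated-credential create \
      --name "fic-${ns}-${SA_NAME}" \
      --identity-name "${IDENTITY_NAME:?set IDENTITY_NAME}" \
      --resource-group "${RESOURCE_GROUP:?set RESOURCE_GROUP}" \
      --issuer "${AKS_OIDC_ISSUER:?set AKS_OIDC_ISSUER}" \
      --subject "${subject}" \
      --audience api://AzureADTokenExchange
  else
    printf '%s\n---\n' "$manifest"   # dry run: print the manifest instead
  fi
done
```

Run without APPLY to review the rendered manifests and subjects; set APPLY=1 together with IDENTITY_NAME, RESOURCE_GROUP and AKS_OIDC_ISSUER to apply them. On the pod side, the serviceAccountName is not read by the SDK directly: the workload identity mutating webhook injects the projected token file and the AZURE_CLIENT_ID, AZURE_TENANT_ID and AZURE_FEDERATED_TOKEN_FILE environment variables into pods labelled azure.workload.identity/use: "true", and those are what the Azure Identity SDK picks up.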