Auto-Create ServiceAccounts on Onboarding API / MCP #235

@GenosseOtt

Description

We allow users to set ServiceAccounts in the Project/WS/MCP members table.

User Story

@GenosseOtt

Acceptance Criteria

  • Members table indicates if ServiceAccount exists (red: no, gray: unknown/loading, green: yes)
  • User finds related enablement docs easily
  • If the user does not have sufficient permission to read or create service accounts, this should be handled correctly (showing a meaningful message but not blocking the overall creation)

For Project/Workspace

  • User can create ServiceAccount in Project/Workspace, or select existing ones

For MCP

  • User can create ServiceAccount in MCP, or select existing ones

Tech Advice

Service accounts can be created at project, workspace or MCP level with the kubectl command

    kubectl create serviceaccount <Name> -n <Namespace>

For project and workspace, the namespace is the corresponding namespace of the project or workspace.
In MCP it can be any namespace; default can be chosen as a reasonable default.

To list or get a service account, the kubectl command

    kubectl get serviceaccount [name] -n <NAMESPACE>

can be used (-A for all namespaces; not necessary for project/workspace since we only want one namespace there).

The implementation must handle the case that the user has no permission to read or create service accounts.

A service account is then given permissions similar to users in the same list, with the same possible roles.

In Project and Workspace spec.members:

    - kind: ServiceAccount
      name: <ServiceAccountName>
      namespace: <ServiceAccountNamespace>
      roles:
        - view #(same as users)

In MCP spec.authorization.roleBindings.[ROLE].subjects:

      - kind: ServiceAccount
        name: <ServiceAccountName>
        namespace: <ServiceAccountNamespace>

Network Requests

As always, adding -v=10 shows the network requests.

Network request to list service accounts in all namespaces (limit optional but reasonable):

    GET /api/v1/serviceaccounts?limit=500

Network request to get information of one service account:

    GET /api/v1/namespaces/<NAMESPACE>/serviceaccounts/<NAME>

Network request to create service account:

    POST /api/v1/namespaces/<NAMESPACE>/serviceaccounts

Body: the corresponding service account definition

Service Account Documentation: https://kubernetes.io/docs/reference/kubernetes-api/authentication-resources/service-account-v1/
Service Account Definition: https://kubernetes.io/docs/concepts/security/service-accounts/
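
One way to map the API responses above onto the red/gray/green indicator and the "do not block creation" requirement, as an added example that is not part of the issue or the project's code. The function names and the injected `request(method, path, body)` helper (resolving to an HTTP status) are assumptions.

```javascript
// Added example, not project code. Function names and the injected
// `request(method, path, body)` helper (resolves to an HTTP status) are
// assumptions; the API paths are the ones listed in the issue.

// Build the API path; encoding keeps user-typed names from altering the path.
function serviceAccountPath(namespace, name) {
  const base = `/api/v1/namespaces/${encodeURIComponent(namespace)}/serviceaccounts`;
  return name ? `${base}/${encodeURIComponent(name)}` : base;
}

// Status of GET .../serviceaccounts/<NAME> -> members-table indicator.
function indicatorFor(status) {
  if (status === 200) return { state: 'exists', color: 'green' };
  if (status === 404) return { state: 'missing', color: 'red' };
  // 401/403 (no read permission), 5xx or network error: existence is unknown.
  return { state: 'unknown', color: 'gray' };
}

// Status of POST .../serviceaccounts -> result; failures become messages.
function createOutcome(status) {
  if (status === 201) return { created: true, message: null };
  if (status === 409) return { created: false, message: null }; // created meanwhile
  if (status === 401 || status === 403) {
    return { created: false, message: 'No permission to create service accounts.' };
  }
  return { created: false, message: `Creating the service account failed (HTTP ${status}).` };
}

// Check, create if missing, and always resolve so onboarding is never blocked.
async function ensureServiceAccount(request, namespace, name) {
  const safe = async (...args) => {
    try { return await request(...args); } catch { return 0; } // 0 = network error
  };
  const found = indicatorFor(await safe('GET', serviceAccountPath(namespace, name)));
  if (found.state === 'exists') return { ...found, message: null };
  if (found.state === 'unknown') {
    return { ...found, message: 'Could not check whether the service account exists.' };
  }
  const manifest = { apiVersion: 'v1', kind: 'ServiceAccount', metadata: { name, namespace } };
  const outcome = createOutcome(await safe('POST', serviceAccountPath(namespace), manifest));
  if (outcome.created || outcome.message === null) {
    return { state: 'exists', color: 'green', message: null };
  }
  return { ...found, message: outcome.message }; // still red, with an explanation
}
```

A 403 on the GET is reported as gray rather than red because the API server rejects unauthorized reads without revealing whether the object exists.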

Metadata

Labels

area/mcp-ui: All ManagedControlPlane UI related issues
