This repository has been archived by the owner on Mar 16, 2024. It is now read-only.

Support different SA for different Acorn containers #813

Closed
rhalat opened this issue Oct 25, 2022 · 4 comments

rhalat commented Oct 25, 2022

Hi,
the request is to implement a feature that allows users to use different Service Accounts for different containers (deployments) specified in the Acornfile. Let's say that we have a stack of applications and only one of them needs more permissions in the cluster, such as creating/deleting pods. The current approach with the single SA will add these permissions to all applications. It would be nice to be able to either create many SAs in the Acornfile and link them to containers, or just point in the container definition to an SA that already exists in the namespace.

@cjellick cjellick added the kind/enhancement New feature or request label Oct 31, 2022
@cjellick
Member

@ibuildthecloud and I had a brief discussion about this. Acorn creating an SA per container makes sense. We'll add it. We probably won't allow containers to point at pre-existing SAs at this time.

@cjellick cjellick added this to the Backlog milestone Oct 31, 2022
@cjellick cjellick modified the milestones: Backlog, v0.4.0, v.Next Nov 2, 2022
@cjellick
Member

cjellick commented Nov 2, 2022

So @tylerslaton - the implementation idea here is pretty simple: right now every container in an acorn gets the "acorn" service account. We want to change this such that each container (and underlying deployment) gets a unique service account (with a predictable name based on the container name).

@tylerslaton
Contributor

Nice, I'll get on this now.

tylerslaton added a commit to tylerslaton/runtime that referenced this issue Nov 4, 2022
Signed-off-by: tylerslaton <mtslaton1@gmail.com>
tylerslaton added a commit to tylerslaton/runtime that referenced this issue Nov 4, 2022
Containers that are deployed with an application will now
each get their own unique Service Account in the namespace
that they deploy to.

Signed-off-by: tylerslaton <mtslaton1@gmail.com>
@cjellick cjellick modified the milestones: v.Next, v0.4.0 Nov 16, 2022
tylerslaton added a commit to tylerslaton/runtime that referenced this issue Nov 17, 2022
Containers that are deployed with an application will now
each get their own unique Service Account in the namespace
that they deploy to.

Signed-off-by: tylerslaton <mtslaton1@gmail.com>
tylerslaton added a commit to tylerslaton/runtime that referenced this issue Nov 17, 2022
…service. (acorn-io#813)

With this commit every router, job, and container will receive their own unique ServiceAccount. Then,
we will check the appInstance.Spec.Permissions for any permissions defined for a job/container and
create relevant Roles/Bindings for them.

Signed-off-by: tylerslaton <mtslaton1@gmail.com>
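
The effect of this change on least privilege, as an added Go example that is not part of the commit or of Acorn's code base. The `Rule` and `Binding` types, the function names, the sample app, and the choice to name each ServiceAccount after its service are assumptions for illustration; only the shared "acorn" account name comes from the thread.

```go
package main

import "fmt"

// Rule is a simplified RBAC rule; these types are illustrative, not Acorn's API.
type Rule struct{ Verb, Resource string }

// Binding is one ServiceAccount plus the rules its Role grants (none = no Role).
type Binding struct {
	ServiceAccount string
	Rules          []Rule
}

// Shared models the old behaviour: a single "acorn" ServiceAccount used by every
// container, so it carries the union of all requested permissions.
func Shared(services []string, perms map[string][]Rule) []Binding {
	b := Binding{ServiceAccount: "acorn"}
	for _, svc := range services {
		b.Rules = append(b.Rules, perms[svc]...)
	}
	return []Binding{b}
}

// PerService models the new behaviour: one ServiceAccount per service, named
// after the service (assumed naming), bound only to that service's own rules.
func PerService(services []string, perms map[string][]Rule) []Binding {
	var out []Binding
	for _, svc := range services {
		out = append(out, Binding{ServiceAccount: svc, Rules: perms[svc]})
	}
	return out
}

// Allowed reports whether ServiceAccount sa is granted verb on resource.
func Allowed(bs []Binding, sa, verb, resource string) bool {
	for _, b := range bs {
		for _, r := range b.Rules {
			if b.ServiceAccount == sa && r.Verb == verb && r.Resource == resource {
				return true
			}
		}
	}
	return false
}

func main() {
	svcs := []string{"web", "operator"} // constructed sample app
	perms := map[string][]Rule{"operator": {{"create", "pods"}, {"delete", "pods"}}}
	fmt.Println("shared SA, web may delete pods:", Allowed(Shared(svcs, perms), "acorn", "delete", "pods"))
	fmt.Println("per-service SA, web may delete pods:", Allowed(PerService(svcs, perms), "web", "delete", "pods"))
}
```
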
cjellick added a commit that referenced this issue Nov 17, 2022
Add a unique Service Account per service (#813)
@cjellick
Member

tested. looks good! i mentioned one change to the docs you need to make, but other than that, 👍
