Support for service accounts in user related fields/flags/headers is under documented #39720
Comments
/assign

/sig auth
https://kubernetes.io/docs/concepts/security/service-accounts/ should at least signpost to the right page (BTW https://kubernetes.io/docs/concepts/security/service-accounts/ is a first pass; we only added that concept page very recently, and its absence had been noted for a while).

Hey @jpbetz, are you still working on this? Let us (SIG Auth) know if you need any help. Also, K8s RBAC has a specific way of referring to SAs: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#referring-to-subjects

/triage accepted

Is anyone in SIG Auth interested in picking this up? I've dropped this due to workload and it might be a while before I can circle back.

/unassign

This issue has not been updated in over 1 year, and should be re-triaged. You can:

For more details on the triage process, see https://www.kubernetes.dev/docs/guide/issue-triage/
/remove-triage accepted
This is a Feature Request

How service accounts are identified in:

- SubjectAccessReview API User field
- AdmissionReview API's UserInfo field
- Impersonate-User header
- kubectl --as

...is under documented.

In all cases, service accounts can be referenced via system:serviceaccount:{service account username}:{service account name}.

https://kubernetes.io/docs/reference/access-authn-authz/authentication/ is the best documentation I could find. It points out that service accounts authenticate with the username system:serviceaccount:(NAMESPACE):(SERVICEACCOUNT). But it took me quite a while to find this, and it still wasn't obvious that user fields all accept

What would you like to be added

All API "user" fields/flags/headers also somehow document that service accounts are supported.

Why is this needed

It takes way too long to figure out what is supported by user fields/flags/headers without this documentation. I ended up figuring it out mostly by searching the public web and by trying things out on a cluster.
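The following is an added example, not part of the issue or of the Kubernetes project's code. It applies the conventions the issue points at (the system:serviceaccount:NAMESPACE:NAME username from the authentication reference, and kind: ServiceAccount subjects from the RBAC reference) to build a SubjectAccessReview, the matching kubectl auth can-i invocation, and an RBAC subject for a service account; the group names it attaches are the ones a real service account token carries, and the function and variable names are this example's own.

```python
SA_PREFIX = "system:serviceaccount:"


def service_account_user(namespace: str, name: str) -> str:
    """Username the API server assigns to a service account token."""
    return f"{SA_PREFIX}{namespace}:{name}"


def parse_service_account_user(username: str):
    """Return (namespace, name) for a service account username, else None.

    A bare prefix or extra colon-separated parts are rejected rather than
    guessed at, so a check on the result cannot be satisfied by a
    malformed value such as 'system:serviceaccount:kube-system'.
    """
    if not username.startswith(SA_PREFIX):
        return None
    rest = username[len(SA_PREFIX):].split(":")
    if len(rest) != 2 or not all(rest):
        return None
    return rest[0], rest[1]


def service_account_groups(namespace: str) -> list:
    """Groups a service account token carries. Impersonating the username
    alone does not add them, so a review or --as without these groups can
    give a different answer than the real token would."""
    return ["system:serviceaccounts", f"system:serviceaccounts:{namespace}",
            "system:authenticated"]


def subject_access_review(namespace, name, verb, resource, resource_ns) -> dict:
    """SubjectAccessReview asking whether the SA may perform verb on resource."""
    return {
        "apiVersion": "authorization.k8s.io/v1",
        "kind": "SubjectAccessReview",
        "spec": {
            "user": service_account_user(namespace, name),
            "groups": service_account_groups(namespace),
            "resourceAttributes": {"namespace": resource_ns, "verb": verb,
                                   "resource": resource},
        },
    }


def can_i_argv(namespace, name, verb, resource, resource_ns) -> list:
    """kubectl auth can-i command equivalent to the review above (--as plus
    one --as-group per group, since --as sets only Impersonate-User)."""
    argv = ["kubectl", "auth", "can-i", verb, resource, "-n", resource_ns,
            "--as", service_account_user(namespace, name)]
    for group in service_account_groups(namespace):
        argv += ["--as-group", group]
    return argv


def rbac_subject(namespace: str, name: str) -> dict:
    """RBAC (Role|Cluster)Binding subjects name the SA by kind, not username."""
    return {"kind": "ServiceAccount", "name": name, "namespace": namespace}
```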