Bug 1411421 added information on linking pods to serviceaccounts #3475
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -170,6 +170,17 @@ To allow a secret to be mounted by a service account's pods, run: | |
$ oc secrets link --for=mount <serviceaccount-name> <secret-name> | ||
---- | ||
|
||
[NOTE] | ||
Here you follow a section discussing --for=pull and --for=mount; it may be good to be clearer that the NOTE refers to --for=mount (which is also implied if no --for= is specified) only.

@jim-minter I see what you mean, which is why I made sure the last part of the note box says "...mounting secrets to a service account's pods is not required." Or did you mean that it should be more obvious?

Ah, I hadn't spotted the wording change (so IMO it's not clear enough ;). Now I re-read it, I'm concerned that the following statement is actually not true and doesn't make sense:

Something like the following would make sense: if the admin has set limitSecretReferences to false (default), it is not required to use oc link --for=mount to enable use of a mountable secret by a service account. However oc link --for=pull is always required to enable use of an image pull secret, regardless of the value of limitSecretReferences.

OK. I combined the two. Should be better now.
||
==== | ||
Limiting secrets to only the service accounts that reference them is disabled by | ||
same as above for all instances
||
default. This means that if `serviceAccountConfig.limitSecretReferences` is set | ||
to `false` (the default setting) in the master configuration file, mounting | ||
secrets to a service account's pods with the `--for=mount` option is not | ||
required. However, using the `--for=pull` option to enable using an image pull | ||
secret is required, regardless of the | ||
`serviceAccountConfig.limitSecretReferences` value. | ||
==== | ||
|
||
This example creates and adds secrets to a service account: | ||
|
||
==== | ||
|
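Review bot: The added NOTE, in the sentence beginning "This means that if `serviceAccountConfig.limitSecretReferences` is set to `false`", documents only the default case and never says what changes when the value is `true`, which is the setting under which the `oc secrets link --for=mount` command shown just above the NOTE matters. Suggest adding a sentence stating that when it is `true`, a pod can mount a secret only after the secret has been linked to its service account with `--for=mount`. The opening also states the default twice ("is disabled by default" and "(the default setting)"); one mention is enough.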
to only the → only to the