system:serviceaccount:<project>:<name>
A service account is an OpenShift Container Platform account that allows a component to directly access the API. Service accounts are API objects that exist within each project. Service accounts provide a flexible way to control API access without sharing a regular user’s credentials.
When you use the OpenShift Container Platform CLI or web console, your API token authenticates you to the API. You can associate a component with a service account so that they can access the API without using a regular user’s credentials. For example, service accounts can allow:
Replication controllers to make API calls to create or delete pods.
Applications inside containers to make API calls for discovery purposes.
External applications to make API calls for monitoring or integration purposes.
Each service account’s user name is derived from its project and name:
system:serviceaccount:<project>:<name>
Every service account is also a member of two groups:
Group | Description |
---|---|
system:serviceaccounts |
Includes all service accounts in the system. |
system:serviceaccounts:<project> |
Includes all service accounts in the specified project. |
Each service account automatically contains two secrets:
An API token
Credentials for the OpenShift Container Registry
The generated API token and registry credentials do not expire, but you can revoke them by deleting the secret. When you delete the secret, a new one is automatically generated to take its place.
Your OpenShift Container Platform cluster contains default service accounts for cluster management and generates more service accounts for each project.
Several infrastructure controllers run using service account credentials. The
following service accounts are created in the OpenShift Container Platform infrastructure
project (openshift-infra
) at server start, and given the following roles
cluster-wide:
Service account | Description |
---|---|
|
Assigned the |
|
Assigned the |
|
Assigned the |
Three service accounts are automatically created in each project:
Service account | Usage | ||
---|---|---|---|
|
Used by build pods. It is given the
|
||
|
Used by deployment pods and given the
|
||
|
Used to run all other pods unless they specify a different service account. |
All service accounts in a project are given the system:image-puller
role,
which allows pulling images from any image stream in the project using the
internal container image registry.
By default, OpenShift Container Platform creates an image pull secret for each service account.
Prior to OpenShift Container Platform 4.16, a long-lived service account API token secret was also generated for each service account that was created. Starting with OpenShift Container Platform 4.16, this service account API token secret is no longer created. After upgrading to 4.17, any existing long-lived service account API token secrets are not deleted and will continue to function. For information about detecting long-lived API tokens that are in use in your cluster or deleting them if they are not needed, see the Red Hat Knowledgebase article Long-lived service account API tokens in OpenShift Container Platform. |
This image pull secret is necessary to integrate the OpenShift image registry into the cluster’s user authentication and authorization system.
However, if you do not enable the ImageRegistry
capability or if you disable the integrated OpenShift image registry in the Cluster Image Registry Operator’s configuration, an image pull secret is not generated for each service account.
When the integrated OpenShift image registry is disabled on a cluster that previously had it enabled, the previously generated image pull secrets are deleted automatically.
You can create a service account in a project and grant it permissions by binding it to a role.
Optional: To view the service accounts in the current project:
$ oc get sa
NAME SECRETS AGE
builder 2 2d
default 2 2d
deployer 2 2d
To create a new service account in the current project:
$ oc create sa <service_account_name> (1)
1 | To create a service account in a different project, specify -n <project_name> . |
serviceaccount "robot" created
You can alternatively apply the following YAML to create the service account:
|
Optional: View the secrets for the service account:
$ oc describe sa robot
Name: robot
Namespace: project1
Labels: <none>
Annotations: <none>
Image pull secrets: robot-dockercfg-qzbhb
Mountable secrets: robot-dockercfg-qzbhb
Tokens: robot-token-f4khf
Events: <none>