Red Hat Summit Red Hat SummitSuporteConsoleDesenvolvedoresComeçar um testeContato

Este conteúdo não está disponível no idioma selecionado.

Chapter 12. Understanding and creating service accounts

12.1. Service accounts overview
Copiar o link

A service account is an OpenShift Container Platform account that allows a component to directly access the API. Service accounts are API objects that exist within each project. Service accounts provide a flexible way to control API access without sharing a regular user’s credentials.

When you use the OpenShift Container Platform CLI or web console, your API token authenticates you to the API. You can associate a component with a service account so that they can access the API without using a regular user’s credentials. For example, service accounts can allow:

  • Replication controllers to make API calls to create or delete pods.
  • Applications inside containers to make API calls for discovery purposes.
  • External applications to make API calls for monitoring or integration purposes.

Each service account’s user name is derived from its project and name: 

system:serviceaccount:<project>:<name>
Copy to Clipboard Toggle word wrap

Every service account is also a member of two groups:

system:serviceaccounts
Includes all service accounts in the system.
system:serviceaccounts:<project>
Includes all service accounts in the specified project.

Each service account automatically contains two secrets:

  • An API token
  • Credentials for the OpenShift Container Registry

The generated API token and registry credentials do not expire, but you can revoke them by deleting the secret. When you delete the secret, a new one is automatically generated to take its place.

12.2. Creating service accounts
Copiar o link

You can create a service account in a project and grant it permissions by binding it to a role.

Procedure

  1. Optional: To view the service accounts in the current project: 

    $ oc get sa

NAME       SECRETS   AGE
builder    2         2d
default    2         2d
deployer   2         2d
    Copy to Clipboard Toggle word wrap

  2. To create a new service account in the current project: 

    $ oc create sa <service_account_name>
    1 
    

serviceaccount "robot" created
    Copy to Clipboard Toggle word wrap
    1
    To create a service account in a different project, specify -n <project_name>.

  3. Optional: View the secrets for the service account: 

    $ oc describe sa robot
Name:		robot
Namespace:	project1
Labels:		<none>
Annotations:	<none>

Image pull secrets:	robot-dockercfg-qzbhb

Mountable secrets: 	robot-token-f4khf
                   	robot-dockercfg-qzbhb

Tokens:            	robot-token-f4khf
                   	robot-token-z8h44
    Copy to Clipboard Toggle word wrap

12.3. Examples of granting roles to service accounts
Copiar o link

You can grant roles to service accounts in the same way that you grant roles to a regular user account.

  • You can modify the service accounts for the current project. For example, to add the view role to the robot service account in the top-secret project: 

    $ oc policy add-role-to-user view system:serviceaccount:top-secret:robot
    Copy to Clipboard Toggle word wrap

  • You can also grant access to a specific service account in a project. For example, from the project to which the service account belongs, use the -z flag and specify the <serviceaccount_name> 

    $ oc policy add-role-to-user <role_name> -z <serviceaccount_name>
    Copy to Clipboard Toggle word wrap
    Important

    If you want to grant access to a specific service account in a project, use the -z flag. Using this flag helps prevent typos and ensures that access is granted to only the specified service account.

  • To modify a different namespace, you can use the -n option to indicate the project namespace it applies to, as shown in the following examples.

    • For example, to allow all service accounts in all projects to view resources in the top-secret project: 

      $ oc policy add-role-to-group view system:serviceaccounts -n top-secret
      Copy to Clipboard Toggle word wrap

    • To allow all service accounts in the managers project to edit resources in the top-secret project: 

      $ oc policy add-role-to-group edit system:serviceaccounts:managers -n top-secret
      Copy to Clipboard Toggle word wrap
Voltar ao topo
Red Hat logoGithubredditYoutubeTwitter

Aprender

Experimente, compre e venda

Comunidades

Sobre a documentação da Red Hat

Ajudamos os usuários da Red Hat a inovar e atingir seus objetivos com nossos produtos e serviços com conteúdo em que podem confiar. Explore nossas atualizações recentes.

Tornando o open source mais inclusivo

A Red Hat está comprometida em substituir a linguagem problemática em nosso código, documentação e propriedades da web. Para mais detalhes veja o Blog da Red Hat.

Sobre a Red Hat

Fornecemos soluções robustas que facilitam o trabalho das empresas em plataformas e ambientes, desde o data center principal até a borda da rede.

Theme

© 2025 Red Hat