8.2. Default service accounts

Your OpenShift Container Platform cluster contains default service accounts for cluster management and generates more service accounts for each project.

8.2.1. Default cluster service accounts

Several infrastructure controllers run using service account credentials. The following service accounts are created in the OpenShift Container Platform infrastructure project (openshift-infra) at server start, and given the following roles cluster-wide:

Service Account	Description
`replication-controller`	Assigned the `system:replication-controller` role
`deployment-controller`	Assigned the `system:deployment-controller` role
`build-controller`	Assigned the `system:build-controller` role. Additionally, the `build-controller` service account is included in the privileged security context constraint in order to create privileged build pods.

8.2.2. Default project service accounts and roles

Three service accounts are automatically created in each project:

Service Account	Usage
`builder`	Used by build pods. It is given the `system:image-builder` role, which allows pushing images to any imagestream in the project using the internal Docker registry.
`deployer`	Used by deployment pods and given the `system:deployer` role, which allows viewing and modifying replication controllers and pods in the project.
`default`	Used to run all other pods unless they specify a different service account.

All service accounts in a project are given the system:image-puller role, which allows pulling images from any imagestream in the project using the internal container image registry.

8.2. Default service accounts

8.2.1. Default cluster service accounts

8.2.2. Default project service accounts and roles

学习

尝试、购买和销售

社区

关于红帽文档

让开源更具包容性

關於紅帽

Red Hat legal and privacy links

Red Hat legal and privacy links