A ServiceAccount is the identity Kubernetes gives to a process rather than to a person. When a pod talks to the API server it authenticates as the ServiceAccount named in its pod spec (the namespace's "default" ServiceAccount if none is set). The ServiceAccount itself grants nothing: what it may read or change in the cluster is decided entirely by the RBAC Roles and ClusterRoles bound to it. Note that this is access to the Kubernetes API (Deployments, Services, Secrets and so on), not to a database or an external service; giving a workload credentials for those is a separate mechanism. ServiceAccounts are normally created by the cluster administrator so that each workload gets the narrowest set of API permissions it needs.
The same identity can be used from outside the cluster, for example by a CI/CD runner or an auto-deployment job. The runner is given a token issued for the ServiceAccount and authenticates to the API server with exactly that ServiceAccount's permissions, so a leaked pipeline credential is limited to one namespace and one Role instead of being a cluster-admin kubeconfig.
Read-Only Template
Creates a ServiceAccount, a namespaced Role that can only read Deployments and Services, a RoleBinding that ties the two together, and a long-lived token Secret for the ServiceAccount. Everything is scoped to one namespace, and the Role says nothing about Pods, Secrets or any other resource, so a consumer that tries to list pods gets a 403 until "pods" is added to the rule.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ sa-name }}
  namespace: {{ namespace }}
secrets:
  # Optional: the Secret below is tied to this ServiceAccount by its
  # annotation; listing it here only records the reference on the SA object.
  - name: {{ token-name }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: {{ namespace }}
  name: read-only
rules:
  # Deployments live in the "apps" group, Services in the core ("") group.
  # Pods are deliberately not included; add "pods" if the consumer needs them.
  - apiGroups: ["", "apps"]
    resources: ["deployments", "services"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: {{ sa-name }}
  namespace: {{ namespace }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: read-only
subjects:
  - kind: ServiceAccount
    name: {{ sa-name }}
    namespace: {{ namespace }}
---
apiVersion: v1
kind: Secret
metadata:
  name: {{ token-name }}
  # Must be the ServiceAccount's namespace: a token Secret can only reference
  # a ServiceAccount in its own namespace, and without this line kubectl would
  # create the Secret in whatever namespace the current context points at.
  namespace: {{ namespace }}
  annotations:
    kubernetes.io/service-account.name: {{ sa-name }}
type: kubernetes.io/service-account-token
Read-Write Template
Same structure, but the Role may also create, update, patch and delete Deployments, Services and HorizontalPodAutoscalers in the namespace. Treat this as namespace-level code execution: whoever holds the token can change a Deployment's pod template, so they can run any image, mount any Secret in the namespace and run as any ServiceAccount in that namespace. Keep such tokens out of shared CI logs and rotate them by deleting and recreating the Secret. A Secret-based token never expires on its own; where the runner can fetch a fresh credential on every run, a short-lived token from kubectl create token {{ sa-name }} -n {{ namespace }} --duration=1h avoids a standing secret altogether.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ sa-name }}
  namespace: {{ namespace }}
secrets:
  # Optional, as in the read-only template; the annotation on the Secret is
  # what binds it to this ServiceAccount.
  - name: {{ token-name }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: {{ namespace }}
  name: read-write
rules:
  # Only the groups that actually serve these resources are listed:
  # Deployments are in "apps", Services in core (""), HorizontalPodAutoscalers
  # in "autoscaling". "extensions" (removed from the API in Kubernetes 1.16),
  # "batch" and "networking.k8s.io" serve none of them and would grant nothing.
  - apiGroups: ["", "apps", "autoscaling"]
    resources: ["deployments", "services", "horizontalpodautoscalers"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: {{ sa-name }}
  namespace: {{ namespace }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: read-write
subjects:
  - kind: ServiceAccount
    name: {{ sa-name }}
    namespace: {{ namespace }}
---
apiVersion: v1
kind: Secret
metadata:
  name: {{ token-name }}
  # Must be the ServiceAccount's namespace; see the read-only template.
  namespace: {{ namespace }}
  annotations:
    kubernetes.io/service-account.name: {{ sa-name }}
type: kubernetes.io/service-account-token
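What a pipeline does with these objects once they are applied, as an added example that is not part of the original page: a small Python script (standard library only) that converts the populated token Secret into a kubeconfig for a CI runner and checks a handful of API requests against the read-only Role's rules before that kubeconfig is handed out. The Secret contents, the ServiceAccount name ci-deployer, the namespace staging, the token, the CA certificate and the API server address are all constructed placeholders, not values from the page or from any real cluster.

```python
"""Added example (not code from the original page): turn a populated
kubernetes.io/service-account-token Secret, as returned by
`kubectl get secret <token-name> -n <namespace> -o json`, into a kubeconfig for
a CI runner, and check requests against a Role's rules the way the RBAC
authorizer matches them. All sample data below is constructed."""
import base64
import json

SA_TOKEN_TYPE = "kubernetes.io/service-account-token"

# Constructed sample: the shape of a token Secret after the token controller
# has filled in token, ca.crt and namespace. A real token is a signed JWT.
SAMPLE_SECRET = {
    "apiVersion": "v1",
    "kind": "Secret",
    "metadata": {
        "name": "ci-deployer-token",
        "namespace": "staging",
        "annotations": {"kubernetes.io/service-account.name": "ci-deployer"},
    },
    "type": SA_TOKEN_TYPE,
    "data": {  # values are base64, exactly as the API returns them
        "token": base64.b64encode(b"eyJhbGciOiJSUzI1NiJ9.placeholder.signature").decode(),
        "ca.crt": base64.b64encode(
            b"-----BEGIN CERTIFICATE-----\nMIIBplaceholder\n-----END CERTIFICATE-----\n"
        ).decode(),
        "namespace": base64.b64encode(b"staging").decode(),
    },
}

# The read-only Role's rules, as in the template above.
READ_ONLY_RULES = [
    {"apiGroups": ["", "apps"], "resources": ["deployments", "services"],
     "verbs": ["get", "list", "watch"]},
]


def kubeconfig_from_secret(secret: dict, server: str) -> dict:
    """Build a kubeconfig (as a dict; json.dumps it, kubectl accepts JSON) for
    the ServiceAccount that owns this token Secret."""
    if secret.get("type") != SA_TOKEN_TYPE:
        raise ValueError("not a service-account-token Secret: %r" % secret.get("type"))
    meta = secret["metadata"]
    sa_name = meta["annotations"]["kubernetes.io/service-account.name"]
    namespace = meta["namespace"]
    data = secret["data"]
    # The bearer token goes into the kubeconfig decoded; the CA stays base64,
    # which is what certificate-authority-data expects.
    token = base64.b64decode(data["token"]).decode()
    context = "%s@%s" % (sa_name, namespace)
    return {
        "apiVersion": "v1",
        "kind": "Config",
        "clusters": [{"name": namespace, "cluster": {
            "server": server, "certificate-authority-data": data["ca.crt"]}}],
        "users": [{"name": sa_name, "user": {"token": token}}],
        "contexts": [{"name": context, "context": {
            "cluster": namespace, "user": sa_name, "namespace": namespace}}],
        "current-context": context,
    }


def rbac_allows(rules: list, api_group: str, resource: str, verb: str) -> bool:
    """True if any rule grants verb on resource in api_group. Mirrors the
    authorizer's per-rule match ("*" is a wildcard); subresources and
    resourceNames are not modelled here."""
    for rule in rules:
        if ("*" in rule["apiGroups"] or api_group in rule["apiGroups"]) \
                and ("*" in rule["resources"] or resource in rule["resources"]) \
                and ("*" in rule["verbs"] or verb in rule["verbs"]):
            return True
    return False


def preflight(rules: list) -> dict:
    """Requests a typical pipeline makes, checked against the Role before the
    kubeconfig is handed out. Keys are (apiGroup, resource, verb); "" is core."""
    wanted = [("apps", "deployments", "get"), ("", "services", "list"),
              ("", "pods", "list"), ("apps", "deployments", "patch")]
    return {req: rbac_allows(rules, *req) for req in wanted}


if __name__ == "__main__":
    for req, ok in preflight(READ_ONLY_RULES).items():
        print("%-40s %s" % (req, "allowed" if ok else "DENIED"))
    print(json.dumps(kubeconfig_from_secret(SAMPLE_SECRET, "https://10.0.0.1:6443"), indent=2))
```

Replace SAMPLE_SECRET with the real Secret JSON, write the kubeconfig to a file with mode 600 in the CI secret store, and point the runner at it with kubectl --kubeconfig. The preflight shows the two things that trip people up with the read-only template: Pods are denied because the Role never mentions them, and patch on Deployments is denied as intended. On a real cluster, kubectl auth can-i list pods --as=system:serviceaccount:{{ namespace }}:{{ sa-name }} -n {{ namespace }} gives the authoritative answer, including any ClusterRoleBindings this script does not see.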