Container: Developing an Application - Service Accounts

Overview

OpenShift service accounts are useful because:

  • Their login token does not expire unless explicitly revoked (deleting the secret that holds it revokes it), so a pipeline keyed to one does not break when a person's token expires. The same property cuts both ways: a leaked service account token stays valid until someone revokes it, so treat it as a long-lived credential and grant it as little as possible.
  • They can be given permissions scoped to a single project or to the entire cluster.

Creating Service Accounts

To create a service account in your current namespace, do the following:

oc create serviceaccount {your service account name}

Authenticating Using Service Accounts

Once the service account has been created, you will see two secrets associated with the account, both carrying the same token. Describe either secret to read the token. That token can be used in any login command or script you create the same way your user token can, which is exactly why it must be kept out of source control and shared only through your CI system's protected variables.

oc describe secret {your service account's secret name}

Adding Roles to Service Accounts

Newly created service accounts have few capabilities; permissions must be added, either from the command line or from the web console. Project admins can grant roles within their own project in the console. To do so, go to: {your project name} > Resources > Membership > Service Accounts. Choose 'Add Another Role' to add permissions to your newly created service account.

Adding a role from the command line with 'oc adm policy', as in the examples below, requires cluster-admin rights. A project admin can create the same project-scoped binding without 'oc adm' by using 'oc policy add-role-to-user' within their own project; only the cluster-wide form is strictly cluster-admin only. Here are some command-line examples:

To add permissions within a project, use the following syntax:

oc adm policy add-role-to-user registry-viewer system:serviceaccount:{project name}:{my service account name}

To add permissions throughout the cluster, that is, in every project at once via a cluster role binding (reach for this only when a project-scoped binding genuinely will not do), use the following syntax:

oc adm policy add-cluster-role-to-user registry-viewer system:serviceaccount:{project name}:{my service account name}
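The role-granting procedure above, carried through with a verification step, as an added example that is not part of this page or the Container Service's own material. It assumes an oc session already logged in to the target project, the registry-viewer role named above, and a hypothetical service account called ci-puller; the steps that talk to the cluster run only when RUN_LIVE=1, so the script can be read or sourced offline.

```shell
#!/usr/bin/env bash
# Added example, not from the page: create a service account, grant it one role in one
# project, and check what the grant actually allows before handing the token to anyone.
# Assumes an oc session (oc login) and the registry-viewer role named on the page.
set -eu

# The subject name OpenShift uses for a service account in role bindings and in --as.
sa_subject() {   # sa_subject PROJECT SA
  printf 'system:serviceaccount:%s:%s' "$1" "$2"
}

# Report whether the service account may perform VERB on RESOURCE in the project.
# oc auth can-i prints yes/no and exits non-zero for "no", hence the || true under set -e.
sa_can() {   # sa_can PROJECT SA VERB RESOURCE
  local answer
  answer=$(oc auth can-i "$3" "$4" --as="$(sa_subject "$1" "$2")" -n "$1" 2>/dev/null) || true
  printf '%s %s: %s\n' "$3" "$4" "${answer:-no}"
}

# Project-scoped grant: a project admin can do this with plain `oc policy`, no `oc adm`.
# -z names the service account directly instead of spelling out the full subject.
grant_in_project() {   # grant_in_project PROJECT SA ROLE
  oc policy add-role-to-user "$3" -z "$2" -n "$1"
}

# Cluster-wide grant: binds the cluster role in every project; cluster-admin only.
grant_cluster_wide() {   # grant_cluster_wide PROJECT SA ROLE
  oc adm policy add-cluster-role-to-user "$3" -z "$2" -n "$1"
}

if [ "${RUN_LIVE:-0}" = 1 ]; then
  PROJECT=$(oc project -q)
  SA=ci-puller                      # hypothetical service account name
  oc create serviceaccount "$SA" -n "$PROJECT"
  grant_in_project "$PROJECT" "$SA" registry-viewer
  # Least-privilege check: registry-viewer should allow reading image streams in this
  # project and nothing else. A "yes" in the second pair means the grant was too broad.
  sa_can "$PROJECT" "$SA" get imagestreams
  sa_can "$PROJECT" "$SA" get imagestreams/layers
  sa_can "$PROJECT" "$SA" create pods
  sa_can "$PROJECT" "$SA" get secrets
else
  printf 'subject would be: %s\n' "$(sa_subject myproject ci-puller)"
fi
```

The check with --as impersonates the service account, which needs permission to impersonate service accounts in the project; the project admin role normally carries it. If it does not in your environment, the same questions can be asked after logging in with the service account's own token.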

More information about roles and their uses can be found here.

Using Service Accounts to Access the Container Service Image Registry

Service accounts can be useful when using external CI/CD pipelines, such as those provided by GitLab or Jenkins. Use the following steps to authenticate to the registry:

oc get secrets

You will see a list of secrets associated with the service accounts within your project. The credentials provided by the builder service account within an individual project are sufficient for pushing images to and pulling images from that project's space in the OpenShift registry. Thus, find the name that fits the pattern builder-dockercfg-<hash>. (If the pipeline only needs to pull images, a dedicated service account bound to registry-viewer, as shown above, is a tighter choice than the builder account's push-capable credentials.) Copy that name and use it in the following command:

oc get secret builder-dockercfg-abcde -o yaml

You will see an output similar to this:

...
metadata:
  annotations:
    ...
    openshift.io/token-secret.value: ey.....
...

The openshift.io/token-secret.value annotation holds the persistent token that can be used to authenticate from an external system. It is a bearer token: anyone holding it can push to and pull from the project's registry space, so store it as a masked, protected variable in your CI system rather than in the repository, and prefer feeding it to docker login on standard input (--password-stdin) over the -p flag, which leaves it in shell history and process listings. For example, if you are constructing a .gitlab-ci.yml file which builds a container image using docker, you may use a command similar to this:

docker login -u serviceaccount -p <password> registry.aws.web.umich.edu
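The registry steps above, end to end, as an added example that is not from the page or the Container Service: it pulls the token out of the secret's YAML (a constructed copy of that output, carrying a made-up token whose payload has the claims OpenShift places in service account tokens), confirms which account the token was issued to before using it, and hands it to docker login on standard input. It assumes GNU coreutils (base64, sed, tr, cut); the live branch (RUN_LIVE=1) additionally needs oc and docker, and uses the registry hostname from the page.

```shell
#!/usr/bin/env bash
# Added example, not from the page. Offline it exercises the parsing on constructed data;
# with RUN_LIVE=1 it reads the real builder-dockercfg secret and logs in to the registry.
set -eu

REGISTRY="registry.aws.web.umich.edu"   # hostname from the page

# base64url without padding, the encoding used for JWT segments.
b64url() { base64 | tr -d '\n=' | tr '+/' '-_'; }

# Decode one JWT segment: restore the '+/' alphabet and the padding, then base64-decode.
b64url_decode() {
  local s
  s=$(printf '%s' "$1" | tr -- '-_' '+/')
  case $(( ${#s} % 4 )) in 2) s="$s==";; 3) s="$s=";; esac
  printf '%s' "$s" | base64 -d
}

# Constructed stand-in for a service account token: a JWT whose payload carries the
# claims OpenShift puts in such tokens. The signature is a dummy; no cluster accepts it.
make_sample_token() {   # make_sample_token PROJECT SA
  printf '%s.%s.%s' \
    "$(printf '{"alg":"RS256","kid":""}' | b64url)" \
    "$(printf '{"iss":"kubernetes/serviceaccount","kubernetes.io/serviceaccount/namespace":"%s","kubernetes.io/serviceaccount/service-account.name":"%s","sub":"system:serviceaccount:%s:%s"}' "$1" "$2" "$1" "$2" | b64url)" \
    "$(printf 'not-a-real-signature' | b64url)"
}

# Constructed copy of what `oc get secret builder-dockercfg-<hash> -o yaml` prints.
sample_secret_yaml() {
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  annotations:
    kubernetes.io/service-account.name: builder
    openshift.io/token-secret.value: $(make_sample_token myproject builder)
  name: builder-dockercfg-abcde
  namespace: myproject
type: kubernetes.io/dockercfg
EOF
}

# Pull the token out of the YAML on stdin. Against a live cluster the same value comes
# from: oc get secret NAME -o jsonpath='{.metadata.annotations.openshift\.io/token-secret\.value}'
token_from_yaml() { sed -n 's/^ *openshift\.io\/token-secret\.value: *//p'; }

# Read one string claim from the token's payload, without contacting the cluster.
jwt_claim() {   # jwt_claim TOKEN CLAIM
  local payload
  payload=$(printf '%s' "$1" | cut -d. -f2)
  b64url_decode "$payload" | sed -n "s|.*\"$2\":\"\([^\"]*\)\".*|\1|p"
}

# Refuse to use a token that was issued to a different account than the one expected,
# e.g. a cluster-wide token pasted into the wrong project's pipeline.
check_token_subject() {   # check_token_subject TOKEN EXPECTED_SUBJECT
  [ "$(jwt_claim "$1" sub)" = "$2" ]
}

# Log in with the token on stdin, so it never appears in shell history or `ps` output.
registry_login() {   # registry_login TOKEN
  printf '%s' "$1" | docker login -u serviceaccount --password-stdin "$REGISTRY"
}

if [ "${RUN_LIVE:-0}" = 1 ]; then
  PROJECT=$(oc project -q)
  SECRET=$(oc get secrets -o name | sed -n 's|^secret/\(builder-dockercfg-.*\)|\1|p' | head -n1)
  TOKEN=$(oc get secret "$SECRET" -o yaml | token_from_yaml)
  check_token_subject "$TOKEN" "system:serviceaccount:$PROJECT:builder"
  registry_login "$TOKEN"
else
  TOKEN=$(sample_secret_yaml | token_from_yaml)
  check_token_subject "$TOKEN" "system:serviceaccount:myproject:builder"
  echo "token belongs to $(jwt_claim "$TOKEN" sub)"
fi
```

In a .gitlab-ci.yml job the token would arrive as a protected variable rather than via oc, and registry_login would be called with that variable; the subject check is worth keeping there too, since it catches a token copied from the wrong project before any image is pushed.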

Last Updated: Friday, December 4, 2020