[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: cluster wide service acount



For Docker login purpose, I could see another token ( I think this is what you are talking about)

 

cae-ops-dockercfg-04ccd    kubernetes.io/dockercfg               1         1h

cae-ops-token-5vrkf        kubernetes.io/service-account-token   3         1h

cae-ops-token-jdhez        kubernetes.io/service-account-token   3         1h

 

1st token being used for Docker. Was wondering about other 2 tokens.

 

-- 

Srinivas Kotaru

 

From: Jordan Liggitt <jliggitt redhat com>
Date: Thursday, December 1, 2016 at 1:39 PM
To: Srinivas Naga Kotaru <skotaru cisco com>
Cc: dev <dev lists openshift redhat com>
Subject: Re: cluster wide service acount

 

One token is the one generated to mount into pods that run as the service account.

The other is the one wrapped into a dockercfg secret used as a credential against the internal docker registry.

 

On Thu, Dec 1, 2016 at 3:56 PM, Srinivas Naga Kotaru (skotaru) <skotaru cisco com> wrote:

Thanks, it is working.  Able to login using service account token

 

# oc get sa

# oc get secrets

#  oc get  secret  cae-ops-token-5vrkf  --template='{{.data.token}}'

 

decode base64 token

 

# oc login –token=<decoded token>

 

Qeustion:

 

I can see 2 secrets for each service accont and both are valied to login. Any idea why 2 ?

 

# oc get secrets

 

cae-ops-token-5vrkf        kubernetes.io/service-account-token   3         35m

cae-ops-token-jdhez        kubernetes.io/service-account-token   3         35m

 

-- 

Srinivas Kotaru

 

From: Jordan Liggitt <jliggitt redhat com>
Date: Thursday, December 1, 2016 at 12:26 PM


To: Srinivas Naga Kotaru <skotaru cisco com>
Cc: dev <dev lists openshift redhat com>
Subject: Re: cluster wide service acount

 

If you have the service account's token, you can use it from the command line like this:

oc login --token=...

 

The web console does not provide a way to log in with a service account token.

 

On Thu, Dec 1, 2016 at 3:19 PM, Srinivas Naga Kotaru (skotaru) <skotaru cisco com> wrote:

Jordan

 

That helps. Thanks for quick help.

 

Can we use this sa account to login into console and OC clinet? If yes how? I knew SA account only has non expired token but no password

 

 

-- 

Srinivas Kotaru

 

From: Jordan Liggitt <jliggitt redhat com>
Date: Thursday, December 1, 2016 at 12:04 PM
To: Srinivas Naga Kotaru <skotaru cisco com>
Cc: dev <dev lists openshift redhat com>
Subject: Re: cluster wide service acount

 

Service accounts exist within a namespace but can be granted permissions across the entire cluster, just like any other user. For example:

oadm policy add-cluster-role-to-user cluster-reader system:serviceaccount:openshift-infra:monitor-service-account

 

On Thu, Dec 1, 2016 at 3:02 PM, Srinivas Naga Kotaru (skotaru) <skotaru cisco com> wrote:

I knew we can create a service account per project and can be used as a password less API work and automations activities. Can we create a service account at cluster level and can be used for platform operations (monitoring, automation, shared account for operation teams)?

 

Intention is to have expiry free tokens.

 

-- 

Srinivas Kotaru


_______________________________________________
dev mailing list
dev lists openshift redhat com
http://lists.openshift.redhat.com/openshiftmm/listinfo/dev

 

 

 


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]