@pdonovan Kubernetes service accounts are namespaced (xref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/). If you have the same client in different namespaces, they can only reference the service account in that namespace.
The examples, e.g. https://azure.github.io/azure-workload-identity/docs/quick-start.html#5-create-a-kubernetes-service-account, all use 'default' as the namespace for the created service account and also for the quick-start pod.
What are the rules here? If I have the same application deployed 4 different times in the cluster for 4 different clients in namespaces client1, client2, client3 etc., do I need to create the service account 4 times, in each of those namespaces? Even if they link to the same Azure Managed Identity (because ultimately they all need access to the same Azure key vaults, storage etc.)? I think the answer is yes, but I wanted to check before I do the work in automating the account creation for every namespace.
Ideally I'd like the pod spec:

```yaml
spec:
  serviceAccountName: ${SERVICE_ACCOUNT_NAME}
```

to be able to find the service account in a single namespace, e.g. the example's `default`. I'm also assuming that the `serviceAccountName` is something that's picked up by the Azure Identity SDK somehow?
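Since ServiceAccounts are namespaced, the practical consequence of the reply above is one ServiceAccount per client namespace, and one federated credential per namespace on the shared managed identity (the token subject embeds the namespace). The script below is an added example, not code from the discussion or from the azure-workload-identity project; it assumes the Azure Workload Identity `azure.workload.identity/client-id` annotation, a managed identity client ID passed in by the caller, and placeholder names for the identity and resource group.

```shell
#!/bin/sh
# Added example (not from the discussion or the azure-workload-identity project).
# Assumed: the webhook reads the azure.workload.identity/client-id annotation, and
# the caller supplies the managed identity's client ID (a constructed value below).

# Print a ServiceAccount manifest for one namespace. ServiceAccounts are
# namespaced, so the same name has to be created once in every namespace.
sa_manifest() {
  ns="$1"; sa="$2"; cid="$3"
  cat <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ${sa}
  namespace: ${ns}
  annotations:
    azure.workload.identity/client-id: ${cid}
EOF
}

# The OIDC subject the cluster's token issuer places in the projected token.
# The federated credential on the managed identity must match it exactly, so
# a shared identity needs one federated credential per namespace.
sa_subject() {
  printf 'system:serviceaccount:%s:%s\n' "$1" "$2"
}

# Render one multi-document manifest covering every client namespace.
render_all() {
  sa_name="$1"; client_id="$2"; shift 2
  for ns in "$@"; do
    sa_manifest "$ns" "$sa_name" "$client_id"
    echo '---'
  done
}

# Usage (kubectl/az calls are commented out so the script runs offline):
# render_all workload-sa "$AZURE_CLIENT_ID" client1 client2 client3 client4 | kubectl apply -f -
# for ns in client1 client2 client3 client4; do
#   az identity federated-credential create --name "fc-${ns}" \
#     --identity-name "<MANAGED_IDENTITY_NAME>" --resource-group "<RESOURCE_GROUP>" \
#     --issuer "$AKS_OIDC_ISSUER" --subject "$(sa_subject "$ns" workload-sa)"
# done
```

Each deployed pod then references the ServiceAccount by name within its own namespace, exactly as in the quick-start, with no cross-namespace lookup involved.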