scottk/kubernetes
1
0
Fork 0
mirror of https://github.com/optim-enterprises-bv/kubernetes.git synced 2025-11-04 04:08:16 +00:00
Code Issues Packages Projects Releases Wiki Activity

add documentation on how to use service aaccounts with ABAC mode authorization

Browse Source
This commit is contained in:
Mike Danese
2015-07-23 09:44:47 -07:00
parent dc59c99d1a
commit caab2741ba
1 changed files with 22 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
docs/admin/authorization.md
View File

@@ -115,6 +115,28 @@ To permit an action Policy with an unset namespace applies regardless of namespa
[Complete file example](http://releases.k8s.io/HEAD/pkg/auth/authorizer/abac/example_policy_file.jsonl)
### A quick note on service accounts
A service account automatically generates a user. The user's name is generated according to the naming convention:
```
system:serviceaccount:<namespace>:<serviceaccountname>
```
Creating a new namespace also causes a new service account to be created, of this form:*
```
system:serviceaccount:<namespace>:default
```
For example, if you wanted to grant the default service account in the kube-system full privilege to the API, you would add this line to your policy file:
```json
{"user":"system:serviceaccount:kube-system:default"}
```
The apiserver will need to be restarted to pickup the new policy lines.
## Plugin Development
Other implementations can be developed fairly easily.