Service Accounts in OpenShift - unix1998/technical_notes GitHub Wiki

Service Accounts in OpenShift

  1. builder:

    • Purpose: The builder service account is used by the OpenShift build system to run build pods.
    • Usage: When you create a build configuration (e.g., using oc new-build), the resulting build pod runs as the builder service account. This account has permission to pull source code from repositories, build images, and push the built images to the image registry.
    • Example Usage: Automatically used by the system when you start a build.
      oc start-build my-app
      
  2. deployer:

    • Purpose: The deployer service account is used to manage deployment processes.
    • Usage: This account is used by OpenShift's deployment controllers to manage deployment configurations (e.g., rolling updates, scaling pods). It has permissions to create, update, and delete pods during the deployment process.
    • Example Usage: Automatically used by the system when a deployment configuration is triggered.
      oc rollout latest dc/my-app
      
  3. default:

    • Purpose: The default service account is used for any pod that does not specify a service account.
    • Usage: This account is the fallback for any workload that does not set serviceAccountName. By default it has minimal permissions, but you can extend them to fit your needs by binding roles to it.
    • Example Usage: Automatically assigned to pods that do not specify a different service account.
      apiVersion: v1
      kind: Pod
      metadata:
        name: mypod
      spec:
        containers:
        - name: mycontainer
          image: myimage
        serviceAccountName: default
      
  4. pipeline:

    • Purpose: The pipeline service account is used by Jenkins pipelines.
    • Usage: When running Jenkins pipeline builds in OpenShift, this service account provides the necessary permissions to interact with the OpenShift API, manage builds, deployments, and other resources.
    • Example Usage: Used in Jenkins pipelines to authenticate and perform operations.
      pipeline {
          agent any
          stages {
              stage('Build') {
                  steps {
                      script {
                          openshift.withCluster() {
                              openshift.withProject('my-project') {
                                  openshift.selector('bc', 'my-app').startBuild()
                              }
                          }
                      }
                  }
              }
          }
      }
      

Customizing Service Accounts

You can customize these service accounts to grant them additional permissions as needed using role bindings. For example, to grant the default service account additional permissions, you can use the following commands:

oc adm policy add-role-to-user edit -z default -n my-project

This command assigns the edit role to the default service account in the my-project namespace, granting it permissions to manage most resources within the namespace.
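Because every pod that omits serviceAccountName runs as default, the binding above widens the access of all such pods that also mount the token. The following added example (not part of this wiki) feeds the output of oc get pods -n my-project -o json (a constructed sample here) through a small audit that lists those pods before the role is granted; field names follow the Pod spec, and only the pod-level automountServiceAccountToken field is considered.

```python
"""Audit which pods would inherit permissions granted to a service account
(e.g. after `oc adm policy add-role-to-user edit -z default -n my-project`).
Input is the JSON returned by `oc get pods -n <namespace> -o json`."""
import json

# Constructed sample shaped like `oc get pods -o json` output (not real cluster data).
SAMPLE_POD_LIST = json.dumps({
    "kind": "List",
    "items": [
        {"metadata": {"name": "mypod"},
         "spec": {"serviceAccountName": "default"}},           # explicit default
        {"metadata": {"name": "web-1"},
         "spec": {}},                                          # no SA set -> default
        {"metadata": {"name": "web-2"},
         "spec": {"automountServiceAccountToken": False}},     # default SA, token not mounted
        {"metadata": {"name": "build-1"},
         "spec": {"serviceAccountName": "builder"}},           # dedicated SA
    ],
})


def effective_service_account(pod):
    """Return the SA a pod actually runs as: the explicit name, else 'default'.
    `serviceAccount` is the deprecated spelling still found in old manifests."""
    spec = pod.get("spec", {})
    return spec.get("serviceAccountName") or spec.get("serviceAccount") or "default"


def token_mounted(pod):
    """True unless the pod explicitly opts out of mounting the SA token."""
    return pod.get("spec", {}).get("automountServiceAccountToken", True) is not False


def pods_exposed_by_sa(pod_list_json, sa_name="default"):
    """Names of pods that run as `sa_name` and have its token mounted; these are
    the pods whose API access changes when a role is bound to that SA."""
    pods = json.loads(pod_list_json).get("items", [])
    return sorted(p["metadata"]["name"] for p in pods
                  if effective_service_account(p) == sa_name and token_mounted(p))


def pods_by_service_account(pod_list_json):
    """Map each service account in the namespace to the pods running as it."""
    out = {}
    for p in json.loads(pod_list_json).get("items", []):
        out.setdefault(effective_service_account(p), []).append(p["metadata"]["name"])
    return {sa: sorted(names) for sa, names in out.items()}


if __name__ == "__main__":
    print("pods that would inherit extra 'default' permissions:",
          pods_exposed_by_sa(SAMPLE_POD_LIST))
    print(pods_by_service_account(SAMPLE_POD_LIST))
```

If the list is not empty, a dedicated service account (oc create sa my-app-sa, then -z my-app-sa in the binding) keeps the new permissions scoped to the pods that need them.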

Summary

  • builder: Used by the OpenShift build system for building images.
  • deployer: Used by the OpenShift deployment system for managing deployments.
  • default: Used by pods that do not specify a service account; has minimal permissions by default.
  • pipeline: Used by Jenkins pipelines to interact with OpenShift resources.

These service accounts help organize and manage different aspects of application lifecycle management in OpenShift, ensuring that each component has the appropriate level of access and security.