Amaya
Mission Specialist

Cluster wide service account


I'm preparing for my ex336 but I can't manage to create a cluster wide service account that will allow me to run playbooks that create objects in the OCP cluster.

Tried with both https://docs.redhat.com/en/documentation/red_hat_ansible_automation_platform/2.4/html/automation_con...
and "oc adm policy add-cluster-role-to-user cluster-admin -z sa-name" then I create the token but still no permissions to access other projects.
Does anyone know how to solve this?
Many thanks in advance

6 Replies
flozano
Moderator

Your command looks right. Are you sure your current project is the one which contains the "sa-name" service account? Remember that service accounts are namespaced resources, but Kubernetes resources perform no referential integrity checks, unlike relational databases, so you could add a role to a user, group, or SA which doesn't exist, and it would create the rolebinding (or clusterrolebinding) anyway.

Amaya
Mission Specialist

I do it on the default project, as I want it to be cluster-wide; however, it does not seem to work, as when I run the playbooks on AAP I always get "insufficient permissions for account sa-name" or something similar.

flozano
Moderator (Accepted Solution)

Resources in the default project are NOT cluster-wide. They're scoped to the default namespace as with any other project. The default project is just pre-created and the initial context of a logged in user. It's not special in any other way.

Cluster-wide resources are not namespaced, that is, they do not belong to any project.

So, to use a service account, which is a namespaced resource, your current project must be the project which contains the service account, and only pods from the same project can use the service account.

But you CAN give permissions (rolebindings and clusterrolebindings) to a service account which grant it access to resources in other projects. When things seem right but don't work as expected, you should look at the YAML of all involved resources to check they are correct, for example to check that a rolebinding refers to a service account in its namespace.
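The check both of flozano's replies describe (does the binding name a service account that really exists in the namespace it points at?) can be automated over the JSON that `oc get clusterrolebinding,rolebinding -A -o json` and `oc get sa -A -o json` return. The script below is an added example written for this thread, not code from the original posts or from Red Hat; the two JSON documents in it are constructed by hand to mimic the shape of that output, with the service account `sa-name` living in a hypothetical `automation` namespace while one clusterrolebinding points at `default/sa-name`, which does not exist.

```python
"""Audit which bindings grant a ServiceAccount a role, and flag bindings whose
subject points at a ServiceAccount that does not exist (Kubernetes creates the
binding anyway, as the thread notes: no referential integrity).

Added example for this thread. Input shape follows what
`oc get clusterrolebinding,rolebinding -A -o json` and `oc get sa -A -o json`
return; the documents below are constructed samples, not real cluster output.
"""
import json

# Constructed sample of bindings. The first one is the mistake discussed in
# the thread: the cluster-admin binding names sa-name in "default", but the
# SA was created in "automation" (hypothetical namespace).
BINDINGS_JSON = json.dumps({
    "kind": "List",
    "items": [
        {
            "kind": "ClusterRoleBinding",
            "metadata": {"name": "cluster-admin-sa-name"},
            "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
            "subjects": [
                {"kind": "ServiceAccount", "name": "sa-name", "namespace": "default"}
            ],
        },
        {
            "kind": "RoleBinding",
            "metadata": {"name": "edit-sa-name", "namespace": "project-b"},
            "roleRef": {"kind": "ClusterRole", "name": "edit"},
            "subjects": [
                {"kind": "ServiceAccount", "name": "sa-name", "namespace": "automation"}
            ],
        },
        {
            "kind": "ClusterRoleBinding",
            "metadata": {"name": "other"},
            "roleRef": {"kind": "ClusterRole", "name": "view"},
            "subjects": [{"kind": "User", "name": "alice"}],
        },
    ],
})

# Constructed sample of the service accounts that actually exist.
SERVICE_ACCOUNTS_JSON = json.dumps({
    "kind": "List",
    "items": [
        {"kind": "ServiceAccount", "metadata": {"name": "sa-name", "namespace": "automation"}},
        {"kind": "ServiceAccount", "metadata": {"name": "default", "namespace": "default"}},
    ],
})


def existing_service_accounts(sa_list_json):
    """Return the set of (namespace, name) pairs for every ServiceAccount in the list."""
    doc = json.loads(sa_list_json)
    return {(i["metadata"]["namespace"], i["metadata"]["name"]) for i in doc["items"]}


def bindings_for_service_account(bindings_json, sa_name, existing):
    """Every binding whose subjects include a ServiceAccount called sa_name.

    Each row records the binding, the role it grants, the namespace the subject
    points at, and whether that (namespace, name) pair exists. A subject that
    does not exist is the dangling case: the binding was accepted by the API
    server but grants nothing to the SA you meant.
    """
    doc = json.loads(bindings_json)
    rows = []
    for item in doc["items"]:
        for subj in item.get("subjects", []):
            if subj.get("kind") != "ServiceAccount" or subj.get("name") != sa_name:
                continue
            ns = subj.get("namespace")
            rows.append({
                "binding": item["metadata"]["name"],
                "binding_kind": item["kind"],
                "binding_namespace": item["metadata"].get("namespace"),  # None when cluster-scoped
                "role": item["roleRef"]["name"],
                "subject_namespace": ns,
                "subject_exists": (ns, sa_name) in existing,
            })
    return rows


def dangling_bindings(bindings_json, sa_name, existing):
    """Names of bindings that reference sa_name in a namespace where no such SA exists."""
    return [r["binding"]
            for r in bindings_for_service_account(bindings_json, sa_name, existing)
            if not r["subject_exists"]]


if __name__ == "__main__":
    known = existing_service_accounts(SERVICE_ACCOUNTS_JSON)
    for r in bindings_for_service_account(BINDINGS_JSON, "sa-name", known):
        status = "ok" if r["subject_exists"] else "DANGLING: no such SA in that namespace"
        print(f'{r["binding_kind"]} {r["binding"]}: {r["role"]} -> '
              f'{r["subject_namespace"]}/sa-name  [{status}]')
```

Run against real output by replacing the two constants with the contents of the `oc get ... -o json` commands named in the docstring. A dangling row is exactly what `oc adm policy add-cluster-role-to-user ... -z sa-name` produces when the current project is not the one holding the service account: the binding exists, but the token you create for the real SA carries none of it.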

Amaya
Mission Specialist

ok, my OCP knowledge is close to 0...

The playbooks are correct, as those are the ones provided in the exam.

I've seen that I can grab the token from the SA already created (I believe I was creating another one, when there was already one) as per the course, maybe that solves all my pains. 

Thanks so much for your help

Chetan_Tiwary_
Community Manager

@Amaya what do you get with: oc get clusterrolebinding | grep sa-name

Amaya
Mission Specialist

No idea, I do it on the exam, but I'll do it next time.
