Azure-devops-docs: Document required ServiceAccount permissions when using Generic provider to add a Kubernetes namespace to an environment

Created on 12 Aug 2019 · 9 Comments · Source: MicrosoftDocs/azure-devops-docs

The documentation indicates that when using the Azure provider to add a Kubernetes namespace to an Environment, a ServiceAccount is created with the minimum required permissions. It would be helpful to detail what those permissions actually are, so that when adding a Kubernetes namespace using the Generic provider the same minimal set of permissions can be applied to the manually created ServiceAccount.



Pri2 cba devops-cictech devopprod doc-bug


All 9 comments

Looks like this is a duplicate of #5121. I noticed that was closed 5 days ago but I do not see any updates in the documentation.

@alexmg -- Alex, thank you for your feedback. Shashank provided a partial answer before closing issue #5121. I'm not sure when the next set of documentation updates will be live.

Thanks @WilliamAntonRohm. Is the relevant documentation in a branch that could be referenced now?

@WilliamAntonRohm @Shashank I'd like to know as well

The documentation updates should be merged to live by early next week.

@alexmg @mmisztal1980 about creation of the service account and role binding: the edit role is required so that the service account is able to deploy objects in the cluster. If using the generic service account based approach, use the following steps -

  1. Create the service account in a namespace. For example -

kubectl apply -n aksnamespace -f - <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: example
EOF

  2. Create a rolebinding to assign the edit role to the service account (same namespace as in step 1). For example -

kubectl create rolebinding example-edit-binding --clusterrole=edit --serviceaccount=aksnamespace:example -n aksnamespace

@shashankbarsin If I wanted to create a 'global' azure-devops service account for my cluster to simplify the environment resource/namespace creation, what would be the good course of action?

  • create a service account in kube-system
  • create a cluster-role-binding with clusterrole=edit
    ?

@mmisztal1980 you can create a service account in any namespace that you have permissions to. Here's the documentation on rolebinding and service account permissions. Actually, I'd recommend scoping down the permissions as much as possible instead of giving cluster-wide privileges. That way, with each Kubernetes resource in an environment mapped to one service account, if the service accounts do not have permissions beyond one namespace, different resources (your org could create one resource for each team, or one resource for staging/prod) will not be able to impact each other.
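The two kubectl steps in the earlier reply and the per-namespace scoping recommended in this one, as an added Python example that is not from the thread or from the Azure DevOps docs. It builds the same ServiceAccount plus RoleBinding pair as a `v1/List` in JSON (which `kubectl apply -f -` accepts alongside YAML) and checks a binding for the two problems the thread touches on: a binding or subject whose namespace does not match the account's (the kind of mismatch a typo in one of the two commands produces), and a ClusterRoleBinding where a single namespace was intended. The function names and the checker are my own; the namespace `aksnamespace`, the account name `example` and the `edit` ClusterRole are taken from the commands above. Nothing here talks to a cluster.

```python
import json
from typing import Dict, List, Optional

# Built-in ClusterRole the reply above says the account needs in order to deploy.
EDIT_ROLE = "edit"


def service_account(namespace: str, name: str) -> Dict:
    """ServiceAccount object, namespaced (equivalent to the kubectl apply step)."""
    return {
        "apiVersion": "v1",
        "kind": "ServiceAccount",
        "metadata": {"name": name, "namespace": namespace},
    }


def edit_rolebinding(namespace: str, sa_name: str, binding_name: Optional[str] = None) -> Dict:
    """RoleBinding that grants the 'edit' ClusterRole to the account, but only inside
    `namespace` (equivalent to the kubectl create rolebinding step)."""
    return {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "RoleBinding",
        "metadata": {"name": binding_name or f"{sa_name}-edit-binding", "namespace": namespace},
        "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": EDIT_ROLE},
        "subjects": [{"kind": "ServiceAccount", "name": sa_name, "namespace": namespace}],
    }


def cluster_wide_edit_binding(sa_namespace: str, sa_name: str) -> Dict:
    """The 'global' alternative asked about in the thread: a ClusterRoleBinding.
    Built here only so the checker can show why it is broader than one environment."""
    return {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "ClusterRoleBinding",
        "metadata": {"name": f"{sa_name}-edit-cluster-binding"},
        "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": EDIT_ROLE},
        "subjects": [{"kind": "ServiceAccount", "name": sa_name, "namespace": sa_namespace}],
    }


def check_binding(binding: Dict, sa: Dict) -> List[str]:
    """Return the problems that would make `binding` either useless for `sa` or wider
    than the account's own namespace. An empty list means it is scoped the way the
    reply above recommends: one account, one namespace, the edit role and nothing more."""
    problems: List[str] = []
    sa_ns = sa["metadata"]["namespace"]
    sa_name = sa["metadata"]["name"]

    if binding.get("kind") != "RoleBinding":
        problems.append(
            f"{binding.get('kind')} grants the role in every namespace, not just {sa_ns!r}"
        )
    elif binding["metadata"].get("namespace") != sa_ns:
        problems.append(
            f"binding lives in {binding['metadata'].get('namespace')!r} "
            f"but the account is in {sa_ns!r}"
        )

    role = binding.get("roleRef", {})
    if (role.get("kind"), role.get("name")) != ("ClusterRole", EDIT_ROLE):
        problems.append(f"roleRef is {role!r}, expected ClusterRole {EDIT_ROLE!r}")

    matching = [
        s for s in binding.get("subjects", [])
        if s.get("kind") == "ServiceAccount"
        and s.get("name") == sa_name
        and s.get("namespace") == sa_ns
    ]
    if not matching:
        problems.append(
            f"no subject matches ServiceAccount {sa_ns}/{sa_name}; the grant would apply to nobody"
        )
    return problems


def environment_manifests(namespace: str, sa_name: str) -> str:
    """One ServiceAccount + RoleBinding pair for one environment, as a v1 List that
    `kubectl apply -f -` accepts (kubectl reads JSON as well as YAML)."""
    items = [service_account(namespace, sa_name), edit_rolebinding(namespace, sa_name)]
    return json.dumps({"apiVersion": "v1", "kind": "List", "items": items}, indent=2)


if __name__ == "__main__":
    # Pipe this into `kubectl apply -f -` to reproduce the two manual steps in one go.
    print(environment_manifests("aksnamespace", "example"))
```

Running the checker against the namespaced pair returns nothing; against a binding whose namespace is misspelled it reports both the binding-namespace mismatch and the missing subject, and against the ClusterRoleBinding it reports the cluster-wide grant, which is the distinction the reply above is drawing.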

@alexmg, @mmisztal1980 -- I believe your questions have been answered. I am closing this issue now. You are welcome to @ mention me for any followup.
We hope to hear from you again.

yes, thank you
