Use Service-Account or User-Account for Kubernetes deployment?

6/5/2019

I'm new to Kubernetes and playing around with Kubernetes RBAC. I want to restrict access to my cluster for different users. As I understood, Service-Accounts are meant for intra-cluster processes running inside pods, which want to authenticate against the API.

So should I use User-Accounts for build servers and access from outside the cluster via a kubeconfig file? Or what are the best practices in this case?

Is it bad to use Service-Accounts to access the cluster remotely?

-- Feralus
devops
kubectl
kubernetes

2 Answers

6/5/2019

You should use Kubernetes' ordinary user authentication system for authenticating automation agents that run outside the cluster. Service accounts are only usable by pods running inside the cluster (unless you go very far out of your way to "borrow" a service account token). You can do things like set up a RoleBinding to give special permission to create and delete Kubernetes objects to your CD system's user.

-- David Maze
Source: StackOverflow
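
The RoleBinding mentioned in the answer above could look like the following manifest. This is an added example, not part of the original answer; the namespace `staging`, the user name `ci-deployer` and the object names are assumptions, and the user name must match whatever identity the cluster's authenticator reports (for client certificates, the certificate's CN).

```yaml
# Added example. Assumed names: namespace "staging", user "ci-deployer".
# A namespaced Role limits the CD user to what a deployment needs,
# instead of binding it to a cluster-wide role such as cluster-admin.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: deployer
  namespace: staging
rules:
  # Create, change and delete the workload objects the pipeline manages.
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: [""]
    resources: ["services", "configmaps"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  # Read-only on pods and their logs, for rollout checks.
  # No access to secrets and no RBAC objects are granted.
  - apiGroups: [""]
    resources: ["pods", "pods/log"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ci-deployer-binding
  namespace: staging
subjects:
  # kind: User refers to an externally authenticated identity;
  # Kubernetes stores no object for it.
  - kind: User
    name: ci-deployer
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: deployer
  apiGroup: rbac.authorization.k8s.io
# Check the result from an admin context:
#   kubectl auth can-i create deployments -n staging --as ci-deployer   (expect: yes)
#   kubectl auth can-i get secrets -n staging --as ci-deployer          (expect: no)
```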

6/5/2019

Kubernetes doesn't have a user object. I recommend using a service account for deployments.

-- P Ekambaram
Source: StackOverflow