Given the problem mentioned here, I am wondering whether it is possible to refer to serviceAccountName: "test-sa", which is in namespace n2 for example, to create a StatefulSet in namespace n1.
```yaml
apiVersion: apps/v1beta1
kind: StatefulSet
metadata:
  name: "{{.Values.ContainerName}}"
  namespace: n1
  labels:
    name: "{{.Values.ReplicaName}}"
    app: "{{.Values.ContainerName}}"
    chart: "{{.Chart.Name}}-{{.Chart.Version}}"
  annotations:
    "helm.sh/created": {{.Release.Time.Seconds | quote }}
spec:
  selector:
    matchLabels:
      app: "{{.Values.ContainerName}}"
  serviceName: "{{.Values.ContainerName}}"
  replicas: 2
  template:
    metadata:
      labels:
        app: "{{.Values.ContainerName}}"
    spec:
      serviceAccountName: "test-sa"
      securityContext:
        fsGroup: 26
      terminationGracePeriodSeconds: 10
      containers:
      - name: {{.Values.ContainerName}}
        image: "{{.Values.PostgresImage}}"
        ports:
        - containerPort: 5432
          name: postgres
        resources:
          requests:
            cpu: {{default "100m" .Values.Cpu}}
            memory: {{default "100M" .Values.Memory}}
        env:
        - name: PGHOST
          value: /tmp
        - name: PG_PRIMARY_USER
          value: primaryuser
        - name: PG_MODE
          value: set
        - name: PG_PRIMARY_HOST
          value: "{{.Values.PrimaryName}}"
        - name: PG_PRIMARY_PORT
          value: "5432"
        - name: PG_PRIMARY_PASSWORD
          value: "{{.Values.PrimaryPassword}}"
        - name: PG_USER
          value: testuser
        - name: PG_PASSWORD
          value: "{{.Values.UserPassword}}"
        - name: PG_DATABASE
          value: userdb
        - name: PG_ROOT_PASSWORD
          value: "{{.Values.RootPassword}}"
        volumeMounts:
        - name: pgdata
          mountPath: "/pgdata"
          readOnly: false
      volumes:
      - name: pgdata
        persistentVolumeClaim:
          claimName: {{.Values.PVCName}}
```
You can't; they need to be in the same namespace.
This is a more general rule. Whenever one object refers to another they generally need to be in the same namespace, or the target needs to be a cluster-global object. If a Pod references data in a ConfigMap or mounts a PersistentVolumeClaim, those need to be in the same namespace; if a Service selects Pods by label, those need to be in the same namespace. There are a couple of exceptions, notably around RBAC, but usually these things need to be deployed together.
In the context of a Helm chart, I'd just create a new ServiceAccount rather than trying to reuse an existing one. If it uses the typical {{ .Release.Name }}-{{ .Chart.Name }} naming pattern there won't generally be naming conflicts.
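
An added example, not part of the original answer or of any chart's own code, showing the approach described above: the chart creates its own ServiceAccount in the StatefulSet's namespace, and the RBAC exception is used to give that account narrowly scoped access in another namespace. The Role name `config-reader`, the ConfigMap read permission, and the use of n2 as the target namespace are assumptions chosen for illustration.

```yaml
# templates/serviceaccount.yaml (illustrative file name)
# The ServiceAccount lives in the same namespace as the StatefulSet (n1).
# In the pod template, reference it by name only:
#   serviceAccountName: "{{ .Release.Name }}-{{ .Chart.Name }}"
# The field takes a bare name, so it always resolves in the Pod's own namespace.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: "{{ .Release.Name }}-{{ .Chart.Name }}"
  namespace: n1
---
# Assumed example permission: read-only access to ConfigMaps in n2.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: config-reader            # hypothetical name
  namespace: n2
rules:
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get", "list"]
---
# The RBAC exception: a RoleBinding subject carries its own namespace,
# so a binding in n2 can name a ServiceAccount that lives in n1.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: "{{ .Release.Name }}-config-reader"   # hypothetical name
  namespace: n2
subjects:
  - kind: ServiceAccount
    name: "{{ .Release.Name }}-{{ .Chart.Name }}"
    namespace: n1
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: config-reader
```

The Pod still runs under an account in its own namespace; only the permission grant crosses the namespace boundary, and it is limited to what the Role in n2 lists.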