Override Default Service account used by spring boot app deployed in Kubernetes

3/3/2021

Problem statement :

I have deployed a Spring Boot app which, on starting, always uses the default Compute Engine service account credentials to authenticate the app. I have created a separate service account and key but am not able to replace the default one. I tried specifying the new service account in deployment.yaml by using the "serviceAccountName" field, but still got an error saying service account (e.g. "xyz") not found.

serviceAccountName: {{ .Values.serviceAccountName }}

So how can I override the default Compute Engine service account with a specific service account and define it in deployment.yaml?

If I add the credentials of the new service account to the app code base it will work, but that is not a best practice, so please could someone help me resolve this issue.

Snippet of my deployment.yaml file:

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: helloworld
    appVersion: {{ .Values.appVersion }}
  name: helloworld
spec:
  replicas: 1
  selector:
    matchLabels:
      app: helloworld
  template:
    metadata:
      labels:
        app: helloworld
        environment: {{ .Values.environment }}
    spec:
      containers:
        - name: helloworld
          image: {{ .Values.imageSha }}
          imagePullPolicy: Always
          securityContext:
            allowPrivilegeEscalation: false
            runAsUser: 1000
          ports:
            - containerPort: 8080
          env:
          - name: SPRING_CONFIG_LOCATION
            value: "/app/deployments/config/"
          volumeMounts:
            - name: application-config
              mountPath: "/app/deployments/config"
              readOnly: true
      volumes:
      - name: application-config
        configMap:
          name: {{ .Values.configMapName }}
          items:
          - key: application.properties
            path: application.properties
-- Spiriter_rider
google-cloud-platform
google-kubernetes-engine
kubernetes
spring-boot

1 Answer

3/11/2021

I think you should use Workload Identity, which allows access to Google Cloud from outside.

Workload Identity is the recommended way to access Google Cloud services from applications running within GKE due to its improved security properties and manageability. For information about alternative ways to access Google Cloud APIs from GKE, refer to the alternatives section below.

The above guide is well described and I think it should resolve your issue.

For an additional example, you can check one of the Community Tutorials - Using Kubernetes Workload Identity for client-server authorization.

In GKE, the Workload Identity feature allows these identities to also be associated with IAM service accounts. This allows a pod running as a Kubernetes service account to act as the associated service account for authorized access to Google APIs and to services that verify identity based on Google Cloud-specific OIDC.

Both docs have examples which should help you adjust Workload Identity to your needs.

-- PjoterS
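The Workload Identity wiring the answer points to, applied to the asker's helloworld Deployment, as an added example that is not part of the question or answer. Project, cluster, location and the two service account names are placeholders; it assumes an authenticated gcloud and kubectl, and that the container image has curl for the final check.

```shell
#!/bin/sh
# Added example: bind the helloworld Deployment to a dedicated Google service
# account through Workload Identity instead of a key file or the node default.
set -eu

PROJECT_ID="${PROJECT_ID:-my-project}"     # assumed placeholder
CLUSTER="${CLUSTER:-my-cluster}"           # assumed placeholder
LOCATION="${LOCATION:-us-central1}"        # assumed placeholder
NAMESPACE="${NAMESPACE:-default}"
KSA="${KSA:-helloworld-sa}"                # Kubernetes SA used in serviceAccountName
GSA="${GSA:-helloworld-gsa}"               # Google IAM service account (no key)

# IAM member string that lets the Kubernetes SA impersonate the Google SA.
wi_member() { # project namespace ksa
  printf 'serviceAccount:%s.svc.id.goog[%s/%s]' "$1" "$2" "$3"
}

gsa_email() { # gsa project
  printf '%s@%s.iam.gserviceaccount.com' "$1" "$2"
}

setup_workload_identity() {
  # 1. The cluster needs a workload pool (no-op if already enabled).
  gcloud container clusters update "$CLUSTER" --location "$LOCATION" \
    --workload-pool="${PROJECT_ID}.svc.id.goog"
  # 2. The Google SA the app should act as; grant it only the roles it needs.
  gcloud iam service-accounts create "$GSA" --project "$PROJECT_ID" || true
  # 3. The Kubernetes SA must exist in the namespace, or the pod fails with
  #    "serviceaccount not found" exactly as in the question.
  kubectl -n "$NAMESPACE" create serviceaccount "$KSA" --dry-run=client -o yaml \
    | kubectl apply -f -
  kubectl -n "$NAMESPACE" annotate serviceaccount "$KSA" --overwrite \
    "iam.gke.io/gcp-service-account=$(gsa_email "$GSA" "$PROJECT_ID")"
  # 4. Allow the Kubernetes SA to impersonate the Google SA (replaces the key file).
  gcloud iam service-accounts add-iam-policy-binding "$(gsa_email "$GSA" "$PROJECT_ID")" \
    --project "$PROJECT_ID" --role roles/iam.workloadIdentityUser \
    --member "$(wi_member "$PROJECT_ID" "$NAMESPACE" "$KSA")"
  # 5. Point the Deployment at the Kubernetes SA (the field from the question).
  kubectl -n "$NAMESPACE" patch deployment helloworld -p \
    "{\"spec\":{\"template\":{\"spec\":{\"serviceAccountName\":\"$KSA\"}}}}"
}

# Check from inside a pod which identity Application Default Credentials will
# pick up: this should print the Google SA email, not the Compute Engine default.
verify_identity() {
  kubectl -n "$NAMESPACE" exec deploy/helloworld -- curl -s -H 'Metadata-Flavor: Google' \
    http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/email
}

# Run: setup_workload_identity && verify_identity
```

If the check still prints the node's Compute Engine service account, the pod is not running on a Workload Identity node pool or the annotation and IAM binding do not match.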
Source: StackOverflow