In consul connect why does consul service needs the service account with the same name as the consul service name?

8/9/2021

I am trying to experiment with consul connect. When I give a service account name that doesn't match the service name of the deployment, I get the below error.

[ERROR] service account name abc doesn't match Consul service name xyz

Consul documentation says the below

If ACLs are enabled, the serviceAccountName must match the Consul service name.

What is the reason behind this?

-- Magesh
consul
kubernetes

1 Answer

8/30/2021

To identify a workload created by Kubernetes, Consul requires a Service Account to be created for the application. The service account is a unique credential that is used as a base identity for the workload.

When the sidecar proxy starts, the service account token is used to authenticate to Consul to register the proxy with the control plane. Consul contacts the Kubernetes API server to check that the token is valid for the workload being registered. For example, that a service account for the service web is being used to register a sidecar for a service named web, and not a different service name.

This is the reason that the service account name needs to match the service name.

Consul's documentation on ACL Auth Methods explains this in slightly more detail.

-- Blake Covarrubias
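The check the answer describes can be modelled in a few dozen lines. The following is an added illustration, not Consul's or consul-k8s's own code: it stands in for the sidecar presenting a service account token, Consul asking the Kubernetes API server whether that token is valid (the API call is replaced by a constructed lookup table), and a binding rule of the form `${serviceaccount.name}` mapping the reviewed identity to the Consul service identity that the proxy is allowed to register. The token table, the `web`/`abc`/`xyz` names and the tiny selector syntax are constructed for the example; the `${serviceaccount.name}` template and the error wording come from the page.

```python
"""Model of the Consul Kubernetes auth-method identity check (added example)."""
import re
from dataclasses import dataclass

# Constructed stand-in for the Kubernetes API server's TokenReview endpoint:
# an opaque service account token maps to (namespace, service account name).
# A real deployment never has such a table; the API server validates the
# token's signature and returns the identity it was issued for.
VALID_TOKENS = {
    "tok-web": ("default", "web"),
    "tok-abc": ("default", "abc"),
    "tok-ops": ("ops", "web"),
}


@dataclass(frozen=True)
class BindingRule:
    """A Consul binding rule: an optional selector plus a bind-name template."""
    bind_name: str = "${serviceaccount.name}"      # template from the page
    selector: str = ""                              # e.g. "serviceaccount.namespace==default"


def token_review(token: str):
    """Constructed TokenReview: return (namespace, name) or None if invalid."""
    return VALID_TOKENS.get(token)


def render_bind_name(template: str, namespace: str, name: str) -> str:
    """Substitute the selectable variables Consul exposes for this auth method."""
    vars_ = {"serviceaccount.namespace": namespace, "serviceaccount.name": name}
    return re.sub(r"\$\{([a-z.]+)\}", lambda m: vars_[m.group(1)], template)


def selector_matches(selector: str, namespace: str, name: str) -> bool:
    """Minimal selector: empty, or 'field==value' on the two variables."""
    if not selector:
        return True
    field, value = selector.split("==", 1)
    fields = {"serviceaccount.namespace": namespace, "serviceaccount.name": name}
    return fields[field.strip()] == value.strip()


def register_sidecar(token: str, consul_service: str,
                     rule: BindingRule = BindingRule()) -> str:
    """Return the service identity granted to the proxy, or raise PermissionError.

    This is the point of the answer: the identity is derived from the reviewed
    service account, so a proxy can only register under that name.
    """
    identity = token_review(token)
    if identity is None:
        raise PermissionError("service account token rejected by Kubernetes")
    namespace, sa_name = identity
    if not selector_matches(rule.selector, namespace, sa_name):
        raise PermissionError(f"no binding rule matched service account {namespace}/{sa_name}")
    bound = render_bind_name(rule.bind_name, namespace, sa_name)
    if bound != consul_service:
        # Wording matches the error quoted in the question.
        raise PermissionError(
            f"service account name {sa_name} doesn't match Consul service name {consul_service}")
    return bound


if __name__ == "__main__":
    print(register_sidecar("tok-web", "web"))          # web
    try:
        register_sidecar("tok-abc", "xyz")
    except PermissionError as exc:
        print("[ERROR]", exc)
```

Running the block prints the success case followed by the same `[ERROR] service account name abc doesn't match Consul service name xyz` line the question shows, and a namespace-scoped `BindingRule(selector="serviceaccount.namespace==default")` rejects the `ops` token even though its service account is also called `web`.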
Source: StackOverflow