I am trying to experiment with consul connect. When I gave a service account name that's not matching with the service name of the deployment I am getting the below error.
[ERROR] service account name abc doesn't match Consul service name xyz
Consul documentation says the below
If ACLs are enabled, the serviceAccountName must match the Consul service name.
What is the reason behind this?
To identify a workload created by Kubernetes, Consul requires a Service Account to be created for the application. The service account is a unique credential that is used as a base identity for the workload.
When the sidecar proxy starts, the service account token is used to authenticate to Consul to register the proxy with the control plane. Consul contacts the Kubernetes API server to check that the token is valid for the workload being registered. For example, that a service account for the service web is being used to register a sidecar for a service named web, and not a different service name.
This is the reason that the service account name needs to match the service name.
Consul's documentation on ACL Auth Methods explains this in slightly more detail.
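To make the mechanism in the answer concrete, here is an added illustration (not Consul's code) of the check it describes: the identity carried by the service account token, as a Kubernetes TokenReview response would report it, is compared with the service name the sidecar asks to register. The TokenReview payload is constructed for the example; the error string mirrors the one in the question.

```python
import json

# Constructed sample of a Kubernetes TokenReview response (not a real cluster reply).
# Kubernetes reports a service account identity as system:serviceaccount:<namespace>:<name>.
TOKEN_REVIEW_OK = json.dumps({
    "apiVersion": "authentication.k8s.io/v1",
    "kind": "TokenReview",
    "status": {
        "authenticated": True,
        "user": {"username": "system:serviceaccount:default:web"},
    },
})

# Constructed sample for a token the API server rejected.
TOKEN_REVIEW_REJECTED = json.dumps({"status": {"authenticated": False}})


def service_account_from_review(review_json):
    """Return (namespace, name) of the service account a TokenReview validated, or None."""
    status = json.loads(review_json).get("status", {})
    if not status.get("authenticated"):
        return None
    username = status.get("user", {}).get("username", "")
    prefix = "system:serviceaccount:"
    if not username.startswith(prefix):
        return None  # authenticated, but not a service account identity
    parts = username[len(prefix):].split(":")
    if len(parts) != 2 or not all(parts):
        return None
    return parts[0], parts[1]


def check_registration(review_json, consul_service):
    """Model the binding rule: the service account name from the token must equal the
    Consul service name being registered. Returns None when allowed, else an error string."""
    identity = service_account_from_review(review_json)
    if identity is None:
        return "token is not a valid service account token"
    _, sa_name = identity
    if sa_name != consul_service:
        return f"service account name {sa_name} doesn't match Consul service name {consul_service}"
    return None
```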