A service account is an OKD account that allows a component to directly access the API. Service accounts are API objects that exist within each project. Service accounts provide a flexible way to control API access without sharing a regular user’s credentials.
When you use the OKD CLI or web console, your API token authenticates you to the API. You can associate a component with a service account so that they can access the API without using a regular user’s credentials. For example, service accounts can allow:
Replication controllers to make API calls to create or delete pods.
Applications inside containers to make API calls for discovery purposes.
External applications to make API calls for monitoring or integration purposes.
Each service account’s user name is derived from its project and name:
Every service account is also a member of two groups:
Includes all service accounts in the system.
Includes all service accounts in the specified project.
Each service account automatically contains two secrets:
An API token
Credentials for the OpenShift Container Registry
The generated API token and registry credentials do not expire, but you can revoke them by deleting the secret. When you delete the secret, a new one is automatically generated to take its place.
Your OKD cluster contains default service accounts for cluster management and generates more service accounts for each project.
Several infrastructure controllers run using service account credentials. The
following service accounts are created in the OKD infrastructure
openshift-infra) at server start, and given the following roles
Three service accounts are automatically created in each project:
Used by build pods. It is given the
Used by deployment pods and given the
Used to run all other pods unless they specify a different service account.
All service accounts in a project are given the
which allows pulling images from any imagestream in the project using the
internal container image registry.
You can create a service account in a project and grant it permissions by binding it to a role.
Optional: To view the service accounts in the current project:
$ oc get sa
NAME SECRETS AGE builder 2 2d default 2 2d deployer 2 2d
To create a new service account in the current project:
$ oc create sa <service_account_name> (1)
|1||To create a service account in a different project, specify
serviceaccount "robot" created
Optional: View the secrets for the service account:
$ oc describe sa robot
Name: robot Namespace: project1 Labels: <none> Annotations: <none> Image pull secrets: robot-dockercfg-qzbhb Mountable secrets: robot-token-f4khf robot-dockercfg-qzbhb Tokens: robot-token-f4khf robot-token-z8h44
You can distribute a service account’s token to external applications that must authenticate to the API.
To pull an image, the authenticated user must have
get rights on the
imagestreams/layers. To push an image, the authenticated
user must have
update rights on the requested
By default, all service accounts in a project have rights to pull any image in the same project, and the builder service account has rights to push any image in the same project.
View the service account’s API token:
$ oc describe secret <secret_name>
$ oc describe secret robot-token-uzkbh -n top-secret
Name: robot-token-uzkbh Labels: <none> Annotations: kubernetes.io/service-account.name=robot,kubernetes.io/service-account.uid=49f19e2e-16c6-11e5-afdc-3c970e4b7ffe Type: kubernetes.io/service-account-token Data token: eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...
Log in using the token that you obtained:
$ oc login --token=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...
Logged into "https://server:8443" as "system:serviceaccount:top-secret:robot" using the token provided. You don't have any projects. You can try to create a new project, by running $ oc new-project <projectname>
Confirm that you logged in as the service account:
$ oc whoami