how can I create a service account for all namespaces in a kubernetes cluster?

Tags:

kubernetes

So I have namespaces

ns1, ns2, ns3, and ns4.

I have a service account sa1 in ns1. I am deploying pods to ns2, ns4 that use sa1. When I look at the logs, it tells me that the sa1 in ns2 can't be found.

error:

Error creating: pods "web-test-2-795f5fd489-" is forbidden: error looking up service account ns2/sa: serviceaccount "sa" not found

Is there a way to make service accounts cluster-wide? Or can I create multiple service accounts with the same secret in different namespaces?

Mr. E asked Aug 06 '20 12:08



3 Answers

You can use this:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kubernetes-enforce
rules:
- apiGroups: ["", "apps"]   # pods live in the core ("") API group, not "apps"
  resources: ["deployments","pods","daemonsets"]
  verbs: ["get", "list", "watch", "patch"]
- apiGroups: ["*"]
  resources: ["namespaces"]
  verbs: ["get", "list", "watch"]
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: kubernetes-enforce
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: kubernetes-enforce-logging
  namespace: cattle-logging
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kubernetes-enforce
subjects:
- kind: ServiceAccount
  name: kubernetes-enforce
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: kubernetes-enforce-prome
  namespace: cattle-prometheus
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kubernetes-enforce
subjects:
- kind: ServiceAccount
  name: kubernetes-enforce
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: kubernetes-enforce-system
  namespace: cattle-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kubernetes-enforce
subjects:
- kind: ServiceAccount
  name: kubernetes-enforce
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: kubernetes-enforce-default
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kubernetes-enforce
subjects:
- kind: ServiceAccount
  name: kubernetes-enforce
  namespace: kube-system



breizh5729 answered Oct 16 '22 09:10


No, there is no way to create a cluster-wide service account, as a service account is a namespace-scoped resource. This follows the principle of least privilege.

You can create a service account with the same name (for example default) in all the necessary namespaces where you are deploying pods pretty easily by applying the service account YAML targeting those namespaces.

Then you can deploy the pod using YAML. This way you don't need to change anything in the pod because the service account name is the same, although it will have a different secret, and that should not matter as long as you have defined RBAC via Role and RoleBinding for all the service accounts across those namespaces.

While service accounts cannot be cluster-scoped, you can have a ClusterRole and ClusterRoleBinding, which are cluster-scoped.

Arghya Sadhu answered Oct 16 '22 08:10


If your namespaces are, for example, in values.yaml (that is, they are somehow dynamic), you could do:

apiVersion: v1
kind: List
items:
  {{- range $namespace := .Values.namespaces }}
  - kind: ServiceAccount
    apiVersion: v1
    metadata:
      name: <YourAccountName>
      namespace: {{ $namespace }}
  {{- end }}

where in values.yaml you would have:

namespaces:
  - namespace-a
  - namespace-b
  - default

Eugene answered Oct 16 '22 08:10
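An added example, not code from any of the answers above, that scripts what the second answer describes and generalizes the third answer's loop: a POSIX shell function that emits a same-named ServiceAccount in every listed namespace, each bound to one shared ClusterRole through a namespaced RoleBinding rather than a ClusterRoleBinding, so each namespace only grants what it needs. sa1, ns2 and ns4 come from the question; the ClusterRole name pod-reader is an assumption.

```shell
#!/bin/sh
# Added example, not code from the answers above: print a ServiceAccount of
# the same name in every listed namespace plus a namespaced RoleBinding that
# grants it one shared ClusterRole. Nothing reaches the cluster until the
# output is piped into kubectl.

# gen_sa_manifests <sa-name> <clusterrole-name> <namespace>...
# Emits a multi-document YAML stream on stdout.
gen_sa_manifests() {
  sa="$1"; role="$2"; shift 2
  for ns in "$@"; do
    cat <<EOF
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ${sa}
  namespace: ${ns}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ${sa}-${role}
  namespace: ${ns}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ${role}
subjects:
- kind: ServiceAccount
  name: ${sa}
  namespace: ${ns}
EOF
  done
}

# count_docs <yaml-stream>: number of documents, as a sanity check before apply.
count_docs() { printf '%s\n' "$1" | grep -c '^---$'; }

# sa_subject <namespace> <sa-name>: the username the API server sees for this
# account, usable with "kubectl auth can-i ... --as=<subject>" to verify RBAC.
sa_subject() { printf 'system:serviceaccount:%s:%s' "$1" "$2"; }

# sa1, ns2 and ns4 come from the question; the ClusterRole name "pod-reader"
# is an assumption and must already exist in the cluster.
manifests=$(gen_sa_manifests sa1 pod-reader ns2 ns4)
# Apply:  printf '%s\n' "$manifests" | kubectl apply -f -
# Verify: kubectl auth can-i list pods -n ns2 --as="$(sa_subject ns2 sa1)"
```

After applying, the pods in ns2 and ns4 resolve sa1 locally (each namespace has its own token), and the RoleBinding scope means a compromised token in ns2 grants nothing in ns4.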