Create an Admin Type Service Account

An admin type user typically has full permissions to cluster-scoped resources as well as full permissions to all resources scoped to any namespace.

About this task

A cluster-admin ClusterRole is defined by default for such a user. To create an admin service account with the cluster-admin role, use the following procedure:

Note

It is recommended that you create and manage service accounts within the kube-system namespace.

Procedure

  1. Create the user definition.

    For example:

    % cat <<EOF > admin-user.yaml
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: admin-user
      namespace: kube-system
    ---
    apiVersion: v1
    kind: Secret
    type: kubernetes.io/service-account-token
    metadata:
      name: admin-user-sa-token
      namespace: kube-system
      annotations:
        kubernetes.io/service-account.name: admin-user
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: admin-user
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: cluster-admin
    subjects:
    - kind: ServiceAccount
      name: admin-user
      namespace: kube-system
    EOF
    
  2. Apply the configuration.

    % kubectl apply -f admin-user.yaml
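
Because the binding created above grants cluster-admin to a service account, it is worth auditing which service accounts hold that role. The following script is an added example, not part of the StarlingX documentation: it reads the output of `kubectl get clusterrolebindings -o json` and lists every ServiceAccount bound to cluster-admin, flagging those outside kube-system. The file name `audit.py` and all sample entries other than `admin-user` are assumptions made for illustration.

```python
import json
import sys

# Constructed sample shaped like `kubectl get clusterrolebindings -o json`.
# Only "admin-user" comes from this page; the other entries are hypothetical.
SAMPLE = {"items": [
    {"metadata": {"name": "admin-user"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "admin-user",
                   "namespace": "kube-system"}]},
    {"metadata": {"name": "cluster-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:masters"}]},
    {"metadata": {"name": "ci-deployer"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "ci-deployer",
                   "namespace": "build"}]},
    {"metadata": {"name": "read-only"},
     "roleRef": {"kind": "ClusterRole", "name": "view"},
     "subjects": [{"kind": "ServiceAccount", "name": "reporter",
                   "namespace": "kube-system"}]},
    {"metadata": {"name": "orphaned"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": None},
]}


def cluster_admin_service_accounts(crb_list):
    """Return sorted (binding, namespace, name) for each ServiceAccount bound to cluster-admin."""
    found = []
    for item in crb_list.get("items", []):
        ref = item.get("roleRef", {})
        if (ref.get("kind"), ref.get("name")) != ("ClusterRole", "cluster-admin"):
            continue
        # A binding without subjects serializes as null or omits the key entirely.
        for subj in item.get("subjects") or []:
            if subj.get("kind") == "ServiceAccount":
                found.append((item["metadata"]["name"], subj.get("namespace", ""), subj["name"]))
    return sorted(found)


def outside_kube_system(accounts):
    """Accounts that do not follow the recommendation to keep service accounts in kube-system."""
    return [a for a in accounts if a[1] != "kube-system"]


if __name__ == "__main__":
    # Usage: kubectl get clusterrolebindings -o json > crb.json; python3 audit.py crb.json
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    accounts = cluster_admin_service_accounts(data)
    for binding, namespace, name in accounts:
        flag = "  <-- not in kube-system" if namespace != "kube-system" else ""
        print(f"{namespace}/{name} via ClusterRoleBinding {binding}{flag}")
```

Run without arguments, the script uses the constructed sample; given a file path, it audits the real cluster's bindings.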
    

Note

StarlingX can also use user accounts defined in an external Windows Active Directory to authenticate to the Kubernetes API, the kubectl CLI, or the Kubernetes Dashboard. For more information, see Configure OIDC Auth Applications.