Merge pull request #13010 from kalexand-rh/osdocs-56

service accounts

Author: kalexand-rh

_topic_map.yml

@@ -59,6 +59,10 @@ Topics:
   File: using-rbac  
 - Name: Configuring the user agent
   File: configuring-user-agent
+- Name: Understanding and creating service accounts
+  File: understanding-and-creating-service-accounts
+- Name: Using service accounts in applications
+  File: using-service-accounts-in-applications  
 - Name: Using a service account as an OAuth client
   File: using-service-accounts-as-oauth-client 
 ---

authentication/understanding-and-creating-service-accounts.adoc

@@ -0,0 +1,19 @@
+[id='understanding-and-creating-service-accounts']
+= Understanding and creating service accounts
+include::modules/common-attributes.adoc[]
+:context: understanding-service-accounts
+toc::[]
+ 
+include::modules/service-accounts-overview.adoc[leveloffset=+1]
+
+include::modules/service-accounts-dedicated-admin-role.adoc[leveloffset=+1]
+
+include::modules/dedicated-admin-role-overview.adoc[leveloffset=+1]
+
+include::modules/service-accounts-enabling-authentication.adoc[leveloffset=+1]
+
+include::modules/service-accounts-creating.adoc[leveloffset=+1]
+
+include::modules/service-accounts-configuration-parameters.adoc[leveloffset=+1]
+
+include::modules/service-accounts-granting-roles.adoc[leveloffset=+1]

authentication/using-service-accounts-in-applications.adoc

@@ -0,0 +1,15 @@
+[id='using-service-accounts']
+= Using service accounts in applications
+include::modules/common-attributes.adoc[]
+:context: using-service-accounts
+toc::[]
+ 
+include::modules/service-accounts-overview.adoc[leveloffset=+1]
+
+include::modules/service-accounts-default.adoc[leveloffset=+1]
+
+include::modules/service-accounts-creating.adoc[leveloffset=+1]
+
+include::modules/service-accounts-using-credentials-inside-a-container.adoc[leveloffset=+1]
+
+include::modules/service-accounts-using-credentials-externally.adoc[leveloffset=+1]

modules/dedicated-admin-role-overview.adoc

@@ -0,0 +1,52 @@
+// Module included in the following assemblies:
+//
+// * authentication/using-service-accounts.adoc
+
+[id='dedicated-admin-role-overview-{context}']
+ifdef::openshift-dedicated[]
+= About the dedicated administrator role
+
+The accounts for dedicated administrators of an {product-title} cluster,
+have increased
+permissions and access to all user-created projects.
+
+////
+[NOTE]
+====
+Some configuration changes or procedures discussed in this guide can be
+performed by only the {product-title} Operations Team. They are included in this
+guide for informational purposes to help you as an {product-title} cluster
+administrator better understand what configuration options are possible. If you
+want to request a change to your cluster that you cannot perform using the
+administrator CLI, open a support case on the
+https://access.redhat.com/support/[Red Hat Customer Portal].
+====
+////
+
+When your account has the `dedicated-cluster-admin` authorization role
+bound to it, you
+are automatically bound to the `dedicated-project-admin` role for any new projects
+that users in the cluster create.
+
+You can perform actions that are associated with a set of verbs, such as `create`,
+to operate on a set of resource names, such as `templates`. To view the details
+of these roles and their sets of
+verbs and resources, run the following commands:
+
+----
+$ oc describe clusterrole/dedicated-cluster-admin
+$ oc describe clusterrole/dedicated-project-admin
+----
+
+The verb names do not necessarily all map directly to `oc` commands but rather
+equate more generally to the types of CLI operations you can perform. For
+example, having the `list` verb means that you can display a list of all objects
+of a given resource name by running the `oc get` command, but the `get` verb 
+means that you can display the details of a specific object if you know its name
+by runnign the `oc describe` command.
+
+{product-title} administrators can grant users a `dedicated-reader` role, which
+provides view-only access at the cluster level and view access for all
+user projects.
+
+endif::[]

modules/pod-using-a-different-service-account.adoc

@@ -0,0 +1,32 @@
+// Module included in the following assemblies:
+//
+// * 
+
+[id='pod-using-a-different-service-account-{context}']
+= Running a pod with a different service account
+
+You can run a pod with a service account other than the default:
+
+.Prerequisites
+
+* Install the `oc` command line interface.
+* Configure a service account.
+* Create a deployment configuration.
+
+.Procedure
+
+. Edit the deployment configuration:
++
+----
+$ oc edit dc/<deployment_config>
+----
+
+. Add the `serviceAccount` and `serviceAccountName` parameters to the `spec`
+field, and specify the service account that you want to use:
++
+----
+spec:
+  securityContext: {}
+  serviceAccount: <service_account>
+  serviceAccountName: <service_account>
+----

modules/service-accounts-adding-secrets.adoc

@@ -0,0 +1,70 @@
+// Module included in the following assemblies:
+//
+// * authentication/using-service-accounts.adoc
+
+[id='service-accounts-managing-secrets-{context}']
+== Managing secrets on a service account's pod
+
+In addition to providing API credentials, a pod's service account determines
+which secrets the pod is allowed to use.
+
+Pods use secrets in two ways:
+
+* image pull secrets, providing credentials used to pull images for the pod's containers
+* mountable secrets, injecting the contents of secrets into containers as files
+
+To allow a secret to be used as an image pull secret by a service account's
+pods, run:
+
+----
+$ oc secrets link --for=pull <serviceaccount-name> <secret-name>
+----
+
+To allow a secret to be mounted by a service account's pods, run:
+
+----
+$ oc secrets link --for=mount <serviceaccount-name> <secret-name>
+----
+
+[NOTE]
+====
+Limiting secrets to only the service accounts that reference them is disabled by
+default. This means that if `serviceAccountConfig.limitSecretReferences` is set
+to `false` (the default setting) in the master configuration file, mounting
+secrets to a service account's pods with the `--for=mount` option is not
+required. However, using the `--for=pull` option to enable using an image pull
+secret is required, regardless of the
+`serviceAccountConfig.limitSecretReferences` value.
+====
+
+This example creates and adds secrets to a service account:
+
+----
+$ oc create secret generic secret-plans \
+    --from-file=plan1.txt \
+    --from-file=plan2.txt
+secret/secret-plans
+
+$ oc create secret docker-registry my-pull-secret \
+    --docker-username=mastermind \
+    --docker-password=12345 \
+    --docker-email=mastermind@example.com
+secret/my-pull-secret
+
+$ oc secrets link robot secret-plans --for=mount
+
+$ oc secrets link robot my-pull-secret --for=pull
+
+$ oc describe serviceaccount robot
+Name:               robot
+Labels:             <none>
+Image pull secrets:	robot-dockercfg-624cx
+                   	my-pull-secret
+
+Mountable secrets: 	robot-token-uzkbh
+                   	robot-dockercfg-624cx
+                   	secret-plans
+
+Tokens:            	robot-token-8bhpp
+                   	robot-token-uzkbh
+----

modules/service-accounts-configuration-parameters.adoc

@@ -0,0 +1,52 @@
+// Module included in the following assemblies:
+//
+// * authentication/using-service-accounts.adoc
+
+[id='service-accounts-configuration-parameters-{context}']
+= Service account configuration parameters
+
+You can provide values for the following service account parameters in the 
+*_/etc/origin/master/master-config.yml_* file on the master host.
+
+.Service account configuration parameters
+[cols="3a,3a,6a",options="header"]
+|===
+
+| Parameter Name | Type | Description
+
+|`LimitSecretReferences`
+|Boolean
+|Controls whether or not to allow a service account to reference any secret in a
+namespace without explicitly referencing them.
+
+|`ManagedNames`
+|String
+|A list of service account names that is automatically created in each namespace.
+If no names are specified, the `ServiceAccountsController` service does not
+start.
+
+|`MasterCA`
+|String
+|The CA that verifies the TLS connection back to the master. The service account
+controller automatically injects the contents of this file into pods so they
+can verify connections to the master.
+
+|`PrivateKeyFile`
+|String
+|A file that contains a PEM-encoded private RSA key, which is used to sign
+service account tokens. If no private key is specified, the service account
+`TokensController` service does not start.
+
+|`PublicKeyFiles`
+|String
+|A list of files, each of which contains a PEM-encoded public RSA key. If any file
+contains a private key, the public portion of the key is used. The list of
+public keys is used to verify presented service account tokens. Each key is
+tried in order until the list is exhausted or verification succeeds. If no keys
+are specified, no service account authentication is available.
+
+|`ServiceAccountConfig`
+|List
+|The parameter that contains the other listed service account parameters.
+
+|===

modules/service-accounts-creating.adoc

@@ -0,0 +1,52 @@
+// Module included in the following assemblies:
+//
+// * authentication/using-service-accounts.adoc
+
+[id='service-accounts-managing-{context}']
+= Creating service accounts
+
+You can create a service account in a project and grant it permissions by
+binding it to a role.
+
+.Procedure
+
+. (Optional) To view the service accounts in the current project:
++
+[source,bash]
+----
+$ oc get sa
+
+NAME       SECRETS   AGE
+builder    2         2d
+default    2         2d
+deployer   2         2d
+----
+
+. To create a new service account in the current project:
++
+[source,bash]
+----
+$ oc create sa <service_account_name> <1>
+
+serviceaccount "robot" created
+----
+<1> To create a service account in a different project, specify `-n <project_name>`.
+
+. (Optional) View the secrets for the service account:
++
+[source,bash]
+----
+$ oc describe sa robot
+Name:		robot
+Namespace:	project1
+Labels:		<none>
+Annotations:	<none>
+
+Image pull secrets:	robot-dockercfg-qzbhb
+
+Mountable secrets: 	robot-token-f4khf
+                   	robot-dockercfg-qzbhb
+
+Tokens:            	robot-token-f4khf
+                   	robot-token-z8h44
+----

modules/service-accounts-dedicated-admin-role.adoc

@@ -0,0 +1,33 @@
+// Module included in the following assemblies:
+//
+// * authentication/using-service-accounts.adoc
+
+
+[id='service-accounts-dedicated-admin-role-{context}']
+ifdef::openshift-dedicated[]
+= Service accounts in {product-title}
+
+As an {product-title} administrator, you can use service accounts to perform any
+actions that require {product-title} `admin` roles.
+
+The `dedicated-admin` service creates the `dedicated-admins` group. This group
+is granted the roles at the cluster or individual project
+level. Users can be assigned to this group, and group membership defines who has
+{product-title} administrator access. However, by design, service accounts
+cannot be added to regular groups.
+
+Instead, the `dedicated-admin` service creates a special project for this
+purpose named `dedicated-admin`. The service account group for this project is
+granted {product-title} `admin` roles, which grants {product-title} administrator
+access to all service accounts within the `dedicated-admin` project. You can
+then use these service accounts to perform any actions that require
+{product-title} administrator access.
+
+Users that are members of the `dedicated-admins` group are granted the
+`dedicated-admin` role permissions and have `edit` access to the `dedicated-admin`
+project. These users can manage the service accounts in this project
+and create new ones as needed.
+
+Users with a `dedicated-reader` role are granted edit and view access to the
+`dedicated-reader` project and view-only access to the other projects.
+endif::[]