This topic explains how you can create service accounts for Supply Chain Security Tools (SCST) - Store.
When you install Tanzu Application Platform, the SCST - Store deployment automatically includes a read-write service account. This service account is bound to the metadata-store-read-write
role.
There are two types of SCST - Store service accounts:
POST
and GET
API requestsGET
API requestsWhen you install Tanzu Application Platform, the SCST - Store deployment automatically includes a read-write service account. This service account is already bound to the metadata-store-read-write
role.
To create an additional read-write service account, create a service account called metadata-store-read-write-client
by running:
kubectl apply -f - -o yaml << EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: metadata-store-read-write
namespace: metadata-store
rules:
- resources: ["all"]
verbs: ["get", "create", "update"]
apiGroups: [ "metadata-store/v1" ]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: metadata-store-read-write
namespace: metadata-store
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: metadata-store-read-write
subjects:
- kind: ServiceAccount
name: metadata-store-read-write-client
namespace: metadata-store
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: metadata-store-read-write-client
namespace: metadata-store
annotations:
kapp.k14s.io/change-group: "metadata-store.apps.tanzu.vmware.com/service-account"
automountServiceAccountToken: false
---
apiVersion: v1
kind: Secret
type: kubernetes.io/service-account-token
metadata:
name: metadata-store-read-write-client
namespace: metadata-store
annotations:
kapp.k14s.io/change-rule: "upsert after upserting metadata-store.apps.tanzu.vmware.com/service-account"
kubernetes.io/service-account.name: "metadata-store-read-write-client"
EOF
You can create a read-only service account with a default cluster role or with a custom cluster role.
During Store installation, the metadata-store-read-only
cluster role is created by default. This cluster role permits the bound user to have get
access to all resources. To bind to this cluster role, run the following command:
kubectl apply -f - -o yaml << EOF
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: metadata-store-read-only
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: metadata-store-read-only
subjects:
- kind: ServiceAccount
name: metadata-store-read-client
namespace: metadata-store
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: metadata-store-read-client
namespace: metadata-store
annotations:
kapp.k14s.io/change-group: "metadata-store.apps.tanzu.vmware.com/service-account"
automountServiceAccountToken: false
---
apiVersion: v1
kind: Secret
type: kubernetes.io/service-account-token
metadata:
name: metadata-store-read-client
namespace: metadata-store
annotations:
kapp.k14s.io/change-rule: "upsert after upserting metadata-store.apps.tanzu.vmware.com/service-account"
kubernetes.io/service-account.name: "metadata-store-read-client"
EOF
If the default role is not enough for your needs, see Create a service account with a custom cluster role.