This topic describes how you can create a service account with a custom cluster role for Supply Chain Security Tools (SCST)- Store.
If you do not want to bind to the default cluster role, create a read-only role in the metadata-store
namespace with a service account. The following example creates a service account named metadata-store-read-client
:
kubectl apply -f - -o yaml << EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: metadata-store-ro
namespace: metadata-store
rules:
- resources: ["all"]
verbs: ["get"]
apiGroups: [ "metadata-store/v1" ]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: metadata-store-ro
namespace: metadata-store
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: metadata-store-ro
subjects:
- kind: ServiceAccount
name: metadata-store-read-client
namespace: metadata-store
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: metadata-store-read-client
namespace: metadata-store
annotations:
kapp.k14s.io/change-group: "metadata-store.apps.tanzu.vmware.com/service-account"
automountServiceAccountToken: false
---
apiVersion: v1
kind: Secret
type: kubernetes.io/service-account-token
metadata:
name: metadata-store-read-client
namespace: metadata-store
annotations:
kapp.k14s.io/change-rule: "upsert after upserting metadata-store.apps.tanzu.vmware.com/service-account"
kubernetes.io/service-account.name: "metadata-store-read-client"
EOF