Multiple Service Accounts

Using Multiple Service Accounts

There may be a need to have multiple service accounts to provide only the necessary permissions to various objects that the operator creates on a Kubernetes cluster.

This can be accomplished by using the --extra-service-accounts flag when generating the bundle with make bundle.

Updating the Makefile to use --extra-service-accounts

Update the bundle target in the Makefile to add the --extra-service-accounts flag with the name of the desired service account. Putting the flag in the Makefile, rather than passing it by hand, ensures that the permissions and configurations for that service account are not dropped or overwritten the next time make bundle runs. For example, modify the line that contains operator-sdk generate bundle as shown below, replacing myOperator-name-additional-service-account with the desired service account name prefixed by the operator name (that is, the full name the service account has after kustomize applies the operator's name prefix).

bundle: manifests kustomize operator-sdk ## Generate bundle manifests and metadata, then validate generated files.
	operator-sdk generate kustomize manifests -q
	cd config/manager && $(KUSTOMIZE) edit set image controller=$(IMG)
	$(KUSTOMIZE) build config/manifests | operator-sdk generate bundle -q --overwrite --extra-service-accounts myOperator-name-additional-service-account --version $(VERSION) $(BUNDLE_METADATA_OPTS)
	operator-sdk bundle validate ./bundle

The --extra-service-accounts flag takes a comma-separated list of strings, so you can add more than a single service account name if desired.

Add RBAC configurations for --extra-service-accounts

These steps will need to be followed for every additional service account.

  1. Create a new service account file. For example:

    cat << EOF > config/rbac/additional_service_account.yaml
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: additional-service-account
      namespace: system
    EOF
  2. Create a role binding. In this example, it is a ClusterRoleBinding:

    cat << EOF > config/rbac/additional_role_binding.yaml
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: additional-service-account-rolebinding
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: additional-service-account-role
    subjects:
    - kind: ServiceAccount
      name: additional-service-account
      namespace: system
    EOF
  3. Create a role with the desired permissions. In this example, it is a ClusterRole that grants use of the privileged SecurityContextConstraint (SCC). Because this lets pods running under the service account be admitted with the privileged SCC, keep such rights on a dedicated service account rather than on the operator's default one.

    cat << EOF > config/rbac/additional_role.yaml
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      creationTimestamp: null
      name: additional-service-account-role
    rules:
    - apiGroups:
      - security.openshift.io
      resourceNames:
      - privileged
      resources:
      - securitycontextconstraints
      verbs:
      - use
    EOF
Update the RBAC kustomization.yaml

Make sure to update the RBAC configuration kustomization.yaml file with the previously created RBAC yaml files. For example:

cat << EOF >> config/rbac/kustomization.yaml

# Add MyCustomObject service account
- additional_service_account.yaml
- additional_role.yaml
- additional_role_binding.yaml
EOF
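A pre-flight consistency check for the steps above, added here as an example and not part of the Operator SDK docs or project: it confirms that every ServiceAccount listed in config/rbac/kustomization.yaml is passed to --extra-service-accounts under its prefixed name and is the subject of a binding, the two mismatches that otherwise surface only as a bundle whose extra service account matches nothing. It assumes the scaffolded layout (RBAC files listed in config/rbac/kustomization.yaml, the operator's namePrefix in config/default/kustomization.yaml) and builds a constructed sample tree in a temporary directory so it runs offline.

```shell
#!/bin/sh
# Added pre-flight check (not from the Operator SDK docs): for every ServiceAccount
# listed in config/rbac/kustomization.yaml, confirm it is passed to
# --extra-service-accounts under its kustomize-prefixed name (namePrefix from
# config/default/kustomization.yaml) and is a subject of some (Cluster)RoleBinding.
# Only grep/sed/awk are used; layout assumptions follow the scaffolded files.

# YAML files kustomize includes from config/rbac, as paths.
rbac_files() {
  sed -n 's/^- *\(.*\.yaml\) *$/\1/p' "$1/config/rbac/kustomization.yaml" | sed "s|^|$1/config/rbac/|"
}

# Prints OK on success; otherwise one MISSING line per problem and returns 1.
check_extra_service_accounts() {
  dir=$1 rc=0
  prefix=$(sed -n 's/^namePrefix: *//p' "$dir/config/default/kustomization.yaml" 2>/dev/null || true)
  extra=$(grep -o -- '--extra-service-accounts [^ ]*' "$dir/Makefile" | awk '{print $2}' | tr ',' '\n')
  files=$(rbac_files "$dir")
  [ -n "$files" ] || { echo "MISSING: no resources in config/rbac/kustomization.yaml"; return 1; }
  # metadata.name of each ServiceAccount object (first "  name:" after its kind line)
  sas=$(cat $files | awk '/^kind: ServiceAccount$/{sa=1} sa && /^  name:/{print $2; sa=0}')
  # service accounts named as subjects of a RoleBinding/ClusterRoleBinding
  subjects=$(cat $files | awk '/^- kind: ServiceAccount$/{s=1; next} s && /^  name:/{print $2; s=0}')
  for sa in $sas; do
    echo "$extra" | grep -qxF "${prefix}${sa}" ||
      { echo "MISSING: --extra-service-accounts lacks ${prefix}${sa}"; rc=1; }
    echo "$subjects" | grep -qxF "$sa" ||
      { echo "MISSING: no binding subject for $sa"; rc=1; }
  done
  [ $rc -eq 0 ] && echo OK
  return $rc
}

# Constructed sample scaffold in a temp dir; $1 is the --extra-service-accounts value.
make_sample() {
  d=$(mktemp -d); mkdir -p "$d/config/rbac" "$d/config/default"
  echo 'namePrefix: myoperator-' > "$d/config/default/kustomization.yaml"
  printf 'resources:\n- additional_service_account.yaml\n- additional_role_binding.yaml\n' > "$d/config/rbac/kustomization.yaml"
  printf 'apiVersion: v1\nkind: ServiceAccount\nmetadata:\n  name: additional-service-account\n  namespace: system\n' > "$d/config/rbac/additional_service_account.yaml"
  printf 'kind: ClusterRoleBinding\nmetadata:\n  name: additional-service-account-rolebinding\nroleRef:\n  kind: ClusterRole\n  name: additional-service-account-role\nsubjects:\n- kind: ServiceAccount\n  name: additional-service-account\n  namespace: system\n' > "$d/config/rbac/additional_role_binding.yaml"
  printf 'bundle:\n\toperator-sdk generate bundle -q --overwrite --extra-service-accounts %s --version 0.0.1\n' "$1" > "$d/Makefile"
  echo "$d"
}

good=$(make_sample myoperator-additional-service-account)
bad=$(make_sample additional-service-account)            # namePrefix forgotten
check_extra_service_accounts "$good"                    # OK
check_extra_service_accounts "$bad" || true             # MISSING: --extra-service-accounts lacks myoperator-additional-service-account
rm -rf "$good" "$bad"
```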