Create an Admin Type Service Account

An admin type user typically has full permissions to cluster-scoped resources as well as full permissions to all resources scoped to any namespaces.

A cluster-admin ClusterRole is defined by default for such a user. To create an admin service account with cluster-admin role, use the following procedure:

Note

It is recommended that you create and manage service accounts within the kube-system namespace.

  1. Create the user definition.

    For example:

    % cat <<EOF > admin-user.yaml
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: admin-user
      namespace: kube-system
    ---
    apiVersion: v1
    kind: Secret
    type: kubernetes.io/service-account-token
    metadata:
      name: admin-user-sa-token
      namespace: kube-system
      annotations:
        kubernetes.io/service-account.name: admin-user
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: admin-user
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: cluster-admin
    subjects:
    - kind: ServiceAccount
      name: admin-user
      namespace: kube-system
    EOF
  2. Apply the configuration.

    % kubectl apply -f admin-user.yaml
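Because a binding to the cluster-admin ClusterRole grants full control of the cluster, it is worth periodically listing every subject bound to that role and comparing it against the accounts you intended to create. The following added example (not part of the StarlingX documentation) parses the JSON that `kubectl get clusterrolebindings -o json` returns and flags any cluster-admin subject outside an allow-list; the JSON below is a constructed sample, with the admin-user binding mirroring the manifest above.

```python
import json

# Constructed sample of `kubectl get clusterrolebindings -o json`.
# The admin-user entry matches the manifest in the procedure; the
# other two bindings are made up for illustration.
SAMPLE_CRB_JSON = """
{
  "apiVersion": "v1", "kind": "List",
  "items": [
    {"kind": "ClusterRoleBinding", "metadata": {"name": "admin-user"},
     "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                 "kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "admin-user",
                   "namespace": "kube-system"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "cluster-admin"},
     "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                 "kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "apiGroup": "rbac.authorization.k8s.io",
                   "name": "system:masters"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "app-reader"},
     "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                 "kind": "ClusterRole", "name": "view"},
     "subjects": [{"kind": "ServiceAccount", "name": "reader",
                   "namespace": "default"}]}
  ]
}
"""


def cluster_admin_subjects(crb_list_json):
    """Return (binding, subject kind, subject name, namespace) for every
    subject bound to the cluster-admin ClusterRole. Namespace is '' for
    User and Group subjects, which are not namespaced."""
    found = []
    for crb in json.loads(crb_list_json).get("items", []):
        role = crb.get("roleRef", {})
        if role.get("kind") != "ClusterRole" or role.get("name") != "cluster-admin":
            continue
        for subj in crb.get("subjects") or []:   # subjects may be omitted
            found.append((crb["metadata"]["name"], subj.get("kind"),
                          subj.get("name"), subj.get("namespace", "")))
    return found


def unexpected_cluster_admins(crb_list_json, allowed):
    """Subjects bound to cluster-admin that are not in the allow-list of
    (kind, name, namespace) tuples maintained by the operator."""
    return [s for s in cluster_admin_subjects(crb_list_json) if s[1:] not in allowed]


if __name__ == "__main__":
    allowed = {("Group", "system:masters", ""),
               ("ServiceAccount", "admin-user", "kube-system")}
    for entry in cluster_admin_subjects(SAMPLE_CRB_JSON):
        print(entry)
    print("unexpected:", unexpected_cluster_admins(SAMPLE_CRB_JSON, allowed))
```

On a live cluster, replace `SAMPLE_CRB_JSON` with the output of `kubectl get clusterrolebindings -o json`; note that Role-scoped bindings and aggregated ClusterRoles are outside what this check covers.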

See Configure Remote CLI Access <configure-remote-cli-access> for details on how to set up remote CLI access using tools such as kubectl and helm for a service account such as this.

Note

You can also use user accounts defined in an external Windows Active Directory to authenticate to the Kubernetes API, the kubectl CLI, or the Kubernetes Dashboard. For more information, see Configure OIDC Auth Applications <configure-oidc-auth-applications>.