Completed the video...!!!!!
Happy New Year
Thanks piyush it was really insightful!
Thanks for a neat and crisp explanation on Service Accounts
Glad it was helpful! I have just updated the GitHub repo as well.
Thank you Piyush, that is very helpful!
Welcome!
Thank you for this video on service accounts; so we have a way of automating certain tasks, but also a way to see that they can have only certain permissions.
Welcome
Awesome, learned a lot.
Thanks, I'm glad you found it helpful!
Thanks for sharing the full course for free. Appreciate it.
You're very welcome
Thanks for sharing!
Thank you Piyush
Thank you Piyush, I am reaching here.
All the best
Comment for target...!!!!!
thanks piyusssh
welcome buddy 😊
Shukriya
🙏🙏❤️
So when setting up workload identity in AKS, does the service account used have to be in the same namespace as the pod that you're using that service account with?
Is this also the same for secrets provider class?
Simple yet very clear explanation. Thanks Piyush!!
In real time, do we use the default Service Account token or an explicit Secret for a long-lived token?
Service accounts are better than using secrets, as the secrets are stored in encoded format, not encrypted. Or you use cloud features such as workload identity (GKE) or any secret management service such as Key Vault, HashiCorp Vault, Sealed Secrets, etc.
I tried to get pods with curl, SA and token. It didn't work, returned: 403 Forbidden, what I found out:
16:24 this won't work with ServiceAccount and Token API access, when binding role to SA, you need to use serviceaccount instead of user, in this case:
k create rolebinding rb --role build-role --serviceaccount default:build-sa
17:00 then this also won't work for SA, it should be:
k auth can-i get pods --as system:serviceaccount:default:build-sa
Yes, I accidentally used user instead of service account, good catch!
Sir, I am coming from seeing Abhishek sir's CDN video.
Thanks for coming
@TechTutorialswithPiyush ❤️❤️
hey bro
It's a very crisp and clear explanation. But I have one question: in a real-time production environment, are Docker and Jenkins installed on the same server or on different ones?
Thanks
Thank you brother 🙏
Usually Jenkins works in a master-slave architecture, wherein the Jenkins master provisions multiple build servers to run the builds, and these servers use a base image with Docker installed.
Piyush, I appreciate your effort, but with all due respect this video should be revisited.
The serviceAccount should be the one you created "build-sa" and not "default" at 18:13
I think the reason why "get pods" worked when you impersonated build-sa is simple: even though you created a service account as "build-sa", while creating the RoleBinding you bound the role to a "User" named build-sa and not a "ServiceAccount" named build-sa (16:44).
That is really a good catch! Thank you for sharing it. Yes, build-sa is a user and not a service account. The pod was created using the default service account, hence it is showing those details. Thank you for sharing this.
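The two corrections raised in this thread (bind the Role to a ServiceAccount subject rather than a User, and run the pod with serviceAccountName: build-sa instead of the default service account) written out as Kubernetes manifests. This is an added example, not the video's or its GitHub repo's own files. The names build-sa, build-role, rb and the namespace default come from the comments; the Role's verb list, the name of the "wrong" RoleBinding, the pod name and the container image are assumptions for illustration.

```yaml
# Added example: correct vs. incorrect RoleBinding subject for a ServiceAccount.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: build-sa
  namespace: default
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: build-role
  namespace: default
rules:
  - apiGroups: [""]
    resources: ["pods"]
    # Assumed rule set: "get" covers reading one pod; "list" is the verb that
    # `kubectl get pods` and GET /api/v1/namespaces/default/pods actually need.
    verbs: ["get", "list"]
---
# INCORRECT (what the video did): the subject is a User called build-sa.
# A pod's token authenticates as system:serviceaccount:default:build-sa,
# which never matches a User named build-sa, so API calls get 403 Forbidden.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: rb-user-subject   # assumed name, shown only for contrast
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: build-role
subjects:
  - kind: User
    name: build-sa
---
# CORRECT: the subject is the ServiceAccount, equivalent to
#   kubectl create rolebinding rb --role build-role --serviceaccount default:build-sa
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: rb
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: build-role
subjects:
  - kind: ServiceAccount
    name: build-sa
    namespace: default
---
# The pod must actually use build-sa; otherwise it runs as the default
# service account and the binding above never applies to its token.
apiVersion: v1
kind: Pod
metadata:
  name: build-pod          # assumed name
  namespace: default
spec:
  serviceAccountName: build-sa
  containers:
    - name: curl
      image: curlimages/curl   # assumed image, used only to call the API
      command: ["sleep", "infinity"]
```

After applying, the check from the thread, `kubectl auth can-i get pods --as system:serviceaccount:default:build-sa`, should answer yes; with only the User-subject binding in place it answers no, which is the quickest way to spot the mismatch. From inside the pod, the mounted token at /var/run/secrets/kubernetes.io/serviceaccount/token sent as a Bearer header to https://kubernetes.default.svc/api/v1/namespaces/default/pods exercises the same binding, and a 403 there means either the subject kind or the pod's serviceAccountName is still wrong.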