Why does the gateway Helm deployment use a Service Account?


Article ID: 278963


Updated On: 02-28-2024

Products

CA API Gateway

Issue/Introduction

When trying to install a gateway using the gateway Helm charts:

helm install layer7 layer7/gateway --set-file "license.value=/Broadcom/license.xml" --set "license.accept=true" -f ./custom-values.yaml

We get the following error:

Error: INSTALLATION FAILED: failed pre-install: serviceaccounts "layer7-gateway" is forbidden: User "xxxxxx" cannot delete resource "serviceaccounts" in API group "" in the namespace "xxxxxxxx

Why do we need a service account?

Resolution

The service account is used by the pmtagger pod.

This pod needs to query the Kubernetes API and update some of the networks to ensure Policy Manager traffic only goes to one pod.

ServiceAccount:
  # name:
  create: true
  # If pmtagger is enabled the Gateway Service Account will need to have
  # list/patch permissions for Pods.
  rbac:
    create: true
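
A pre-flight check for the "forbidden" error above, as an added example that is not part of the original article or the chart: it asks the API server whether the installing user holds the permissions the install needs in the target namespace. The verb/resource list (beyond "delete serviceaccounts", which comes from the error message), the KUBECTL override variable and the PREFLIGHT_NS variable are assumptions.

```shell
#!/bin/sh
# Added example: RBAC pre-flight before `helm install layer7 layer7/gateway`.
# KUBECTL can be overridden (assumption, used for offline testing).
KUBECTL="${KUBECTL:-kubectl}"

# Verb:resource pairs the installing user is assumed to need when the chart
# creates the service account and its RBAC objects. "delete:serviceaccounts"
# is the permission named in the error; the others are assumptions.
REQUIRED="create:serviceaccounts
delete:serviceaccounts
create:roles
create:rolebindings"

# Print every missing "verb resource" pair for namespace $1.
# Returns 0 when nothing is missing, 1 otherwise.
missing_perms() {
    ns="$1"
    rc=0
    for pair in $REQUIRED; do
        verb="${pair%%:*}"
        res="${pair#*:}"
        # `kubectl auth can-i` exits non-zero when the answer is "no".
        if ! "$KUBECTL" auth can-i "$verb" "$res" -n "$ns" >/dev/null 2>&1; then
            echo "$verb $res"
            rc=1
        fi
    done
    return "$rc"
}

# Run the check only when a namespace is supplied, e.g.
#   PREFLIGHT_NS=my-namespace sh preflight.sh
if [ -n "${PREFLIGHT_NS:-}" ]; then
    if missing="$(missing_perms "$PREFLIGHT_NS")"; then
        echo "OK: install permissions present in $PREFLIGHT_NS"
    else
        echo "Missing in $PREFLIGHT_NS (ask a namespace admin to grant):"
        echo "$missing"
    fi
fi
```

Granting the missing verbs through a namespaced Role keeps the installer's access scoped to that one namespace rather than the whole cluster.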