Sample: Create a ClusterRoleBinding to allow a default service account to use a gMSA credential specification cluster-wide

Article ID: 439052

Products

VMware vSphere Kubernetes Service

Issue/Introduction

This article provides a sample ClusterRoleBinding that allows a default service account to use a gMSA credential specification cluster-wide.

Environment

VMware vSphere Kubernetes Service

Resolution

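Create a ClusterRoleBinding to allow a default service account to use a gMSA credential specification cluster-wide. The manifest below binds the ClusterRole myservice-gmsa to the group system:serviceaccounts, which contains every service account in every namespace of the cluster, so the grant is not limited to the default service account of a single namespace.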

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: allow-default-svc-account-read-on-myservice-gmssa
subjects:
# Group subject: matches all service accounts in the cluster
- kind: Group
  name: system:serviceaccounts
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: myservice-gmsa
  apiGroup: rbac.authorization.k8s.io
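
To see which identities a binding to the myservice-gmsa ClusterRole actually reaches, the following Python check (an added example, not part of the original article or of VMware's tooling) reads the JSON produced by `kubectl get clusterrolebindings,rolebindings -A -o json` and flags broad group subjects. The sample input is constructed; the RoleBinding example-narrow-binding and the namespace example-workload are hypothetical names.

```python
import json

# Built-in groups that match many identities at once.
BROAD_GROUPS = {
    "system:serviceaccounts": "every service account in every namespace",
    "system:authenticated": "every authenticated user and service account",
}

def audit_role_bindings(doc, role_name):
    """List who is bound to ClusterRole role_name, flagging broad group subjects.

    doc: parsed `kubectl get clusterrolebindings,rolebindings -A -o json`.
    """
    findings = []
    for item in doc.get("items", []):
        ref = item.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") != role_name:
            continue
        meta = item["metadata"]
        # A RoleBinding applies only in its own namespace; a ClusterRoleBinding everywhere.
        scope = meta["namespace"] if item["kind"] == "RoleBinding" else "cluster-wide"
        for s in item.get("subjects") or []:
            reach = None
            if s["kind"] == "Group":
                reach = BROAD_GROUPS.get(s["name"])
                if reach is None and s["name"].startswith("system:serviceaccounts:"):
                    reach = "every service account in namespace " + s["name"].split(":")[2]
            findings.append({"binding": meta["name"], "scope": scope,
                             "subject": s["kind"] + "/" + s["name"],
                             "broad": reach is not None, "reach": reach})
    return findings

# Constructed sample: the binding from this article plus a hypothetical narrower one.
SAMPLE = json.loads("""
{"items": [
 {"kind": "ClusterRoleBinding",
  "metadata": {"name": "allow-default-svc-account-read-on-myservice-gmssa"},
  "subjects": [{"kind": "Group", "name": "system:serviceaccounts"}],
  "roleRef": {"kind": "ClusterRole", "name": "myservice-gmsa"}},
 {"kind": "RoleBinding",
  "metadata": {"name": "example-narrow-binding", "namespace": "example-workload"},
  "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "example-workload"}],
  "roleRef": {"kind": "ClusterRole", "name": "myservice-gmsa"}}
]}
""")

if __name__ == "__main__":
    for f in audit_role_bindings(SAMPLE, "myservice-gmsa"):
        print(f)
```

On a live cluster, pass the parsed kubectl output in place of SAMPLE; any finding with broad set to True and scope cluster-wide means every workload's service account can reference the credential specification.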

Additional Information

Create a role binding in the workload namespace:

https://techdocs.broadcom.com/us/en/vmware-cis/vcf/vsphere-supervisor-services-and-standalone-components/latest/managing-vsphere-kuberenetes-service-clusters-and-workloads/provisioning-tkg-service-clusters/configuringwindowsnodepooltousegroupmanagedserviceaccounds/using-group-managed-service-accounts-in-kubernetes.html

RoleBindings and ClusterRoleBinding:

https://techdocs.broadcom.com/us/en/vmware-cis/vsphere/vsphere-supervisor/8-0/using-tkg-service-with-vsphere-supervisor/managing-security-for-tkg-service-clusters/apply-default-pod-security-policy-to-tkg-service-clusters.html