This topic explains how you can create service accounts for Supply Chain Security Tools (SCST) - Store.
When you install Tanzu Application Platform, the Supply Chain Security
Tools (SCST) - Store deployment automatically includes a read-write service
account.
This service account is bound to the metadata-store-read-write
role.
There are two types of SCST - Store service accounts:
- Read-write service account - full access to the
POST
andGET
API requests - Read-only service account - can only use
GET
API requests
When you install Tanzu Application Platform, the SCST - Store deployment automatically includes a read-write service account.
This service account is already bound to the metadata-store-read-write
role.
To create an additional read-write service account, run the following command.
The command creates a service account called metadata-store-read-write-client
:
kubectl apply -f - -o yaml << EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: metadata-store-read-write
namespace: metadata-store
rules:
- resources: ["all"]
verbs: ["get", "create", "update"]
apiGroups: [ "metadata-store/v1" ]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: metadata-store-read-write
namespace: metadata-store
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: metadata-store-read-write
subjects:
- kind: ServiceAccount
name: metadata-store-read-write-client
namespace: metadata-store
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: metadata-store-read-write-client
namespace: metadata-store
annotations:
kapp.k14s.io/change-group: "metadata-store.apps.tanzu.vmware.com/service-account"
automountServiceAccountToken: false
---
apiVersion: v1
kind: Secret
type: kubernetes.io/service-account-token
metadata:
name: metadata-store-read-write-client
namespace: metadata-store
annotations:
kapp.k14s.io/change-rule: "upsert after upserting metadata-store.apps.tanzu.vmware.com/service-account"
kubernetes.io/service-account.name: "metadata-store-read-write-client"
EOF
You can create a read-only service account with a default cluster role or with a custom cluster role.
During Store installation, the metadata-store-read-only
cluster role
is created by default. This cluster role allows the bound user to have get
access to all resources. To bind to this cluster role, run the following command:
kubectl apply -f - -o yaml << EOF
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: metadata-store-read-only
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: metadata-store-read-only
subjects:
- kind: ServiceAccount
name: metadata-store-read-client
namespace: metadata-store
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: metadata-store-read-client
namespace: metadata-store
annotations:
kapp.k14s.io/change-group: "metadata-store.apps.tanzu.vmware.com/service-account"
automountServiceAccountToken: false
---
apiVersion: v1
kind: Secret
type: kubernetes.io/service-account-token
metadata:
name: metadata-store-read-client
namespace: metadata-store
annotations:
kapp.k14s.io/change-rule: "upsert after upserting metadata-store.apps.tanzu.vmware.com/service-account"
kubernetes.io/service-account.name: "metadata-store-read-client"
EOF
If using the default role is not sufficient, see Create a service account with a custom cluster role.