For Docker login purpose, I could see another token ( I think this is what you 
are talking about)

cae-ops-dockercfg-04ccd    kubernetes.io/dockercfg               1         1h
cae-ops-token-5vrkf        kubernetes.io/service-account-token   3         1h
cae-ops-token-jdhez        kubernetes.io/service-account-token   3         1h

1st token being used for Docker. Was wondering about other 2 tokens.

--
Srinivas Kotaru

From: Jordan Liggitt <jligg...@redhat.com>
Date: Thursday, December 1, 2016 at 1:39 PM
To: Srinivas Naga Kotaru <skot...@cisco.com>
Cc: dev <dev@lists.openshift.redhat.com>
Subject: Re: cluster wide service acount

One token is the one generated to mount into pods that run as the service 
account.
The other is the one wrapped into a dockercfg secret used as a credential 
against the internal docker registry.

On Thu, Dec 1, 2016 at 3:56 PM, Srinivas Naga Kotaru (skotaru) 
<skot...@cisco.com<mailto:skot...@cisco.com>> wrote:
Thanks, it is working.  Able to login using service account token

# oc get sa
# oc get secrets
#  oc get  secret  cae-ops-token-5vrkf  --template='{{.data.token}}'

decode base64 token

# oc login –token=<decoded token>

Qeustion:

I can see 2 secrets for each service accont and both are valied to login. Any 
idea why 2 ?

# oc get secrets

cae-ops-token-5vrkf        
kubernetes.io/service-account-token<http://kubernetes.io/service-account-token> 
  3         35m
cae-ops-token-jdhez        
kubernetes.io/service-account-token<http://kubernetes.io/service-account-token> 
  3         35m

--
Srinivas Kotaru

From: Jordan Liggitt <jligg...@redhat.com<mailto:jligg...@redhat.com>>
Date: Thursday, December 1, 2016 at 12:26 PM

To: Srinivas Naga Kotaru <skot...@cisco.com<mailto:skot...@cisco.com>>
Cc: dev <dev@lists.openshift.redhat.com<mailto:dev@lists.openshift.redhat.com>>
Subject: Re: cluster wide service acount

If you have the service account's token, you can use it from the command line 
like this:

oc login --token=...

The web console does not provide a way to log in with a service account token.

On Thu, Dec 1, 2016 at 3:19 PM, Srinivas Naga Kotaru (skotaru) 
<skot...@cisco.com<mailto:skot...@cisco.com>> wrote:
Jordan

That helps. Thanks for quick help.

Can we use this sa account to login into console and OC clinet? If yes how? I 
knew SA account only has non expired token but no password


--
Srinivas Kotaru

From: Jordan Liggitt <jligg...@redhat.com<mailto:jligg...@redhat.com>>
Date: Thursday, December 1, 2016 at 12:04 PM
To: Srinivas Naga Kotaru <skot...@cisco.com<mailto:skot...@cisco.com>>
Cc: dev <dev@lists.openshift.redhat.com<mailto:dev@lists.openshift.redhat.com>>
Subject: Re: cluster wide service acount

Service accounts exist within a namespace but can be granted permissions across 
the entire cluster, just like any other user. For example:
oadm policy add-cluster-role-to-user cluster-reader 
system:serviceaccount:openshift-infra:monitor-service-account

On Thu, Dec 1, 2016 at 3:02 PM, Srinivas Naga Kotaru (skotaru) 
<skot...@cisco.com<mailto:skot...@cisco.com>> wrote:
I knew we can create a service account per project and can be used as a 
password less API work and automations activities. Can we create a service 
account at cluster level and can be used for platform operations (monitoring, 
automation, shared account for operation teams)?

Intention is to have expiry free tokens.

--
Srinivas Kotaru

_______________________________________________
dev mailing list
dev@lists.openshift.redhat.com<mailto:dev@lists.openshift.redhat.com>
http://lists.openshift.redhat.com/openshiftmm/listinfo/dev



_______________________________________________
dev mailing list
dev@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/dev

Reply via email to