Got it, that explains.

Gratly apprciated your help. Am able to get what I want.

--
Srinivas Kotaru

From: Jordan Liggitt <jligg...@redhat.com>
Date: Thursday, December 1, 2016 at 2:19 PM
To: Srinivas Naga Kotaru <skot...@cisco.com>
Cc: dev <dev@lists.openshift.redhat.com>
Subject: Re: cluster wide service acount

The dockercfg secret contains the value of one of the tokens (which is required 
to exist in order for the service account token to continue to be a valid 
credential) in dockercfg format

On Thu, Dec 1, 2016 at 4:59 PM, Srinivas Naga Kotaru (skotaru) 
<skot...@cisco.com<mailto:skot...@cisco.com>> wrote:
For Docker login purpose, I could see another token ( I think this is what you 
are talking about)

cae-ops-dockercfg-04ccd    
kubernetes.io/dockercfg<http://kubernetes.io/dockercfg>               1         
1h
cae-ops-token-5vrkf        
kubernetes.io/service-account-token<http://kubernetes.io/service-account-token> 
  3         1h
cae-ops-token-jdhez        
kubernetes.io/service-account-token<http://kubernetes.io/service-account-token> 
  3         1h

1st token being used for Docker. Was wondering about other 2 tokens.

--
Srinivas Kotaru

From: Jordan Liggitt <jligg...@redhat.com<mailto:jligg...@redhat.com>>
Date: Thursday, December 1, 2016 at 1:39 PM

To: Srinivas Naga Kotaru <skot...@cisco.com<mailto:skot...@cisco.com>>
Cc: dev <dev@lists.openshift.redhat.com<mailto:dev@lists.openshift.redhat.com>>
Subject: Re: cluster wide service acount

One token is the one generated to mount into pods that run as the service 
account.
The other is the one wrapped into a dockercfg secret used as a credential 
against the internal docker registry.

On Thu, Dec 1, 2016 at 3:56 PM, Srinivas Naga Kotaru (skotaru) 
<skot...@cisco.com<mailto:skot...@cisco.com>> wrote:
Thanks, it is working.  Able to login using service account token

# oc get sa
# oc get secrets
#  oc get  secret  cae-ops-token-5vrkf  --template='{{.data.token}}'

decode base64 token

# oc login –token=<decoded token>

Qeustion:

I can see 2 secrets for each service accont and both are valied to login. Any 
idea why 2 ?

# oc get secrets

cae-ops-token-5vrkf        
kubernetes.io/service-account-token<http://kubernetes.io/service-account-token> 
  3         35m
cae-ops-token-jdhez        
kubernetes.io/service-account-token<http://kubernetes.io/service-account-token> 
  3         35m

--
Srinivas Kotaru

From: Jordan Liggitt <jligg...@redhat.com<mailto:jligg...@redhat.com>>
Date: Thursday, December 1, 2016 at 12:26 PM

To: Srinivas Naga Kotaru <skot...@cisco.com<mailto:skot...@cisco.com>>
Cc: dev <dev@lists.openshift.redhat.com<mailto:dev@lists.openshift.redhat.com>>
Subject: Re: cluster wide service acount

If you have the service account's token, you can use it from the command line 
like this:

oc login --token=...

The web console does not provide a way to log in with a service account token.

On Thu, Dec 1, 2016 at 3:19 PM, Srinivas Naga Kotaru (skotaru) 
<skot...@cisco.com<mailto:skot...@cisco.com>> wrote:
Jordan

That helps. Thanks for quick help.

Can we use this sa account to login into console and OC clinet? If yes how? I 
knew SA account only has non expired token but no password


--
Srinivas Kotaru

From: Jordan Liggitt <jligg...@redhat.com<mailto:jligg...@redhat.com>>
Date: Thursday, December 1, 2016 at 12:04 PM
To: Srinivas Naga Kotaru <skot...@cisco.com<mailto:skot...@cisco.com>>
Cc: dev <dev@lists.openshift.redhat.com<mailto:dev@lists.openshift.redhat.com>>
Subject: Re: cluster wide service acount

Service accounts exist within a namespace but can be granted permissions across 
the entire cluster, just like any other user. For example:
oadm policy add-cluster-role-to-user cluster-reader 
system:serviceaccount:openshift-infra:monitor-service-account

On Thu, Dec 1, 2016 at 3:02 PM, Srinivas Naga Kotaru (skotaru) 
<skot...@cisco.com<mailto:skot...@cisco.com>> wrote:
I knew we can create a service account per project and can be used as a 
password less API work and automations activities. Can we create a service 
account at cluster level and can be used for platform operations (monitoring, 
automation, shared account for operation teams)?

Intention is to have expiry free tokens.

--
Srinivas Kotaru

_______________________________________________
dev mailing list
dev@lists.openshift.redhat.com<mailto:dev@lists.openshift.redhat.com>
http://lists.openshift.redhat.com/openshiftmm/listinfo/dev




_______________________________________________
dev mailing list
dev@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/dev

Reply via email to