Skip to main content

ServiceAccount

Overview

ServiceAccount provides an identity for machinery access to Kubernetes cluster's API. In Puzl, the ServiceAccount named default is created within each Claim Namespace by GitLabPipelinesIntegration. It's designed to ensure secure and granular access to various resources within the platform in the context of the related GitLabPipelinesIntegration.

The Puzl account owner, which is supposed to be administrator, can directly access the Kubernetes API using their Puzl account credentials. However, external users, such as GitLab group/project maintainers or owners, aren't Puzl account holders. The ServiceAccount provides them with the capabilities to create and manage runners for their CI/CD needs without contacting administrator and without needing to know any specifics about Puzl.

Permissions

default account always has full permissions on GitLabRunnerClaim resources in the related Claim Namespace, which is the minimal possible permission set.

Other permissions associated with the ServiceAccount are determined by the spec.serviceAccountPermissions section of the GitLabPipelinesIntegration.

Issuing Tokens for ServiceAccount

When granting access to a GitLab project/group maintainer or owner via a ServiceAccount, Puzl offers the use of a persisted token. Here's why and how you can set it up.

Kubernetes provides a feature where you can issue a persisted token by creating a Secret of a special type kubernetes.io/service-account-token. While the term "persisted" might sound risky, its security is ensured in Puzl. The permissions and access controls of the ServiceAccount in Puzl are finely grained and scoped by the related GitLabPipelinesIntegration only, ensuring tight security.

Given that these tokens don't expire, they are particularly useful for long-term access or for use cases where token rotation might pose operational challenges. It's also easy to instantly revoke all the persisted tokens issued in the Claim Namespace if needed.

To understand how to generate and manage these persisted tokens, please refer to the official Kubernetes documentation on Service Account Tokens.

Revoking Access

If you need to securely revoke access:

  1. Delete all Secrets within the namespace:

    kubectl delete secrets --all -n <Your_Integration_claimNamespaceRef>

  2. Re-issue tokens in all GitLabRunnerClaim objects existing in this namespace.