Skip to main content
Version: main 🚧

Workload service account

Limited vCluster Tenancy Configuration Support

This feature is only available for the following:

Running the control plane as a container and the following worker node types:
  • Host Nodes
  • Private Nodes

The workloadServiceAccount allows you to enforce the use of a specific ServiceAccount for all vCluster workload pods running in the host cluster. For example, you can attach a shared imagePullSecret to the ServiceAccount so that all synced pods use the same secret when pulling container images.

controlPlane:
  advanced:
    workloadServiceAccount:
      enabled: true
      name: image-pull-sa
      imagePullSecrets:
        - name: workload-service-account-image-pull-secret
note

The pod specification (spec) of the synced workloads should not define its own imagePullSecrets. This is because imagePullSecrets are only copied from the ServiceAccount to the pod when the pod specification does not already include them.

The referenced imagePullSecrets must also exist in the host namespace where the vCluster’s workload pods are synced.

An easy way to achieve this is by using Virtual Cluster Templates. In addition to allowing you to add arbitrary Kubernetes objects inside the virtual cluster, Virtual Cluster Templates also enable you to create arbitrary Kubernetes objects in the host cluster namespace where the vCluster’s StatefulSet is deployed.

If syncing ServiceAccount resources from the virtual cluster to the host cluster is enabled, the workloadServiceAccount setting is ignored.

Config reference​

workloadServiceAccount required object ​

WorkloadServiceAccount specifies options for the service account that will be used for the workloads that run within the virtual cluster.

enabled required boolean true ​

Enabled specifies if the service account for the workloads should get deployed.

name required string ​

Name specifies what name to use for the service account for the virtual cluster workloads.

imagePullSecrets required object[] ​

ImagePullSecrets defines extra image pull secrets for the workload service account.

name required string ​

Name of the image pull secret to use.

annotations required object {} ​

Annotations are extra annotations for this resource.

labels required object {} ​

Labels are extra labels for this resource.