Bring your own Kubernetes service accounts
In Astronomer Software, you can disable automatic creation of Service Accounts (SA), and use a pre-created service account. When you do this, you can either define service accounts manually, or use a service account creation template.
Using a pre-created service account, Organizations can create using a central authority or system, without granting Astronomer Software similarly elevated permissions.
Step 1: Create a service account template
Use the registry template to create a service account template. The following examples use a service account saved with the name, custom-sa.
Step 2: Disable automatic service account creation
- Disable Astronomer from creating Roles, RoleBindings, and other SAs in the namespace by setting the global config
rbacEnabledandserviceAccount.createtofalseglobally:
global:
rbacEnabled: false
serviceAccount:
create: false
- You must also set
serviceAccount.createtofalsefor each component that will use a custom SA:commander,configsyncer,houston, andhouston-worker.
global:
dagOnlyDeployment:
enabled: true
serviceAccount:
create: false
astronomer:
airflowChartVersion: <your-airflow-chart-version>
houston:
config:
deployments:
helm:
airflow:
rbac:
create: false
scheduler:
serviceAccount:
create: false
flower:
serviceAccount:
create: false
webserver:
serviceAccount:
create: false
triggerer:
serviceAccount:
create: false
pgbouncer:
serviceAccount:
create: false
migrateDatabaseJob:
serviceAccount:
create: false
statsd:
serviceAccount:
create: false
redis:
serviceAccount:
create: false
cleanup:
serviceAccount:
create: false
workers:
serviceAccount:
create: false
Step 3: Apply the config change.
Then apply the config change.