Bring your own Kubernetes service accounts

In Astronomer Software, you can disable automatic creation of service accounts (SAs) and use pre-created service accounts instead. When you do this, you can either define service accounts manually or use a service account creation template.

With pre-created service accounts, organizations can create the accounts through a central authority or system, without granting Astronomer Software similarly elevated permissions.

Step 1: Create a service account template

Use the registry template to create a service account template. The following examples use a service account saved with the name custom-sa.

Step 2: Disable automatic service account creation

  1. Prevent Astronomer from creating Roles, RoleBindings, and other SAs in the namespace by setting the global rbacEnabled and serviceAccount.create values to false:

    global:
      rbacEnabled: false
      serviceAccount:
        create: false

  2. You must also set serviceAccount.create to false for each component that will use a custom SA: commander, configsyncer, houston, and houston-worker.

    global:
      dagOnlyDeployment:
        enabled: true
        serviceAccount:
          create: false
    astronomer:
      airflowChartVersion: <your-airflow-chart-version>
      houston:
        config:
          deployments:
            helm:
              airflow:
                rbac:
                  create: false

                scheduler:
                  serviceAccount:
                    create: false

                flower:
                  serviceAccount:
                    create: false

                webserver:
                  serviceAccount:
                    create: false

                triggerer:
                  serviceAccount:
                    create: false

                pgbouncer:
                  serviceAccount:
                    create: false

                migrateDatabaseJob:
                  serviceAccount:
                    create: false

                statsd:
                  serviceAccount:
                    create: false
                redis:
                  serviceAccount:
                    create: false

                cleanup:
                  serviceAccount:
                    create: false

                workers:
                  serviceAccount:
                    create: false
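
The following check is an added example, not part of Astronomer's documentation or tooling: it audits parsed Helm values for the overrides shown in Step 2 and reports any that are missing or not set to false. It assumes both snippets above are merged into one values file loaded as a dict; the function names are hypothetical, and the commander, configsyncer, houston, and houston-worker overrides are not checked because the page does not show their key paths.

```python
# Added example: audit parsed Helm values (a dict, e.g. from yaml.safe_load)
# for the Step 2 overrides. Function and variable names are hypothetical.

AIRFLOW_PATH = ("astronomer", "houston", "config", "deployments", "helm", "airflow")
# Airflow components listed in the Step 2 values block.
AIRFLOW_COMPONENTS = (
    "scheduler", "flower", "webserver", "triggerer", "pgbouncer",
    "migrateDatabaseJob", "statsd", "redis", "cleanup", "workers",
)


def lookup(values, path):
    """Return the value at a key path, or None if any key is missing."""
    node = values
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def audit_values(values):
    """Return dotted key paths that are not explicitly set to False."""
    required = [
        ("global", "rbacEnabled"),
        ("global", "serviceAccount", "create"),
        AIRFLOW_PATH + ("rbac", "create"),
    ]
    required += [AIRFLOW_PATH + (c, "serviceAccount", "create")
                 for c in AIRFLOW_COMPONENTS]
    # `is not False` also flags a missing key and the quoted string "false".
    return [".".join(p) for p in required if lookup(values, p) is not False]


def build_sample():
    """Constructed sample: triggerer override forgotten, workers left at True."""
    airflow = {c: {"serviceAccount": {"create": False}} for c in AIRFLOW_COMPONENTS}
    airflow["rbac"] = {"create": False}
    del airflow["triggerer"]
    airflow["workers"]["serviceAccount"]["create"] = True
    return {
        "global": {"rbacEnabled": False, "serviceAccount": {"create": False}},
        "astronomer": {"houston": {"config": {"deployments": {"helm": {"airflow": airflow}}}}},
    }


if __name__ == "__main__":
    for path in audit_values(build_sample()):
        print("not disabled:", path)
```

An empty result means every checked key is explicitly false; any path it returns is a component whose service account or RBAC creation has not been turned off in the values file.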

Step 3: Apply the config change.

Apply the config change to your Astronomer Software installation.