diff --git a/authentication/understanding-and-creating-service-accounts.adoc b/authentication/understanding-and-creating-service-accounts.adoc index ed1854708470..d0cec995b025 100644 --- a/authentication/understanding-and-creating-service-accounts.adoc +++ b/authentication/understanding-and-creating-service-accounts.adoc @@ -8,6 +8,8 @@ toc::[] include::modules/service-accounts-overview.adoc[leveloffset=+1] +include::modules/service-account-auto-secret-removed.adoc[leveloffset=+2] + // include::modules/service-accounts-enabling-authentication.adoc[leveloffset=+1] include::modules/service-accounts-creating.adoc[leveloffset=+1] diff --git a/modules/service-accounts-creating.adoc b/modules/service-accounts-creating.adoc index 78bdd4833421..1777bd46c5a0 100644 --- a/modules/service-accounts-creating.adoc +++ b/modules/service-accounts-creating.adoc @@ -22,9 +22,9 @@ $ oc get sa [source,terminal] ---- NAME SECRETS AGE -builder 2 2d -default 2 2d -deployer 2 2d +builder 1 2d +default 1 2d +deployer 1 2d ---- . To create a new service account in the current project: @@ -67,10 +67,10 @@ $ oc describe sa robot ---- Name: robot Namespace: project1 -Labels: -Annotations: +Labels: +Annotations: openshift.io/internal-registry-pull-secret-ref: robot-dockercfg-qzbhb Image pull secrets: robot-dockercfg-qzbhb Mountable secrets: robot-dockercfg-qzbhb -Tokens: robot-token-f4khf +Tokens: Events: ---- diff --git a/modules/service-accounts-granting-roles.adoc b/modules/service-accounts-granting-roles.adoc index be123ea2213b..bcab0ad027c5 100644 --- a/modules/service-accounts-granting-roles.adoc +++ b/modules/service-accounts-granting-roles.adoc @@ -3,7 +3,7 @@ // * authentication/using-service-accounts.adoc [id="service-accounts-granting-roles_{context}"] -= Examples of granting roles to service accounts += Granting roles to service accounts You can grant roles to service accounts in the same way that you grant roles to a regular user account. diff --git a/modules/service-accounts-overview.adoc b/modules/service-accounts-overview.adoc index 3c330053edcc..c029e7a21a0c 100644 --- a/modules/service-accounts-overview.adoc +++ b/modules/service-accounts-overview.adoc @@ -15,11 +15,12 @@ When you use the {product-title} CLI or web console, your API token authenticates you to the API. You can associate a component with a service account so that they can access the API without using a regular user's credentials. ifdef::openshift-online,openshift-origin,openshift-enterprise,openshift-webscale[] + For example, service accounts can allow: -* Replication controllers to make API calls to create or delete pods. -* Applications inside containers to make API calls for discovery purposes. -* External applications to make API calls for monitoring or integration purposes. +* Replication controllers to make API calls to create or delete pods +* Applications inside containers to make API calls for discovery purposes +* External applications to make API calls for monitoring or integration purposes endif::[] Each service account's user name is derived from its project and name: @@ -45,12 +46,3 @@ Every service account is also a member of two groups: specified project. |=== - -Each service account automatically contains two secrets: - -* An API token -* Credentials for the OpenShift Container Registry - -The generated API token and registry credentials do not expire, but you can -revoke them by deleting the secret. When you delete the secret, a new one is -automatically generated to take its place.