OCPBUGS#43809: Clarifying what's created for each service account

2026-02-05 12:46:18 +01:00 · 2025-02-03 08:14:54 -05:00
parent 6d21d15396
commit 55d6994dbb
4 changed files with 13 additions and 19 deletions
--- a/authentication/understanding-and-creating-service-accounts.adoc
+++ b/authentication/understanding-and-creating-service-accounts.adoc
@@ -8,6 +8,8 @@ toc::[]

 include::modules/service-accounts-overview.adoc[leveloffset=+1]

+include::modules/service-account-auto-secret-removed.adoc[leveloffset=+2]
+
 // include::modules/service-accounts-enabling-authentication.adoc[leveloffset=+1]

 include::modules/service-accounts-creating.adoc[leveloffset=+1]
--- a/modules/service-accounts-creating.adoc
+++ b/modules/service-accounts-creating.adoc
@@ -22,9 +22,9 @@ $ oc get sa
 [source,terminal]
 ----
 NAME       SECRETS   AGE
-builder    2         2d
-default    2         2d
-deployer   2         2d
+builder    1         2d
+default    1         2d
+deployer   1         2d
 ----

 . To create a new service account in the current project:
@@ -67,10 +67,10 @@ $ oc describe sa robot
 ----
 Name:                robot
 Namespace:           project1
-Labels:	             <none>
-Annotations:	     <none>
+Labels:              <none>
+Annotations:         openshift.io/internal-registry-pull-secret-ref: robot-dockercfg-qzbhb
 Image pull secrets:  robot-dockercfg-qzbhb
 Mountable secrets:   robot-dockercfg-qzbhb
-Tokens:              robot-token-f4khf
+Tokens:              <none>
 Events:              <none>
 ----
--- a/modules/service-accounts-granting-roles.adoc
+++ b/modules/service-accounts-granting-roles.adoc
@@ -3,7 +3,7 @@
 // * authentication/using-service-accounts.adoc

 [id="service-accounts-granting-roles_{context}"]
-= Examples of granting roles to service accounts
+= Granting roles to service accounts

 You can grant roles to service accounts in the same way that you grant roles
 to a regular user account.
--- a/modules/service-accounts-overview.adoc
+++ b/modules/service-accounts-overview.adoc
@@ -15,11 +15,12 @@ When you use the {product-title} CLI or web console, your API token
 authenticates you to the API. You can associate a component with a service account
 so that they can access the API without using a regular user's credentials.
 ifdef::openshift-online,openshift-origin,openshift-enterprise,openshift-webscale[]
+
 For example, service accounts can allow:

-* Replication controllers to make API calls to create or delete pods.
-* Applications inside containers to make API calls for discovery purposes.
-* External applications to make API calls for monitoring or integration purposes.
+* Replication controllers to make API calls to create or delete pods
+* Applications inside containers to make API calls for discovery purposes
+* External applications to make API calls for monitoring or integration purposes
 endif::[]

 Each service account's user name is derived from its project and name:
@@ -45,12 +46,3 @@ Every service account is also a member of two groups:
 specified project.

 |===
-
-Each service account automatically contains two secrets:
-
-* An API token
-* Credentials for the OpenShift Container Registry
-
-The generated API token and registry credentials do not expire, but you can
-revoke them by deleting the secret. When you delete the secret, a new one is
-automatically generated to take its place.