Overview
When CircleCI jobs run on a Container Runner in Kubernetes, the dynamically created task pods run under the namespace's default service account unless told otherwise. This article explains how to configure these pods to use a custom service account instead, which is useful for assigning specific IAM roles or permissions to job pods without touching the default service account.
Problem
By default, CircleCI job pods are scheduled with the default service account in your Kubernetes namespace, but you may need to:
- Associate specific IAM roles with CircleCI job pods
- Use service account-based permissions that differ from the default
- Maintain security best practices by avoiding modifications to the default service account
Solution
You can specify a custom service account for your task pods by configuring it in your Helm chart's values.yaml file under the resource class configuration:
agent:
  resourceClasses:
    <namespace>/<resource_class>:
      spec:
        serviceAccountName: <service_account_name>
Replace:
- <namespace>/<resource_class> with your namespace and resource class name
- <service_account_name> with the name of the service account you want to use
Implementation
After updating your values.yaml file, apply the changes by upgrading your Helm deployment:
$ helm upgrade container-agent container-agent/container-agent -n <namespace> -f values.yaml
Replace <namespace> with your actual namespace name.
Note
Make sure the service account you specify already exists in the namespace and has the necessary permissions for your workloads.
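The following script is an added example, not CircleCI's own code, that audits a Container Runner values.yaml before you run helm upgrade: it lists every resource class under agent.resourceClasses, reports which ones would still run under the namespace's default service account, and collects the service account names that must already exist in the namespace (the check the note above asks for). The resource class and service account names in the embedded sample are constructed for the example, and the small YAML reader handles only the nested-mapping subset shown in this article (no lists, anchors or inline braces); a real audit could swap it for PyYAML.

```python
"""Audit a CircleCI Container Runner values.yaml for task-pod service accounts.

Added example (not CircleCI's code). The reader below understands only the
subset of YAML used in this kind of values file: nested mappings with scalar
leaves, space indentation, '#' comments. Use PyYAML for anything richer.
"""
from typing import Any, Dict, List

DEFAULT_SA = "default"  # what Kubernetes uses when serviceAccountName is unset

# Constructed sample values.yaml: ci-build has a custom service account,
# ci-lint has no spec at all, ci-deploy has a spec without serviceAccountName.
SAMPLE_VALUES = """\
agent:
  resourceClasses:
    example-org/ci-build:
      spec:
        serviceAccountName: circleci-build-sa
    example-org/ci-lint:
    example-org/ci-deploy:
      spec:
        nodeSelector:
          kubernetes.io/os: linux
"""


def parse_simple_yaml(text: str) -> Dict[str, Any]:
    """Parse nested 'key:' / 'key: value' mappings by indentation."""
    root: Dict[str, Any] = {}
    stack: List[tuple] = [(-1, root)]  # (indent level, mapping at that level)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, sep, value = line.strip().partition(":")
        if not sep:
            raise ValueError(f"expected 'key:' or 'key: value', got {raw!r}")
        # Close every mapping that is indented at least as deep as this line.
        while stack[-1][0] >= indent:
            stack.pop()
        parent = stack[-1][1]
        value = value.strip().strip("'\"")
        if value:
            parent[key] = value
        else:
            child: Dict[str, Any] = {}
            parent[key] = child
            stack.append((indent, child))
    return root


def audit_service_accounts(values: Dict[str, Any]) -> Dict[str, str]:
    """Map each resource class to the service account its task pods will use."""
    classes = values.get("agent", {}).get("resourceClasses", {})
    report: Dict[str, str] = {}
    for resource_class, cfg in classes.items():
        spec = cfg.get("spec", {}) if isinstance(cfg, dict) else {}
        sa = spec.get("serviceAccountName") if isinstance(spec, dict) else None
        report[resource_class] = sa or DEFAULT_SA
    return report


def classes_using_default(values: Dict[str, Any]) -> List[str]:
    """Resource classes whose pods fall back to the default service account."""
    return sorted(rc for rc, sa in audit_service_accounts(values).items()
                  if sa == DEFAULT_SA)


def required_service_accounts(values: Dict[str, Any]) -> List[str]:
    """Custom service accounts that must exist in the namespace before upgrading."""
    return sorted({sa for sa in audit_service_accounts(values).values()
                   if sa != DEFAULT_SA})


if __name__ == "__main__":
    parsed = parse_simple_yaml(SAMPLE_VALUES)
    for rc, sa in audit_service_accounts(parsed).items():
        print(f"{rc}: serviceAccountName={sa}")
    print("still on default SA:", classes_using_default(parsed))
    print("must exist before helm upgrade:", required_service_accounts(parsed))
```

Point the script at your own values.yaml (read the file into parse_simple_yaml instead of SAMPLE_VALUES) and, for each name in the "must exist" list, confirm it with kubectl get serviceaccount in the same namespace you pass to helm upgrade with -n.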