Admiralty just open-sourced multicluster-service-account, for when you need a pod in a cluster to call the Kubernetes API server of another cluster, i.e., cross-cluster authentication, useful in some hybrid and multicloud architectures.
Check out the introduction blog post (the why?) and the project on GitHub (the how?).
Multicluster-service-account consists of:
- a ServiceAccountImport custom resource definition (CRD) and controller to import remote service accounts (and their secrets);
- a dynamic admission webhook to automount service account import secrets inside annotated pods, the same way regular service account token secrets are automounted inside pods;
- a Go library of helper methods to generate client-go configurations from service account imports (as well as generic methods to fall back to kubeconfig contexts and regular service accounts).
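To make the third bullet concrete, here is an added example (mine, not the project's library, which builds on client-go) that does the same job with only the Go standard library: read an automounted service account import and turn it into an HTTP client for the remote API server. The file names under the mount (`server`, `namespace`, `token`, `ca.crt`) and the mount directory are assumptions chosen to mirror a regular service account mount plus the remote server URL; check the project's README for the real layout. `WriteFakeImport` only exists to exercise the loader offline with a constructed mount and a throwaway CA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"net/http"
	"os"
	"path/filepath"
	"strings"
	"time"
)

// ImportConfig is what a pod needs to call a remote cluster's API server:
// where it is, which CA vouches for it, and which token to present.
type ImportConfig struct {
	Server, Namespace, Token string
	CAPool                   *x509.CertPool
}

// LoadImport reads an automounted service account import from dir.
// Assumed layout (not taken from the project): files "server", "namespace",
// "token" and "ca.crt", i.e. a regular service account mount plus the URL.
func LoadImport(dir string) (*ImportConfig, error) {
	vals := map[string]string{}
	for _, name := range []string{"server", "namespace", "token", "ca.crt"} {
		b, err := os.ReadFile(filepath.Join(dir, name))
		if err != nil {
			return nil, err
		}
		vals[name] = strings.TrimSpace(string(b))
	}
	// The token is a credential for another cluster: refuse to send it in clear.
	if !strings.HasPrefix(vals["server"], "https://") {
		return nil, errors.New("import server URL must start with https://")
	}
	if vals["token"] == "" {
		return nil, errors.New("import token is empty")
	}
	// Trust only the remote cluster's CA, never the system roots, so the
	// token cannot be replayed to a publicly trusted impostor.
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM([]byte(vals["ca.crt"])) {
		return nil, errors.New("import ca.crt holds no valid certificate")
	}
	return &ImportConfig{Server: vals["server"], Namespace: vals["namespace"], Token: vals["token"], CAPool: pool}, nil
}

// bearerTransport attaches the token to each request, cloning it first so the
// caller's request is left untouched as the RoundTripper contract requires.
type bearerTransport struct {
	token string
	base  http.RoundTripper
}

func (t *bearerTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	r := req.Clone(req.Context())
	r.Header.Set("Authorization", "Bearer "+t.token)
	return t.base.RoundTrip(r)
}

// NewClient returns an HTTP client pinned to the remote cluster's CA.
func NewClient(cfg *ImportConfig) *http.Client {
	tr := &http.Transport{TLSClientConfig: &tls.Config{RootCAs: cfg.CAPool, MinVersion: tls.VersionTLS12}}
	return &http.Client{Transport: &bearerTransport{token: cfg.Token, base: tr}, Timeout: 30 * time.Second}
}

// WriteFakeImport writes a constructed import mount with a throwaway CA so the
// loader can be exercised offline; a real mount carries the remote cluster's CA.
func WriteFakeImport(dir, server string) error {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "fake-remote-ca"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: true, BasicConstraintsValid: true}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return err
	}
	files := map[string][]byte{
		"server":    []byte(server + "\n"),
		"namespace": []byte("default\n"),
		"token":     []byte("constructed-token-not-a-real-credential\n"),
		"ca.crt":    pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
	}
	for name, b := range files {
		if err := os.WriteFile(filepath.Join(dir, name), b, 0o600); err != nil {
			return err
		}
	}
	return nil
}
```

Usage: call `LoadImport` with the directory the webhook mounted into the pod, then `NewClient(cfg).Get(cfg.Server + "/api/v1/namespaces/" + cfg.Namespace + "/pods")`, or hand `cfg` to client-go's `rest.Config` if you already depend on it. Two points worth keeping whatever library you use: the client must verify the remote server against the imported CA only (no `InsecureSkipVerify`, no system roots), and the imported token is a standing credential in the other cluster, so the RBAC bound to that remote service account should be the minimum the calling pod needs.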
Multicluster-controller has been updated to be compatible with multicluster-service-account.