Introducing Multicluster-Service-Account

Admiralty just open-sourced multicluster-service-account, for when you need a pod in one cluster to call the Kubernetes API server of another cluster, i.e., cross-cluster authentication, which some hybrid and multicloud architectures require.

Check out the introduction blog post (the why?) and the project on GitHub (the how?).

Multicluster-service-account consists of:

  1. a ServiceAccountImport custom resource definition (CRD) and controller to import remote service accounts (and their secrets);
  2. a dynamic admission webhook to automount service account import secrets inside annotated pods, the same way regular service accounts are automounted inside pods;
  3. a Go library of helper methods to generate client-go configurations from service account imports (as well as generic methods to fall back to kubeconfig contexts and regular service accounts).
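As an added example (not code from the multicluster-service-account project), the following Go program shows what a pod would do with an automounted service account import: build a client configuration for the remote cluster from the mounted files, pinning TLS to the remote cluster's CA and refusing to proceed without it. The file names (server, token, ca.crt) and the helper WriteConstructedImport are assumptions for this example, not the project's documented secret layout or library API.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"strings"
	"time"
)

// ImportConfig: minimal equivalent of a client-go rest.Config for the remote cluster (URL, bearer token, TLS pinned to its CA).
type ImportConfig struct {
	Server, Token string
	TLS           *tls.Config
}

// ConfigFromImportDir reads the automounted files; the names (server, token, ca.crt) are assumed here, not the project's layout.
func ConfigFromImportDir(dir string) (*ImportConfig, error) {
	f := map[string]string{}
	for _, name := range []string{"server", "token", "ca.crt"} {
		b, err := os.ReadFile(filepath.Join(dir, name))
		if err != nil { return nil, err }
		f[name] = strings.TrimSpace(string(b))
	}
	// Trust only the imported CA: never fall back to system roots for a remote API server.
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM([]byte(f["ca.crt"])) {
		return nil, fmt.Errorf("%s/ca.crt: no valid PEM certificate", dir)
	}
	return &ImportConfig{Server: f["server"], Token: f["token"],
		TLS: &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}}, nil
}

// WriteConstructedImport fakes the automounted files with a throwaway self-signed CA (constructed demo data, not real credentials).
func WriteConstructedImport(dir, server, token string) error {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { return err }
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil { return err }
	files := map[string][]byte{"server": []byte(server), "token": []byte(token), "ca.crt": pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})}
	for name, body := range files {
		if err := os.WriteFile(filepath.Join(dir, name), body, 0o600); err != nil { return err }
	}
	return nil
}
```

The resulting ImportConfig.TLS goes into an http.Transport, and the token into an Authorization: Bearer header, exactly the two pieces a rest.Config carries for the remote cluster.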

Multicluster-controller has been updated to be compatible with multicluster-service-account.