GITBOOK-29: C9s-62 + 59 : Support service accounts with registry secrets

This commit is contained in:
Hannah Cooper
2026-03-24 06:44:40 +00:00
committed by gitbook-bot
parent 23d82b7989
commit 6d70693c5f
7 changed files with 24 additions and 5 deletions

Binary file not shown (size after change: 114 KiB).

Binary file not shown (size after change: 1.2 MiB).

Binary file not shown (size after change: 1.1 MiB).

View File

@@ -15,6 +15,10 @@ To create a Kubernetes registry policy, in the menu, under **Environment-related
Currently, only custom registry policies can be created. Future improvements to the policies feature will introduce policy templates.
{% endhint %}
{% hint style="info" %}
When registry access is added to a namespace, Portainer creates a registry secret and adds it to the default [Service Account](../../../../user/kubernetes/more-resources/service-accounts.md) as an imagePullSecret, allowing Pods in the namespace to pull images from the private registry automatically. When registry access is removed, Portainer deletes the registry secret and removes it from the default Service Account while retaining any other existing imagePullSecrets.
{% endhint %}
| Field/Option | Overview |
| ------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| Name | Define a name for this policy. |
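Review bot: The new info hint says Portainer "creates a registry secret" in the namespace but not what that secret contains or who can read it; since it carries the registry credentials into every namespace the policy grants, suggest adding one sentence noting that anyone allowed to read Secrets in that namespace can read those credentials, so the registry account used should be pull-only. Also, this hint text is repeated word for word in registries.md and service-accounts.md in the same commit; consider keeping one canonical copy and linking to it so the three do not drift apart.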

View File

@@ -21,7 +21,7 @@ This view lets you manage access to each of the registries that are currently av
From the menu expand **Cluster**, select **Registries** then click **Add registry**. When the global registries page appears, follow [these instructions](../../../admin/registries/add/).
<figure><img src="../../../.gitbook/assets/2.15-k8s-cluster-registries-add.gif" alt=""><figcaption></figcaption></figure>
<figure><img src="../../../.gitbook/assets/2.40.0-new-registry.gif" alt=""><figcaption></figcaption></figure>
## Managing access
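Review bot: The replacement figure is named `2.40.0-new-registry.gif` while the other assets introduced in this commit use a `2.40-` prefix (`2.40-service-account-details.png`, `2.40-warning-confirmation-box.png`); pick one version prefix for asset names. Also confirm the dropped `2.15-k8s-cluster-registries-add.gif` is not referenced by another page before it is deleted, and the new figure keeps an empty `alt=""`, which should carry a short description of what the animation shows.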
@@ -31,14 +31,16 @@ If access to a registry is being managed by a Kubernetes registry [policy](../..
To configure access to a registry, from the menu expand **Cluster** then select **Registries**.
<figure><img src="../../../.gitbook/assets/2.15-k8s-cluster-registries.gif" alt=""><figcaption></figcaption></figure>
Find the registry you want to manage then select **Manage access**.&#x20;
<figure><img src="../../../.gitbook/assets/2.15-k8s-cluster-registries-manage.png" alt=""><figcaption></figcaption></figure>
From the dropdown, select the namespaces that you would like to have access, then click **Create access**.
{% hint style="info" %}
When registry access is added to a namespace, Portainer creates a registry secret and adds it to the default [Service Account](../more-resources/service-accounts.md) as an imagePullSecret, allowing Pods in the namespace to pull images from the private registry automatically. When registry access is removed, Portainer deletes the registry secret and removes it from the default Service Account while retaining any other existing imagePullSecrets.
{% endhint %}
<figure><img src="../../../.gitbook/assets/2.15-k8s-cluster-registries-createaccess.png" alt=""><figcaption></figcaption></figure>
You can see a list of the namespaces that have access to the registry or remove a namespace's access to the registry in the **Access** section.
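Review bot: The hint describes what the added imagePullSecret does for Pods ("allowing Pods in the namespace to pull images ... automatically") but says nothing about the effect of removal on Pods that still reference images from that registry; a sentence on what happens to new and existing Pods after access is removed would complete the picture. Separately, the hint is inserted between the "click **Create access**" step and its screenshot (`2.15-k8s-cluster-registries-createaccess.png`), splitting the instruction from its figure; placing the hint after the figure keeps the step together.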

View File

@@ -17,8 +17,14 @@ This section lists the Service Accounts on your Kubernetes cluster. The list can
Editing of Service Account details is disabled for resources in namespaces [marked as system](../namespaces/manage.md#actions).&#x20;
{% endhint %}
{% hint style="info" %}
When [registry access is added to a namespace](../cluster/registries.md#managing-access), Portainer creates a registry secret and adds it to the default Service Account as an imagePullSecret, allowing Pods in the namespace to pull images from the private registry automatically. When registry access is removed, Portainer deletes the registry secret and removes it from the default Service Account while retaining any other existing imagePullSecrets.
{% endhint %}
You can view the details of a Service Account by clicking its name from the Service Account list.
The **Service account** tab displays read-only details for the selected account. To modify the resource, switch to the **YAML** tab where you can edit the manifest directly. Once you have made your changes, click **Apply changes** in the bottom right.
The **Service account** tab displays details for the selected account.&#x20;
<figure><img src="../../../.gitbook/assets/2.40.0-service-account-details.png" alt=""><figcaption></figcaption></figure>
To modify the resource, switch to the **YAML** tab where you can edit the manifest directly. Once you have made your changes, click **Apply changes**.
<figure><img src="../../../.gitbook/assets/2.40-service-account-details.png" alt=""><figcaption></figcaption></figure>
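Review bot: The hunk carries both the single combined sentence ("The **Service account** tab displays read-only details ... click **Apply changes** in the bottom right.") and the two-sentence split version of the same text, plus both `2.40.0-service-account-details.png` and `2.40-service-account-details.png`; make sure only one wording and one asset survive in the final file, and that the one kept matches what the release note (`2.40-service-account-details.png`) references. The two asset names also differ only by version prefix, so the unused image should be removed from `.gitbook/assets` rather than left orphaned.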

View File

@@ -36,3 +36,10 @@ By combining visual identification with enforced confirmation, this policy helps
<figure><img src=".gitbook/assets/2.40-warning-confirmation-box.png" alt="" width="364"><figcaption></figcaption></figure>
### Default Service Account imagePullSecret management ![](.gitbook/assets/button_be.png) ![](.gitbook/assets/button_ce.png)
Portainer now automatically updates the default [Service Account](user/kubernetes/more-resources/service-accounts.md) in a namespace when registry access is added or removed as part of a [registry policy](admin/environments/policies/kubernetes-policies/kubernetes-registry-policy.md) (BE only) or from the [Registries view](user/kubernetes/cluster/registries.md#managing-access). When access is granted, the registry secret is added as an imagePullSecret to the default Service Account, allowing Pods in the namespace to pull images from the private registry automatically. When access is removed, the secret is removed from the default Service Account while any other existing imagePullSecrets are retained. This change is accompanied by an improved Service account details view, which allows you to view Service Account details and edit the YAML.
<figure><img src=".gitbook/assets/2.40-service-account-details.png" alt=""><figcaption></figcaption></figure>
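Review bot: The release note says that on removal "the secret is removed from the default Service Account", while the three hints added elsewhere in this commit say Portainer "deletes the registry secret and removes it from the default Service Account"; these describe different end states (secret still present in the namespace versus gone), so align the wording with the actual behaviour. Also, the "(BE only)" qualifier is attached to the registry-policy link while the heading shows both BE and CE badges; a short clause stating that the Registries-view path applies to both editions would avoid readers inferring the whole feature is BE-only.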