GameServer Pod Service Accounts
By default, Agones sets up service accounts and sets them appropriately for the Pods that are created for GameServers.
Since Agones provides GameServer Pods with a sidecar container that needs access to Agones Custom Resource Definitions, Pods are configured with a service account with extra RBAC permissions to ensure that it can read and modify the resources it needs.
Since service accounts apply to all containers in a Pod, Agones will automatically overwrite the mounted key for the service account in the container that is running the dedicated game server in the backing Pod. This is done since game server containers are exposed publicly, and generally don’t require the extra permissions to access aspects of the Kubernetes API.
Bringing your own Service Account
If needed, you can provide your own service account on the Pod specification in the GameServer configuration.
If you bring your own Service Account, it’s your responsibility to ensure it matches all the RBAC permissions the GameServer Pod usually acquires from Agones by default, otherwise GameServers can fail.
The default RBAC permissions can be found in the installation YAML on GitHub and can be used for reference.
  ports:
  - name: default
  template:
    spec:
      serviceAccountName: my-special-service-account # a custom service account
      containers:
      - name: simple-game-server
If a service account is configured, the mounted key is not overwritten, as it is assumed that you want to have full control of the service account and underlying RBAC permissions.
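One way to check a custom service account's Role against the default permissions before deploying, as an added example that is not part of the Agones documentation or code base. The baseline rules, the Role contents and the function names are constructed for illustration; take the real baseline from the installation YAML of the release you run.

```python
import json

# Constructed baseline, NOT copied from Agones: replace with the rules from
# the installation YAML of the release you run.
REQUIRED_RULES = [
    {"apiGroups": [""], "resources": ["events"], "verbs": ["create", "patch"]},
    {"apiGroups": ["agones.dev"], "resources": ["gameservers"],
     "verbs": ["list", "update", "watch"]},
]

# Constructed Role bound to the custom service account, shaped like the
# output of `kubectl get role <name> -o json`.
CUSTOM_ROLE_JSON = """
{"rules": [
  {"apiGroups": [""], "resources": ["events"], "verbs": ["create", "patch"]},
  {"apiGroups": ["agones.dev"], "resources": ["gameservers"], "verbs": ["list", "watch"]},
  {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get"]}
]}
"""

def expand(rules):
    """Flatten RBAC rules into (apiGroup, resource, verb) triples.
    resourceNames and nonResourceURLs are not evaluated."""
    return {(g, r, v)
            for rule in rules
            for g in rule.get("apiGroups", [])
            for r in rule.get("resources", [])
            for v in rule.get("verbs", [])}

def covers(granted, needed):
    """A granted triple covers a needed one if each field is equal or '*'."""
    return all(g in ("*", n) for g, n in zip(granted, needed))

def audit(required_rules, custom_rules):
    """Return (missing, excess) triples for a custom Role against a baseline."""
    required, granted = expand(required_rules), expand(custom_rules)
    missing = sorted(n for n in required
                     if not any(covers(g, n) for g in granted))
    # Every grant beyond the baseline is usable by the game server container
    # too, because the mounted key is not overwritten for a custom account.
    excess = sorted(g for g in granted if g not in required)
    return missing, excess

if __name__ == "__main__":
    missing, excess = audit(REQUIRED_RULES, json.loads(CUSTOM_ROLE_JSON)["rules"])
    print("missing:", missing, "excess:", excess)
```

A non-empty `missing` list corresponds to the case where GameServers can fail; a non-empty `excess` list, including any wildcard grant, is permission that the publicly exposed game server container also holds.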
Last modified February 20, 2024: Document `Distributed` pod scheduling. (#3662) (24e7f83)