How to create a service account and kubeconfig

Posted on Views:
在 Kubernetes 中建立 service account 和 kubeconfig

Create a service account

Command line

  1. create a service account called dev in app namespace

    1
    kubectl -n app create sa dev

  2. create a cluster role binding bind dev service account and cluster-admin cluster role

    1
    2
    3
    kubectl create clusterrolebinding app-cluster-admin \
      --clusterrole=cluster-admin \
      --serviceaccount=app:dev

  3. get secret of dev service account

    1
    2
    3
    4
    5
    # get token name
    TOKENNAME=`kubectl -n app get serviceaccount/dev -o jsonpath='{.secrets[0].name}'`

    # get token
    TOKEN=`kubectl -n app get secret $TOKENNAME -o jsonpath='{.data.token}'| base64 --decode`

Yaml

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: dev

---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: dev
rules:
- apiGroups: ["", "extensions"]
  resources: ["pods", "configmap", "services", "ingresses"]
  verbs: ["create","delete","get","list","patch","update","watch"]
- apiGroups: [""]
  resources: ["pods/exec"]
  verbs: ["create","delete","get","list","patch","update","watch"]
- apiGroups: [""]
  resources: ["pods/log"]
  verbs: ["get","list","watch"]
- apiGroups: [""]
  resources: ["events"]
  verbs: ["watch"]
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get"]

---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
  name: dev
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: dev
subjects:
- kind: ServiceAccount
  name: dev

Generate a kubeconfig of service account

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
#!/bin/bash

# check flag exist
if [[ -z "$1" ]]; then
  echo "usage: $0 <namespace> <sa>"
  exit 1
fi

if [[ -z "$2" ]]; then
  echo "usage: $0 $1 <sa>"
  exit 1
fi

# create temp dir
temp_dir=$(mktemp -d)
trap "{ rm -rf $temp_dir ; exit 255; }" EXIT

# set variables
## set namespace from arguments
ns=$1

## set service account from arguments
sa=$2

## set kubeconfig filename
config_path="$2.conf"

# get information
## get sa token name
sa_token_name=$(kubectl -n "$ns" get sa "$sa" -o jsonpath='{.secrets[0].name}')

## get sa token value
sa_token=$(kubectl get secrets -n "$ns" "$sa_token_name" -o jsonpath='{.data.token}' | base64 -d)

## get current context ca.crt
kubectl get secrets -n "$ns" "$sa_token_name" -o jsonpath='{.data.ca\.crt}' | base64 -d >"$temp_dir"/ca.crt

## get cluster name
current_context=$(kubectl config current-context)
cluster_name=$(kubectl config get-contexts "$current_context" | awk '{print $3}' | tail -n 1)

## get cluster url
cluster_url=$(kubectl config view -o jsonpath="{.clusters[?(@.name == \"${cluster_name}\")].cluster.server}")

# creatje kubeconfig
kubectl config --kubeconfig="$config_path" \
  set-cluster "$cluster_name" \
  --server="$cluster_url" \
  --certificate-authority="$temp_dir/ca.crt" \
  --embed-certs=true

kubectl config --kubeconfig="$config_path" \
  set-credentials "$sa" \
  --token="$sa_token"

kubectl config --kubeconfig="$config_path" \
  --user="$sa" \
  --namespace="$ns" \
  --cluster="$cluster_name" \
  set-context "$sa-ctx"

kubectl config --kubeconfig="$config_path" \
  use-context "$sa-ctx"

# finish
echo "kubeconfig written to $config_path"

可以搭配 merge multiple configs 使用

Test kubeconfig

1
kubectl --kubeconfig=dev.conf cluster-info