Kubernetes kubeconfig scoped to a namespace
Arthur
Posted on April 9, 2023
This article is meant to be a guide to setting up a multi-user, namespace-scoped Kubernetes cluster.
Kubernetes, also known as K8s, is an open-source system for automating deployment, scaling, and management of containerized applications.
While Kubernetes has no built-in user objects, it has what are called service accounts. These are accounts to which roles are bound, and the bound roles define which operations may be performed on which Kubernetes resources. A service account provides an identity for processes that run in a Pod.
Before you can access the Kubernetes API server, a service account with the necessary roles is required.
This article assumes that you already have roles and a namespace set up. You can ignore the namespace if you don't want to scope the service account to one.
To create a service account, apply the following manifest:
apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: devspace
  name: arthur
Aside from the above, you also need to create a Secret that holds the token for your service account, as follows:
kubectl apply -f - <<EOF
apiVersion: v1
kind: Secret
metadata:
  namespace: devspace
  name: auth-secret
  annotations:
    kubernetes.io/service-account.name: arthur
type: kubernetes.io/service-account-token
EOF
With the service account and its token Secret created, we can proceed to creating a kubeconfig file (used to authenticate requests sent to the API server).
The kubeconfig file is a YAML file; the bash script below generates it once you replace the values at the top with your own.
Create a bash script file and give it a name, e.g. kubeconfig.sh, then make it executable:
chmod +x ./kubeconfig.sh
and finally add the content below to the file. Make any changes to suit your needs.
#!/usr/bin/env sh
# The script prints a kubeconfig for the given ServiceAccount.
# You need kubectl on PATH with the current context set to the cluster you want to create the config for.
# Cosmetics for the created config
clusterName='SwiftCloudCluster'
# your server address goes here; get it via `kubectl cluster-info`
server='https://kube-master:6443'
# the Namespace and ServiceAccount name that is used for the config
namespace='devspace'
serviceAccount='arthur'
# The following automation does not work from Kubernetes 1.24 and up.
# You need to
# define a Secret, reference the ServiceAccount there and set the secretName as described in the [article](dev.to/arthurkay)!
# See https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#manually-create-a-long-lived-api-token-for-a-serviceaccount for details
#secretName=$(kubectl --namespace="$namespace" get serviceAccount "$serviceAccount" -o=jsonpath='{.secrets[0].name}')
# For kubernetes v1.24 and above, use the name of the Secret created above (auth-secret):
secretName='auth-secret'
######################
# actual script starts
set -o errexit
# ca.crt is kept base64-encoded: certificate-authority-data expects base64
ca=$(kubectl --namespace="$namespace" get secret/"$secretName" -o=jsonpath='{.data.ca\.crt}')
# the token is decoded, because the kubeconfig carries it as plain text
token=$(kubectl --namespace="$namespace" get secret/"$secretName" -o=jsonpath='{.data.token}' | base64 --decode)
echo "
---
apiVersion: v1
kind: Config
clusters:
- name: ${clusterName}
  cluster:
    certificate-authority-data: ${ca}
    server: ${server}
contexts:
- name: ${serviceAccount}@${clusterName}
  context:
    cluster: ${clusterName}
    namespace: ${namespace}
    user: ${serviceAccount}
users:
- name: ${serviceAccount}
  user:
    token: ${token}
current-context: ${serviceAccount}@${clusterName}
"
To create the actual kubeconfig file, execute the script and redirect its output to a file:
./kubeconfig.sh > kubeconfig
This creates a file named kubeconfig that can be used to authenticate with your Kubernetes cluster.
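As an added check (example code, not part of the original article), the script below verifies that the token inside a generated kubeconfig really belongs to the intended service account and namespace: the namespace in the context only sets kubectl's default, while the token's claims decide which account the API server authorizes. It assumes the file layout produced by the script above, and the sample token is a constructed, unsigned stand-in for a real service-account token.

```shell
#!/usr/bin/env sh
# Sanity-check a generated kubeconfig before handing it to a user.
set -o errexit

# Decode the payload (second segment) of a JWT. It is base64url without
# padding, so restore the padding before decoding. No signature check here;
# this only reads the claims, the API server still verifies the token.
jwt_payload() {
  seg=$(printf '%s' "$1" | cut -d. -f2)
  case $(( ${#seg} % 4 )) in
    2) seg="${seg}==" ;;
    3) seg="${seg}=" ;;
  esac
  printf '%s' "$seg" | tr '_-' '/+' | base64 --decode
}

# Print one string claim, e.g. kubernetes.io/serviceaccount/namespace
jwt_claim() {
  jwt_payload "$1" | sed -n "s|.*\"$2\":\"\([^\"]*\)\".*|\1|p"
}

# Compare the context namespace and expected service account with the claims
# in the embedded token. Returns 0 only when both agree.
check_kubeconfig() {
  file=$1; sa=$2
  ctx_ns=$(sed -n 's/^ *namespace: *//p' "$file" | head -n1)
  tok=$(sed -n 's/^ *token: *//p' "$file" | head -n1)
  tok_ns=$(jwt_claim "$tok" 'kubernetes.io/serviceaccount/namespace')
  tok_sa=$(jwt_claim "$tok" 'kubernetes.io/serviceaccount/service-account.name')
  if [ "$ctx_ns" = "$tok_ns" ] && [ "$sa" = "$tok_sa" ]; then
    echo "OK: token is for $tok_sa in $tok_ns"; return 0
  fi
  echo "MISMATCH: context ns=$ctx_ns sa=$sa, token ns=$tok_ns sa=$tok_sa"; return 1
}

# Constructed sample token (unsigned) carrying the claims a long-lived
# service-account token contains; a real one comes from the Secret's data.token.
b64url() { base64 | tr -d '=\n' | tr '/+' '_-'; }
payload='{"iss":"kubernetes/serviceaccount","kubernetes.io/serviceaccount/namespace":"devspace","kubernetes.io/serviceaccount/service-account.name":"arthur"}'
SAMPLE_TOKEN="$(printf '%s' '{"alg":"RS256"}' | b64url).$(printf '%s' "$payload" | b64url).sig"

# Usage against a generated file: check_kubeconfig ./kubeconfig arthur
```

On a live cluster, `kubectl --kubeconfig=./kubeconfig auth can-i get pods -n devspace` and the same query against another namespace show whether the bound roles actually confine the account to devspace.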