k8s‐service‐account - robjcook/sync GitHub Wiki

To grant a service account access to multiple namespaces, you'll need to create a ClusterRole with the necessary permissions and then bind it to the service account using a ClusterRoleBinding. This allows the service account to have the same permissions across all specified namespaces. Here's how you can do it:

  1. Create a Service Account:
apiVersion: v1
kind: ServiceAccount
metadata:
  name: deployer
  namespace: default
  1. Create a ClusterRole:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: deployer-clusterrole
rules:
- apiGroups: ["", "apps", "extensions"]
  resources: ["deployments", "pods", "services"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  1. Create a ClusterRoleBinding:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: deployer-clusterrolebinding
subjects:
- kind: ServiceAccount
  name: deployer
  namespace: default
roleRef:
  kind: ClusterRole
  name: deployer-clusterrole
  apiGroup: rbac.authorization.k8s.io
  1. Apply the YAML files:

Save the above YAML snippets into separate files, e.g., service-account.yaml, clusterrole.yaml, and clusterrolebinding.yaml. Then apply them using kubectl:

kubectl apply -f service-account.yaml
kubectl apply -f clusterrole.yaml
kubectl apply -f clusterrolebinding.yaml

This setup will create a service account named deployer in the default namespace with a ClusterRole that has permissions to manage deployments, pods, and services across all namespaces. The ClusterRoleBinding ensures that the service account is bound to the ClusterRole, allowing it to perform the specified actions across the entire cluster.

To generate an associated secret for the service account and configure it for external use, you can follow these steps:

  1. Create the Service Account, ClusterRole, and ClusterRoleBinding:

If you haven't already created the service account and associated roles, follow the steps provided in the previous messages.

  1. Retrieve the Service Account Token:

Create a secret for the service account which will contain the token used for authentication.

kubectl apply -f - <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: deployer-secret
  namespace: default
  annotations:
    kubernetes.io/service-account.name: deployer
type: kubernetes.io/service-account-token
EOF

After applying this, the secret will be created with the service account token.

  1. Retrieve the Secret:

Get the secret associated with the service account to use it for external access.

kubectl get secret deployer-secret -o jsonpath='{.data.token}' | base64 --decode

Store the token in a safe place; you'll need it to authenticate.

  1. Retrieve the CA Certificate:

Get the CA certificate from your Kubernetes cluster. This is necessary for external clients to validate the Kubernetes API server's certificate.

kubectl get secret deployer-secret -o jsonpath='{.data.ca\.crt}' | base64 --decode > ca.crt
  1. Retrieve the Kubernetes API Server URL:

Get the Kubernetes API server URL, which you will need to connect to the cluster from outside.

kubectl cluster-info | grep 'Kubernetes master' | awk '/http/ {print $NF}'
  1. Configure kubectl for External Use:

Create a kubeconfig file that external tools can use to interact with the Kubernetes cluster.

apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: <base64 encoded CA certificate>
    server: https://<kubernetes-api-server-url>
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: deployer
  name: deployer-context
current-context: deployer-context
kind: Config
preferences: {}
users:
- name: deployer
  user:
    token: <service-account-token>

Replace <base64 encoded CA certificate>, <kubernetes-api-server-url>, and <service-account-token> with the actual values obtained in the previous steps.

  1. Save the Configuration:

Save the above configuration into a file named kubeconfig.

  1. Use the kubeconfig File:

You can now use this kubeconfig file to interact with your Kubernetes cluster from an external environment.

KUBECONFIG=kubeconfig kubectl get pods

By following these steps, you will have created a service account, associated it with the necessary permissions, generated a secret containing the authentication token, and configured an external kubeconfig to use that service account for accessing the Kubernetes cluster.