How to create a Kubernetes service account
Use this procedure to create a kubeconfig file for a Kubernetes service account.
- Log in to the master node or set your context to the target cluster. Setting the context varies by cloud provider; refer to the provider's documentation.
- Copy and paste the following commands to create a service account named `zenoss-app`, if necessary.

```shell
kubectl get serviceaccount zenoss-app 2>/dev/null || kubectl apply -f- <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: zenoss-app
  namespace: default
EOF
```
- Copy and paste the following commands to create a cluster role named `zenoss-clusterrole`, if necessary.

```shell
kubectl get clusterrole zenoss-clusterrole 2>/dev/null || kubectl apply -f- <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  # "namespace" omitted since ClusterRoles are not namespaced
  name: zenoss-clusterrole
rules:
- apiGroups:
  - ""
  resources:
  - nodes
  - pods
  - services
  - namespaces
  - persistentvolumeclaims
  - persistentvolumes
  verbs:
  - list
  - watch
  - get
- apiGroups:
  - apps
  resources:
  - statefulsets
  - deployments
  verbs:
  - list
  - watch
  - get
- apiGroups:
  - events.k8s.io
  resources:
  - events
  verbs:
  - list
  - watch
  - get
- apiGroups:
  - metrics.k8s.io
  resources:
  - nodes
  - pods
  verbs:
  - list
  - watch
  - get
EOF
```
- Copy and paste the following commands to create the cluster role binding named `zenoss-app-service-account-binding`, if necessary.

```shell
kubectl get clusterrolebinding cluster-role-binding-zapp 2>/dev/null || kubectl apply -f- <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  # "namespace" omitted since ClusterRoleBindings are not namespaced
  name: cluster-role-binding-zapp
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: zenoss-clusterrole
subjects:
- kind: ServiceAccount
  name: zenoss-app
  namespace: default
EOF
```
- Copy the following Bash script and paste it into a file named `create_sa_kubeconfig.sh`.

```bash
#!/usr/bin/env bash
# Build a standalone kubeconfig that authenticates as the service account's token
# and contains nothing from the operator's own credentials.
set -euo pipefail

SERVICE_ACCOUNT_NAME=zenoss-app
CONTEXT=$(kubectl config current-context)
NAMESPACE=default
NEW_CONTEXT=default
KUBECONFIG_FILE="kubeconfig-serviceaccount"

# Name of the token secret listed on the service account
SECRET_NAME=$(kubectl get serviceaccount ${SERVICE_ACCOUNT_NAME} \
  --context "${CONTEXT}" \
  --namespace ${NAMESPACE} \
  -o jsonpath='{.secrets[0].name}')
if [ -z "${SECRET_NAME}" ]; then
  echo "Service account ${SERVICE_ACCOUNT_NAME} lists no token secret; cannot continue." >&2
  exit 1
fi

# Base64-encoded bearer token stored in that secret
TOKEN_DATA=$(kubectl get secret "${SECRET_NAME}" \
  --context "${CONTEXT}" \
  --namespace ${NAMESPACE} \
  -o jsonpath='{.data.token}')
TOKEN=$(echo "${TOKEN_DATA}" | base64 -d)

# Create dedicated kubeconfig
# Create a full copy
kubectl config view --raw > ${KUBECONFIG_FILE}.full.tmp
# Switch working context to correct context
kubectl --kubeconfig ${KUBECONFIG_FILE}.full.tmp config use-context "${CONTEXT}"
# Minify
kubectl --kubeconfig ${KUBECONFIG_FILE}.full.tmp \
  config view --flatten --minify > ${KUBECONFIG_FILE}.tmp
# Rename context
kubectl config --kubeconfig ${KUBECONFIG_FILE}.tmp \
  rename-context "${CONTEXT}" ${NEW_CONTEXT}
# Create token user
kubectl config --kubeconfig ${KUBECONFIG_FILE}.tmp \
  set-credentials "${CONTEXT}"-${NAMESPACE}-token-user \
  --token "${TOKEN}"
# Set context to use token user
kubectl config --kubeconfig ${KUBECONFIG_FILE}.tmp \
  set-context ${NEW_CONTEXT} --user "${CONTEXT}"-${NAMESPACE}-token-user
# Set context to correct namespace
kubectl config --kubeconfig ${KUBECONFIG_FILE}.tmp \
  set-context ${NEW_CONTEXT} --namespace ${NAMESPACE}
# Flatten/minify kubeconfig (drops the original user now that the context uses the token user)
kubectl config --kubeconfig ${KUBECONFIG_FILE}.tmp \
  view --flatten --minify > ${KUBECONFIG_FILE}
# Remove tmp
rm ${KUBECONFIG_FILE}.full.tmp
rm ${KUBECONFIG_FILE}.tmp
```
- Start the script.

```shell
bash ./create_sa_kubeconfig.sh
```
- Use the resulting `kubeconfig-serviceaccount.yaml` file to create a Kubernetes credential.
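Before handing the generated file to a monitoring tool, it is worth confirming that it really is a token-only, single-context kubeconfig for the intended service account and that nothing from the operator's own kubeconfig (client certificates, exec plugins, a disabled TLS check) survived the flatten/minify steps. The following check is an added example and not part of the Zenoss procedure; it assumes you first convert the generated file to JSON with `kubectl config view --kubeconfig kubeconfig-serviceaccount --raw -o json`, and the file name `check_sa_kubeconfig.py`, the sample kubeconfig and the unsigned sample token are constructed for illustration.

```python
"""Check a service-account kubeconfig before handing it to a monitoring tool.

Constructed example, not part of the documented procedure. It expects the JSON
form of the generated file:

    kubectl config view --kubeconfig kubeconfig-serviceaccount --raw -o json \
        > kubeconfig-serviceaccount.json
    python3 check_sa_kubeconfig.py kubeconfig-serviceaccount.json
"""
import base64
import json
import sys

EXPECTED_NAMESPACE = "default"
EXPECTED_ACCOUNT = "zenoss-app"

# Keys that mean the user entry still carries credentials from the source kubeconfig.
FOREIGN_CREDENTIAL_KEYS = ("client-certificate-data", "client-key-data", "client-certificate",
                           "client-key", "exec", "auth-provider", "username", "password")


def jwt_payload(token):
    """Decode a JWT payload WITHOUT verifying the signature: this shows what the
    token claims, nothing more; only the API server can say whether it is valid."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token is not a three-part JWT")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(padded))


def check_kubeconfig(cfg, namespace=EXPECTED_NAMESPACE, account=EXPECTED_ACCOUNT):
    """Return a list of problems; an empty list means the file passes every check."""
    problems = []
    if any(len(cfg.get(k, [])) != 1 for k in ("clusters", "contexts", "users")):
        return ["expected exactly one cluster, one context and one user (was --minify applied?)"]
    cluster = cfg["clusters"][0]["cluster"]
    context = cfg["contexts"][0]
    user_name, user = cfg["users"][0]["name"], cfg["users"][0]["user"]

    if cfg.get("current-context") != context["name"]:
        problems.append("current-context does not name the only context")
    if context["context"].get("user") != user_name:
        problems.append("context does not use the only user entry")
    if context["context"].get("namespace") != namespace:
        problems.append("context namespace is %r, expected %r"
                        % (context["context"].get("namespace"), namespace))

    # Cluster side: the CA must be embedded and TLS verification must stay on.
    if cluster.get("insecure-skip-tls-verify"):
        problems.append("cluster sets insecure-skip-tls-verify")
    if not cluster.get("certificate-authority-data"):
        problems.append("cluster lacks embedded certificate-authority-data (was --flatten applied?)")

    # User side: a bearer token and nothing else.
    for key in FOREIGN_CREDENTIAL_KEYS:
        if key in user:
            problems.append("user entry carries %s, which does not belong in a token-only kubeconfig" % key)
    token = user.get("token", "")
    if not token:
        problems.append("user has no token (an empty .secrets[0].name on Kubernetes 1.24+ ends up here)")
        return problems
    try:
        sub = jwt_payload(token).get("sub", "")
    except ValueError as exc:  # covers malformed base64 and malformed JSON alike
        problems.append("token is not a decodable JWT: %s" % exc)
        return problems
    expected = "system:serviceaccount:%s:%s" % (namespace, account)
    if sub != expected:
        problems.append("token subject is %r, expected %r" % (sub, expected))
    return problems


def fake_jwt(claims):
    """Constructed, unsigned JWT for the sample below; real tokens are signed by the cluster."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return "%s.%s.%s" % (b64({"alg": "none"}), b64(claims), "unsigned")


def sample_kubeconfig(sub, leak_admin=False):
    """Constructed kubeconfig in the JSON shape kubectl emits; sub=None yields an empty token."""
    user = {"token": fake_jwt({"sub": sub}) if sub else ""}
    if leak_admin:
        user["client-certificate-data"] = "PLACEHOLDER-CERT"  # stands in for leaked admin material
    return {
        "apiVersion": "v1", "kind": "Config", "current-context": "default",
        "clusters": [{"name": "target", "cluster": {"server": "https://10.0.0.1:6443",
                                                     "certificate-authority-data": "PLACEHOLDER-CA"}}],
        "contexts": [{"name": "default", "context": {"cluster": "target", "user": "sa-token-user",
                                                      "namespace": "default"}}],
        "users": [{"name": "sa-token-user", "user": user}],
    }


if __name__ == "__main__":
    with open(sys.argv[1]) as fh:
        found = check_kubeconfig(json.load(fh))
    for line in found:
        print("PROBLEM:", line)
    sys.exit(1 if found else 0)
```

The subject check is the useful one: the script above never states which identity the token belongs to, and a wrong `sub` means the binding you just created does not apply to the credential you are about to distribute. The empty-token check matters on clusters running Kubernetes 1.24 or later, where service accounts no longer get an auto-generated token secret, so `.secrets[0].name` comes back empty.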