This article is meant to be a guide in setting up a multi-user namespace scoped kubernetes cluster.
Kubernetes, also known as K8s, is an open-source system for automating deployment, scaling, and management of containerized applications.
While kubernetes does not have a notion of users, it has what are called service accounts. These are accounts which define the scope of the role(s) or operations which can be performed on different kubernetes resources. A service account provides an identity for processes that run in a Pod.
Before you can access the kubernetes API Service, a service account with the necessary roles is required.
This article assumes that you already have a roles and namespaces already set. You can ignore the namespace if you don't want to scope the service account to a namespace.
To create a service account,
apiVersion: v1
kind: ServiceAccount
metadata:
namespace: devspace
name: arthur
Aside from the above, you also need to create a secret before getting the token to use with your service accounts as follows:
kubectl apply -f - <<EOF
apiVersion: v1
kind: Secret
metadata:
namespace: devspace
name: auth-secret
annotations:
kubernetes.io/service-account.name: arthur
type: kubernetes.io/service-account-token
EOF
With the service and tokens created, we can proceed to creating a kubeconfig file, (used to authenticate operations sent to the API service).
The kubeconfig file is a yaml file that can be created by replacing the bash file below with your own values.
Create a bash script file and give a name, e.g kubeconfig.sh, make it executable
chmod +x ./kubeconfig.sh
and finally add the content below to the file. Make any changes to suit your needs.
#!/usr/bin/env sh
# The script returns a kubeconfig for the ServiceAccount given
# you need to have kubectl on PATH with the context set to the cluster you want to create the config for
# Cosmetics for the created config
clusterName='SwiftCloudCluster'
# your server address goes here get it via `kubectl cluster-info`
server='https://kube-master:6443'
# the Namespace and ServiceAccount name that is used for the config
namespace='devspace'
serviceAccount='arthur'
# The following automation does not work from Kubernetes 1.24 and up.
# You need to
# define a Secret, reference the ServiceAccount there and set the secretName as described in the [article](dev.to/arthurkay)!
# See https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#manually-create-a-long-lived-api-token-for-a-serviceaccount for details
#secretName=$(kubectl --namespace="$namespace" get serviceAccount "$serviceAccount" -o=jsonpath='{.secrets[0].name}')
# For kubernetes v1.24 and above, use:
secretName="arthur-secret"
######################
# actual script starts
set -o errexit
ca=$(kubectl --namespace="$namespace" get secret/"$secretName" -o=jsonpath='{.data.ca\.crt}')
token=$(kubectl --namespace="$namespace" get secret/"$secretName" -o=jsonpath='{.data.token}' | base64 --decode)
echo "
---
apiVersion: v1
kind: Config
clusters:
- name: ${clusterName}
cluster:
certificate-authority-data: ${ca}
server: ${server}
contexts:
- name: ${serviceAccount}@${clusterName}
context:
cluster: ${clusterName}
namespace: ${namespace}
user: ${serviceAccount}
users:
- name: ${serviceAccount}
user:
token: ${token}
current-context: ${serviceAccount}@${clusterName}
"
To create the actual kubeconfig file, you need to execute the created bash script and pipe the result to a yaml file.
./kubeconfig.sh >> kubeconfig
This creates a file kubeconfig that can be used for authenticating with your kubernetes cluster.
Top comments (0)