Kubernetes kubeconfig scoped to a namespace

This article is a guide to setting up a multi-user, namespace-scoped Kubernetes cluster: each user gets a kubeconfig whose credentials are only valid inside one namespace.

Kubernetes, also known as K8s, is an open-source system for automating deployment, scaling, and management of containerized applications.

Kubernetes has no user objects of its own, but it does have service accounts. A service account is an identity to which roles (sets of permitted operations on Kubernetes resources) can be bound, and it normally provides the identity for processes that run in a Pod.

Before you can access the Kubernetes API server, you need a service account with the necessary roles bound to it.
This article assumes that your roles and namespaces are already set up. You can leave out the namespace if you don't want to scope the service account to one.

To create the service account, apply the following manifest:

apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: devspace
  name: arthur

Aside from the above, you also need to create a Secret of type kubernetes.io/service-account-token before you can get a token for the service account (since Kubernetes 1.24 such Secrets are no longer created automatically). The annotation ties the Secret to the service account, and the control plane then populates it with a token and the cluster CA certificate:

kubectl apply -f - <<EOF
apiVersion: v1
kind: Secret
metadata:
  namespace: devspace
  name: auth-secret
  annotations:
    kubernetes.io/service-account.name: arthur
type: kubernetes.io/service-account-token
EOF

With the service account and its token Secret created, we can proceed to creating a kubeconfig file, which is what kubectl uses to authenticate the requests it sends to the API server.

The kubeconfig is a YAML file; the shell script below generates it from the Secret. Create a script file, give it a name, and make it executable:

chmod +x ./

Then add the content below to the file and replace the values at the top with your own.

#!/usr/bin/env sh

# The script prints a kubeconfig for the given ServiceAccount.
# You need kubectl on PATH with the current context set to the cluster
# you want to create the config for.

# Cosmetics for the created config (placeholder: use your own cluster name)
clusterName=my-cluster
# Your server address goes here; get it via `kubectl cluster-info`
# (placeholder value)
server=https://kubernetes.example.com:6443
# The Namespace and ServiceAccount name that are used for the config
namespace=devspace
serviceAccount=arthur

# The following automation does not work from Kubernetes 1.24 and up,
# because token Secrets are no longer created automatically. You need to
# define a Secret, reference the ServiceAccount in its annotation, and set
# secretName to that Secret's name, as described above.
#secretName=$(kubectl --namespace="$namespace" get serviceAccount "$serviceAccount" -o=jsonpath='{.secrets[0].name}')

# For Kubernetes v1.24 and above, use the Secret created earlier:
secretName=auth-secret

# Actual script starts here
set -o errexit

# ca.crt is stored base64-encoded in the Secret, which is exactly the form
# certificate-authority-data expects, so it is NOT decoded.
ca=$(kubectl --namespace="$namespace" get secret/"$secretName" -o=jsonpath='{.data.ca\.crt}')
# The token is used as a raw bearer token, so it IS decoded.
token=$(kubectl --namespace="$namespace" get secret/"$secretName" -o=jsonpath='{.data.token}' | base64 --decode)

echo "
apiVersion: v1
kind: Config
clusters:
  - name: ${clusterName}
    cluster:
      certificate-authority-data: ${ca}
      server: ${server}
contexts:
  - name: ${serviceAccount}@${clusterName}
    context:
      cluster: ${clusterName}
      namespace: ${namespace}
      user: ${serviceAccount}
users:
  - name: ${serviceAccount}
    user:
      token: ${token}
current-context: ${serviceAccount}@${clusterName}
"

To create the actual kubeconfig file, execute the script and redirect its output to a file:

./ > kubeconfig

This creates a file named kubeconfig that can be used for authenticating with your Kubernetes cluster, for example with `kubectl --kubeconfig ./kubeconfig get pods`. Treat the file as a credential: it embeds a long-lived bearer token for the service account, and anyone holding the file has whatever access the roles bound to that account grant inside the namespace.
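The following is an added example, not code from the original post. It reproduces the script's logic in Python so the two encoding details can be checked offline: the CA certificate is copied into certificate-authority-data still base64-encoded, while the token is base64-decoded. It also adds the check a practitioner wants before handing the file to a user: the token's subject claim must name the expected service account in the expected namespace. The Secret is a constructed sample shaped like the output of `kubectl -n devspace get secret auth-secret -o json`; the names devspace, arthur and auth-secret come from the post, and the cluster name, server URL, CA bytes and token are placeholders. The token is an unsigned JWT-shaped string built for the sample; only the API server can verify a real token's signature.

```python
"""Build and sanity-check a namespace-scoped kubeconfig from a token Secret."""
import base64
import json


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()


def _fake_jwt(claims: dict) -> bytes:
    """Unsigned, JWT-shaped token (header.payload.signature) for the sample only."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=")
    return enc({"alg": "RS256", "kid": "placeholder"}) + b"." + enc(claims) + b".fakesig"


# Constructed sample Secret; every value is fake.
SAMPLE_SECRET = {
    "apiVersion": "v1",
    "kind": "Secret",
    "metadata": {
        "name": "auth-secret",
        "namespace": "devspace",
        "annotations": {"kubernetes.io/service-account.name": "arthur"},
    },
    "type": "kubernetes.io/service-account-token",
    "data": {
        "ca.crt": _b64(b"-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"),
        "namespace": _b64(b"devspace"),
        "token": _b64(_fake_jwt({
            "iss": "kubernetes/serviceaccount",
            "kubernetes.io/serviceaccount/namespace": "devspace",
            "kubernetes.io/serviceaccount/service-account.name": "arthur",
            "sub": "system:serviceaccount:devspace:arthur",
        })),
    },
}


def token_claims(token: str) -> dict:
    """Decode the JWT payload without verifying the signature.

    This is only a local sanity check of which identity is being bundled;
    it proves nothing about the token's validity.
    """
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def build_kubeconfig(secret: dict, cluster_name: str, server: str,
                     namespace: str, service_account: str) -> dict:
    """Same structure the post's script emits, plus consistency checks."""
    if secret.get("type") != "kubernetes.io/service-account-token":
        raise ValueError("Secret is not a service-account-token Secret")
    annotated = secret["metadata"].get("annotations", {}).get(
        "kubernetes.io/service-account.name")
    if annotated != service_account:
        raise ValueError(f"Secret is bound to {annotated!r}, not {service_account!r}")

    data = secret["data"]
    ca = data["ca.crt"]  # stays base64: that is what certificate-authority-data expects
    token = base64.b64decode(data["token"]).decode()  # bearer token is used raw

    expected_sub = f"system:serviceaccount:{namespace}:{service_account}"
    if token_claims(token).get("sub") != expected_sub:
        raise ValueError(f"token subject is not {expected_sub}")

    context = f"{service_account}@{cluster_name}"
    return {
        "apiVersion": "v1",
        "kind": "Config",
        "clusters": [{"name": cluster_name,
                      "cluster": {"certificate-authority-data": ca, "server": server}}],
        "contexts": [{"name": context,
                      "context": {"cluster": cluster_name, "namespace": namespace,
                                  "user": service_account}}],
        "users": [{"name": service_account, "user": {"token": token}}],
        "current-context": context,
    }


def kubeconfig_text(cfg: dict) -> str:
    """Serialize as JSON; JSON is valid YAML, so kubectl reads it as a kubeconfig."""
    return json.dumps(cfg, indent=2)


if __name__ == "__main__":
    cfg = build_kubeconfig(SAMPLE_SECRET, "my-cluster",
                           "https://kubernetes.example.com:6443", "devspace", "arthur")
    print(kubeconfig_text(cfg))
```

The namespace in the context only sets kubectl's default for that kubeconfig; the real boundary is the RoleBinding in that namespace, which is why the subject check compares both the namespace and the account name before the file is handed out.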
