Generating Service Accounts and Kubeconfigs

This page provide a short example for creating Kubernetes based service accounts.

Different Types of Kubernetes Access

Kubernetes clusters support the creation of service accounts, each of which should have a limited set of permissions (which is defined as a role) applied to it - ensuring the service account only has enough permissions to perform the desired tasks on the cluster.

Many cloud provides offer advanced methods for managing RBAC in their managed Kubernetes platforms. Additionally, Kubernetes platform engineering teams often have methods and procedures for provisioning service accounts. Both must be taken into consideration prior to manually creating any service account for your cluster.

This guide provides the steps necessary to manually create a service account in a Kubernetes cluster - however, the following links may prove useful if your Kubernetes cluster leverages cloud provider based IAM.

• Create IAM policies (GKE)

This document does not provide an in-depth explanation of Kubernetes service accounts. For more details please review the Kubernetes documentation.

Service Account Creation

The following steps are required to complete this task:

• Login, make sure you are on your desired context
• Set some initial variables
• Create the Service Account, Token, and Roles/ClusterRole Bindings

It’s important to determine whether the Service Account will only have access to the resources in a specific Kubernetes namespace (Namespace Scoped), or whether it will have access to entire cluster level resources and multiple namespaces (Cluster Scoped).

All content between square brackets [] must be customized for your environment.

1. Login how you normally would, but make sure you’re on the desired kubeconfig context:

kubectl config use-context [my-context]

2. Set the initial variables:

# Set the context variable
export contextName=$(kubectl config current-context)

# Set the name of the cluster as you want it show up in the kubeconfig
export clusterName=[my-awesome-cluster]

# Set the namespace where you would like the service account to be created
# The namespace must already exist
export namespace=[my-awesome-namespace]

# Set the service account name
export serviceAccount=[my-sa]

# Set a filename for the new kubeconfig
export newFile=[my-sa.kubeconfig]

3. Create the Service Account and Token Secret

kubectl apply -f << EOF -
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ${serviceAccount}
  namespace: ${namespace}
---
apiVersion: v1
kind: Secret
metadata:
  name: ${serviceAccount}-token
  namespace: ${namespace}
  annotations:
    kubernetes.io/service-account.name: ${serviceAccount}
type: kubernetes.io/service-account-token
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ${serviceAccount}-crb
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: view
subjects:
  - kind: ServiceAccount
    name: ${serviceAccount}
    namespace: ${namespace}
EOF

Kubeconfig Creation

This next step builds on the previous one to generate the kubeconfig from the recently created Service Account:

1. Generate the kubeconfig

server=$(kubectl config view --minify --raw -o jsonpath='{.clusters[].cluster.server}' | sed 's/\"//')
ca=$(kubectl --namespace $namespace get secret/${serviceAccount}-token -o jsonpath='{.data.ca\.crt}')
token=$(kubectl --namespace $namespace get secret/${serviceAccount}-token -o jsonpath='{.data.token}' | base64 --decode)
echo "
---
apiVersion: v1
kind: Config
clusters:
  - name: ${clusterName}
    cluster:
      certificate-authority-data: ${ca}
      server: ${server}
contexts:
  - name: ${contextName}
    context:
      cluster: ${clusterName}
      namespace: ${namespace}
      user: ${serviceAccount}
users:
  - name: ${serviceAccount}
    user:
      token: ${token}
current-context: ${contextName}
" >> ${newFile}

2. Test it out:

KUBECONFIG=${newFile} kubectl get pods

Customizing Roles

The examples above provided fairly basic roles. Additional roles can be created and bound as needed. The following examples may prove helpful:

kubectl apply -f << EOF -
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ${serviceAccount}-advanced-view
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["pods", "pods/log", "events", "configmaps", "services", "replicationcontrollers"]
  verbs: ["get", "watch", "list"]
- apiGroups: ["batch"]
  resources: ["*"]
  verbs: ["get", "watch", "list"]
- apiGroups: ["apps"]
  resources: ["*"]
  verbs: ["get", "watch", "list"]
- apiGroups: ["autoscaling"]
  resources: ["*"]
  verbs: ["get", "watch", "list"]
- apiGroups: ["metrics.k8s.io"]
  resources: ["*"]
  verbs: ["get", "watch", "list"]
- apiGroups: ["apiextensions.k8s.io"]
  resources: ["customresourcedefinitions"]
  verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ${serviceAccount}-advanced-crb
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ${serviceAccount}-advanced-view
subjects:
  - kind: ServiceAccount
    name: ${serviceAccount}
    namespace: ${namespace}
EOF

Did you find your way here from the RunWhen Local docs? Jump back

Resources

The following resources may prove useful when digging further into Kubernetes RBAC topics:

• https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/
• https://veducate.co.uk/creating-a-kubeconfig-file-for-a-kubernetes-service-account/
• https://www.strongdm.com/blog/kubernetes-rbac-role-based-access-control
• https://stackoverflow.com/questions/47770676/how-to-create-a-kubectl-config-file-for-serviceaccount