
Generating Service Accounts and Kubeconfigs

This page provides a short example of creating Kubernetes-based service accounts.

Different Types of Kubernetes Access

Kubernetes clusters support the creation of service accounts, each of which should have a limited set of permissions (defined as a role) applied to it, ensuring the service account has only enough permissions to perform the desired tasks on the cluster.

Many cloud providers offer advanced methods for managing RBAC in their managed Kubernetes platforms. Additionally, Kubernetes platform engineering teams often have methods and procedures for provisioning service accounts. Both must be taken into consideration before manually creating any service account for your cluster.

This guide provides the steps necessary to manually create a service account in a Kubernetes cluster; however, the following links may prove useful if your Kubernetes cluster leverages cloud-provider-based IAM:

  • Google Cloud Platform (GKE)

  • Amazon Web Services (EKS)

  • Microsoft Azure (AKS)

This document does not provide an in-depth explanation of Kubernetes service accounts. For more details please review the Kubernetes documentation.

Service Account Creation

The following steps are required to complete this task:

  • Log in and make sure you are on the desired context

  • Set some initial variables

  • Create the Service Account, Token, and Roles/ClusterRole Bindings

It's important to determine whether the Service Account will only have access to the resources in a specific Kubernetes namespace (Namespace Scoped), or whether it will have access to entire cluster level resources and multiple namespaces (Cluster Scoped).

All content between square brackets [] must be customized for your environment.

  1. Log in how you normally would, but make sure you're on the desired kubeconfig context:

kubectl config use-context [my-context]

  2. Set the initial variables:

# Set the context variable
export contextName=$(kubectl config current-context)

# Set the name of the cluster as you want it to show up in the kubeconfig
export clusterName=[my-awesome-cluster]

# Set the namespace where you would like the service account to be created
# The namespace must already exist
export namespace=[my-awesome-namespace]

# Set the service account name
export serviceAccount=[my-sa]

# Set a filename for the new kubeconfig
export newFile=[my-sa.kubeconfig]
  3. Create the Service Account, its token Secret, and the role binding.

Cluster Scoped Service Account (the original page also offers a Namespace Scoped Service Account tab, whose content is not reproduced here):

kubectl apply -f - <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ${serviceAccount}
  namespace: ${namespace}
---
# Long-lived token Secret; Kubernetes fills in .data.token and .data.ca.crt
# once the Secret is created with this annotation and type
apiVersion: v1
kind: Secret
metadata:
  name: ${serviceAccount}-token
  namespace: ${namespace}
  annotations:
    kubernetes.io/service-account.name: ${serviceAccount}
type: kubernetes.io/service-account-token
---
# Binds the built-in read-only "view" ClusterRole to the service account
# across every namespace in the cluster
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ${serviceAccount}-crb
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: view
subjects:
  - kind: ServiceAccount
    name: ${serviceAccount}
    namespace: ${namespace}
EOF
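The step above binds the service account cluster-wide. The following is an added example, not code from the original page or from RunWhen: it renders the namespace-scoped counterpart (a Role plus a RoleBinding, which grants nothing outside the namespace the binding lives in), lints the rendered role for verbs that would take a "viewer" beyond read-only, and checks the effective permissions against a live cluster with `kubectl auth can-i --as`. The function names and the Role's rule set are assumptions of this example; `$namespace` and `$serviceAccount` are the variables set in step 2.

```shell
#!/bin/sh
# Added example, not part of the original page: the namespace-scoped counterpart of the
# ClusterRoleBinding above, a read-only lint, and a live permission check.
# Function names and the Role's rule set are this example's own choices.

# Print a read-only Role confined to one namespace and a RoleBinding that attaches it to
# the service account. Unlike a ClusterRoleBinding, a RoleBinding grants nothing outside
# the namespace it lives in.
render_namespace_scoped_rbac() {
  r_ns="$1"; r_sa="$2"
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ${r_sa}-view
  namespace: ${r_ns}
rules:
  - apiGroups: [""]
    resources: ["pods", "pods/log", "services", "configmaps", "events"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["apps"]
    resources: ["deployments", "replicasets", "statefulsets", "daemonsets"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["batch"]
    resources: ["jobs", "cronjobs"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ${r_sa}-rb
  namespace: ${r_ns}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ${r_sa}-view
subjects:
  - kind: ServiceAccount
    name: ${r_sa}
    namespace: ${r_ns}
EOF
}

# Scan only the "verbs:" lines of a manifest and print any verb that would take a viewer
# beyond read-only, including the "*" wildcard. Prints nothing when the manifest is clean.
forbidden_verbs_in() {
  printf '%s\n' "$1" \
    | grep 'verbs:' \
    | grep -oE '"(create|update|patch|delete|deletecollection|escalate|bind|impersonate|\*)"' \
    | LC_ALL=C sort -u | tr -d '"' | tr '\n' ' '
}

# Ask the API server what the service account can actually do, via impersonation (the
# caller needs the "impersonate" verb, which cluster-admin has). Expect "yes" for listing
# pods in its own namespace and "no" for creating pods or reading another namespace.
# Needs kubectl and a cluster; `kubectl auth can-i` exits non-zero when the answer is "no".
verify_scope() {
  v_ns="$1"; v_sa="$2"; v_other="${3:-kube-system}"
  subj="system:serviceaccount:${v_ns}:${v_sa}"
  kubectl auth can-i list pods --namespace "$v_ns" --as "$subj" >/dev/null \
    || { echo "FAIL: $subj cannot list pods in $v_ns" >&2; return 1; }
  if kubectl auth can-i create pods --namespace "$v_ns" --as "$subj" >/dev/null 2>&1; then
    echo "FAIL: $subj can create pods in $v_ns" >&2; return 1
  fi
  if kubectl auth can-i list pods --namespace "$v_other" --as "$subj" >/dev/null 2>&1; then
    echo "FAIL: $subj can list pods in $v_other (binding is not namespace-scoped)" >&2; return 1
  fi
  echo "OK: $subj is read-only and confined to $v_ns"
}

# Usage against a real cluster, after exporting the variables from step 2:
#   manifest=$(render_namespace_scoped_rbac "$namespace" "$serviceAccount")
#   [ -z "$(forbidden_verbs_in "$manifest")" ] && printf '%s\n' "$manifest" | kubectl apply -f -
#   verify_scope "$namespace" "$serviceAccount"
```

The lint deliberately looks only at `verbs:` lines, so a wildcard in `resources:` does not trip it; the live check is what proves the binding is confined, because a RoleBinding that references a ClusterRole (or a stray ClusterRoleBinding left over from the step above) would pass the manifest lint but fail the cross-namespace test.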

Kubeconfig Creation

This next step builds on the previous one to generate a kubeconfig for the newly created Service Account. The resulting file embeds the account's bearer token, so treat it as a credential:

  1. Generate the kubeconfig:

# API server URL of the current context
server=$(kubectl config view --minify --raw -o jsonpath='{.clusters[0].cluster.server}')

# Cluster CA, left base64-encoded because certificate-authority-data expects base64
ca=$(kubectl --namespace $namespace get secret/${serviceAccount}-token -o jsonpath='{.data.ca\.crt}')

# Bearer token, decoded because the kubeconfig "token" field takes the plain value
token=$(kubectl --namespace $namespace get secret/${serviceAccount}-token -o jsonpath='{.data.token}' | base64 --decode)

# Write the kubeconfig (overwriting, not appending, so a re-run does not produce a file with two documents)
echo "
apiVersion: v1
kind: Config
clusters:
  - name: ${clusterName}
    cluster:
      certificate-authority-data: ${ca}
      server: ${server}
contexts:
  - name: ${contextName}
    context:
      cluster: ${clusterName}
      namespace: ${namespace}
      user: ${serviceAccount}
users:
  - name: ${serviceAccount}
    user:
      token: ${token}
current-context: ${contextName}
" > ${newFile}

  2. Test it out:

KUBECONFIG=${newFile} kubectl get pods
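The kubeconfig step above writes a bearer token to disk with whatever permissions the shell's umask happens to give it. The following is an added example, not code from the original page or from RunWhen: it rewrites that step as a function that takes the values the page gathers with kubectl as arguments (so it can be exercised without a cluster), overwrites rather than appends, creates the file owner-only from the moment it exists, and then verifies the file before it is handed to anyone. The function names and the checks are assumptions of this example; the variable names in the usage comment are the ones set earlier on this page.

```shell
#!/bin/sh
# Added example, not part of the original page: the kubeconfig step as two functions,
# one that writes the file safely and one that checks it. Function names and checks are
# this example's own choices.

# write_sa_kubeconfig FILE CLUSTER CONTEXT NAMESPACE SA SERVER CA_BASE64 TOKEN
write_sa_kubeconfig() {
  out="$1"; cluster="$2"; ctx="$3"; ns="$4"; sa="$5"; server="$6"; ca_b64="$7"; token="$8"
  # An empty token or CA usually means the Secret has not been populated yet; refuse
  # rather than emit a kubeconfig that fails with an opaque error later.
  if [ -z "$token" ] || [ -z "$ca_b64" ]; then
    echo "refusing to write $out: empty token or CA data" >&2
    return 1
  fi
  # Remove any existing file (or symlink) and recreate it under umask 077 so it is
  # owner-only from the moment it exists; there is no window with a wider mode.
  old_umask=$(umask)
  umask 077
  rm -f "$out"
  cat > "$out" <<EOF
apiVersion: v1
kind: Config
clusters:
  - name: ${cluster}
    cluster:
      certificate-authority-data: ${ca_b64}
      server: ${server}
contexts:
  - name: ${ctx}
    context:
      cluster: ${cluster}
      namespace: ${ns}
      user: ${sa}
users:
  - name: ${sa}
    user:
      token: ${token}
current-context: ${ctx}
EOF
  umask "$old_umask"
}

# check_sa_kubeconfig FILE: succeed only when the file is mode 0600, has the fields kubectl
# needs (each with a non-empty value), and its CA data decodes to a PEM certificate.
check_sa_kubeconfig() {
  f="$1"
  [ -n "$(find "$f" -perm 600 -print 2>/dev/null)" ] \
    || { echo "$f is not mode 0600" >&2; return 1; }
  for key in 'certificate-authority-data: ' 'server: https://' 'token: ' 'current-context: '; do
    grep -q "^ *${key}[^ ]" "$f" \
      || { echo "$f lacks a value for '${key}'" >&2; return 1; }
  done
  grep '^ *certificate-authority-data: ' "$f" | awk '{print $2}' | base64 --decode 2>/dev/null \
    | grep -q 'BEGIN CERTIFICATE' \
    || { echo "$f: certificate-authority-data is not a base64 PEM certificate" >&2; return 1; }
}

# Usage after the variables and lookups from the steps above:
#   write_sa_kubeconfig "$newFile" "$clusterName" "$contextName" "$namespace" "$serviceAccount" "$server" "$ca" "$token"
#   check_sa_kubeconfig "$newFile" && KUBECONFIG=$newFile kubectl get pods
```

Deleting and recreating the file under a restrictive umask (rather than writing and then running chmod) avoids a short window in which a newly created kubeconfig is world-readable, and also means a pre-existing symlink at that path is replaced rather than followed.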

Customizing Roles

The examples above provided fairly basic roles. Additional roles can be created and bound as needed. The following examples may prove helpful:

Cluster Scoped Advanced Viewer Role (the original page also offers a Namespace Scoped Advanced Viewer Role tab, whose content is not reproduced here):

kubectl apply -f - <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ${serviceAccount}-advanced-view
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["pods", "pods/log", "events", "configmaps", "services", "replicationcontrollers"]
  verbs: ["get", "watch", "list"]
- apiGroups: ["batch"]
  resources: ["*"]
  verbs: ["get", "watch", "list"]
- apiGroups: ["apps"]
  resources: ["*"]
  verbs: ["get", "watch", "list"]
- apiGroups: ["autoscaling"]
  resources: ["*"]
  verbs: ["get", "watch", "list"]
- apiGroups: ["metrics.k8s.io"]
  resources: ["*"]
  verbs: ["get", "watch", "list"]
- apiGroups: ["apiextensions.k8s.io"]
  resources: ["customresourcedefinitions"]
  verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ${serviceAccount}-advanced-crb
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ${serviceAccount}-advanced-view
subjects:
  - kind: ServiceAccount
    name: ${serviceAccount}
    namespace: ${namespace}
EOF


Resources

The following resources may prove useful when digging further into Kubernetes RBAC topics:
