Generating Service Accounts and Kubeconfigs
This page provides a short example of creating Kubernetes service accounts and generating a kubeconfig for them.
Different Types of Kubernetes Access
Kubernetes clusters support the creation of service accounts, each of which should have a limited set of permissions (defined as a role) applied to it, ensuring the service account has only enough permissions to perform the desired tasks on the cluster.
Many cloud providers offer advanced methods for managing RBAC in their managed Kubernetes platforms. Additionally, Kubernetes platform engineering teams often have methods and procedures for provisioning service accounts. Both must be taken into consideration before manually creating any service account for your cluster.
This guide provides the steps necessary to manually create a service account in a Kubernetes cluster. The following links may prove useful if your Kubernetes cluster leverages cloud provider based IAM:
Google Cloud Platform (GKE)
Amazon Web Services (EKS)
Microsoft Azure (AKS)
This document does not provide an in-depth explanation of Kubernetes service accounts. For more details please review the Kubernetes documentation.
Service Account Creation
The following steps are required to complete this task:
Log in and make sure you are on the desired context
Set some initial variables
Create the Service Account, Token, and Role/ClusterRole Bindings
It's important to determine whether the Service Account will only have access to the resources in a specific Kubernetes namespace (Namespace Scoped), or whether it will have access to cluster level resources and multiple namespaces (Cluster Scoped).
All content between square brackets [] must be customized for your environment.
Log in how you normally would, but make sure you're on the desired kubeconfig context:
kubectl config use-context [my-context]
Set the initial variables:
# Set the context variable
export contextName=$(kubectl config current-context)
# Set the name of the cluster as you want it show up in the kubeconfig
export clusterName=[my-awesome-cluster]
# Set the namespace where you would like the service account to be created
# The namespace must already exist
export namespace=[my-awesome-namespace]
# Set the service account name
export serviceAccount=[my-sa]
# Set a filename for the new kubeconfig
export newFile=[my-sa.kubeconfig]
Create the Service Account and Token Secret
Cluster Scoped Service Account (shown below, bound to the built-in view ClusterRole across the whole cluster). A Namespace Scoped Service Account instead uses a RoleBinding inside the namespace, so the same ClusterRole applies only there.
kubectl apply -f - << EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ${serviceAccount}
  namespace: ${namespace}
---
apiVersion: v1
kind: Secret
metadata:
  name: ${serviceAccount}-token
  namespace: ${namespace}
  annotations:
    kubernetes.io/service-account.name: ${serviceAccount}
type: kubernetes.io/service-account-token
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ${serviceAccount}-crb
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: view
subjects:
- kind: ServiceAccount
  name: ${serviceAccount}
  namespace: ${namespace}
EOF
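The manifest above is the cluster-scoped variant; the namespace-scoped one differs only in the binding. As an added example (not the page's own script), the function below emits either variant as text so the grant can be reviewed, or diffed in a change request, before it is piped into kubectl apply -f -. The function names, the default of the built-in view ClusterRole, and the sample names are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example, not the page's own code: emit the ServiceAccount, its token
# Secret and the binding for a given scope. Review the output, then run
#   sa_manifest namespace my-sa dev | kubectl apply -f -

# sa_manifest SCOPE SA NAMESPACE [CLUSTERROLE]
#   cluster   -> ClusterRoleBinding: CLUSTERROLE applies in every namespace
#   namespace -> RoleBinding in NAMESPACE: the same ClusterRole (default: view)
#                is granted only inside that namespace (least privilege)
sa_manifest() {
  local scope=$1 sa=$2 ns=$3 role=${4:-view}
  local binding_kind binding_name binding_ns
  case "$scope" in
    cluster)   binding_kind=ClusterRoleBinding; binding_name="${sa}-crb"; binding_ns="" ;;
    namespace) binding_kind=RoleBinding;        binding_name="${sa}-rb";  binding_ns="  namespace: ${ns}" ;;
    *) echo "sa_manifest: scope must be 'cluster' or 'namespace'" >&2; return 1 ;;
  esac
  cat <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ${sa}
  namespace: ${ns}
---
apiVersion: v1
kind: Secret
metadata:
  name: ${sa}-token
  namespace: ${ns}
  annotations:
    kubernetes.io/service-account.name: ${sa}
type: kubernetes.io/service-account-token
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ${binding_kind}
metadata:
  name: ${binding_name}
${binding_ns}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ${role}
subjects:
- kind: ServiceAccount
  name: ${sa}
  namespace: ${ns}
EOF
}

# cluster_wide_binding: reads a manifest on stdin and succeeds only if it
# contains a ClusterRoleBinding, i.e. the grant is not confined to a namespace.
# Useful as a guard in CI for accounts that are meant to be namespace scoped.
cluster_wide_binding() {
  grep -q '^kind: ClusterRoleBinding$'
}

# Demo with constructed names (not a real cluster): print the namespace-scoped
# manifest and report whether it binds cluster-wide.
sa_manifest namespace my-sa dev
if sa_manifest namespace my-sa dev | cluster_wide_binding; then
  echo "WARNING: cluster-wide grant" >&2
else
  echo "ok: grant is confined to namespace dev" >&2
fi
```

The empty line that appears in the ClusterRoleBinding metadata when the scope is cluster is harmless to YAML parsers; it is where the RoleBinding variant places its namespace field.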
Kubeconfig Creation
This next step builds on the previous one to generate the kubeconfig from the recently created Service Account:
Generate the kubeconfig
# API server address taken from the current (admin) context
server=$(kubectl config view --minify --raw -o jsonpath='{.clusters[].cluster.server}' | sed 's/"//')
# ca.crt is stored base64 encoded, which is what certificate-authority-data expects;
# the token is also base64 encoded in the Secret and must be decoded for the kubeconfig.
# The token controller fills both fields shortly after the Secret is created,
# so rerun these two lines if they come back empty.
ca=$(kubectl --namespace $namespace get secret/${serviceAccount}-token -o jsonpath='{.data.ca\.crt}')
token=$(kubectl --namespace $namespace get secret/${serviceAccount}-token -o jsonpath='{.data.token}' | base64 --decode)
# Write (not append) the kubeconfig, so rerunning does not leave a file with two
# Config documents. The file holds a long-lived bearer token; keep its permissions tight.
echo "
---
apiVersion: v1
kind: Config
clusters:
- name: ${clusterName}
  cluster:
    certificate-authority-data: ${ca}
    server: ${server}
contexts:
- name: ${contextName}
  context:
    cluster: ${clusterName}
    namespace: ${namespace}
    user: ${serviceAccount}
users:
- name: ${serviceAccount}
  user:
    token: ${token}
current-context: ${contextName}
" > ${newFile}
Test it out:
KUBECONFIG=${newFile} kubectl get pods
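The kubeconfig written above carries a long-lived bearer token, so it is worth checking what is being written and creating the file with restrictive permissions. The following is an added example (not the page's own code) that builds the kubeconfig as a function and refuses to write it unless the token's subject is the intended service account and the CA data decodes to a PEM certificate. It names the context sa@cluster rather than reusing the admin context name; the function names and the constructed sample token and CA are assumptions of this example and do not come from a real cluster.

```shell
#!/usr/bin/env bash
# Added example, not the page's own code. Typical use after the page's steps:
#   write_kubeconfig "$newFile" "$clusterName" "$server" "$ca" "$token" "$namespace" "$serviceAccount"

# jwt_payload TOKEN: print the decoded JSON payload of a JWT. The segments are
# base64url without padding, so the padding is restored before decoding.
jwt_payload() {
  local seg
  seg=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  while [ $(( ${#seg} % 4 )) -ne 0 ]; do seg="${seg}="; done
  printf '%s' "$seg" | base64 -d
}

# token_matches_sa TOKEN NAMESPACE SA: succeeds when the token subject is exactly
# system:serviceaccount:NAMESPACE:SA, the subject the token controller mints.
token_matches_sa() {
  jwt_payload "$1" | grep -q "\"sub\":\"system:serviceaccount:$2:$3\""
}

# ca_is_pem CA_B64: certificate-authority-data must be base64 of a PEM certificate
ca_is_pem() {
  printf '%s' "$1" | base64 -d 2>/dev/null | grep -q '^-----BEGIN CERTIFICATE-----'
}

# build_kubeconfig CLUSTER SERVER CA_B64 TOKEN NAMESPACE SA: print the kubeconfig
build_kubeconfig() {
  cat <<EOF
apiVersion: v1
kind: Config
clusters:
- name: $1
  cluster:
    certificate-authority-data: $3
    server: $2
contexts:
- name: $6@$1
  context:
    cluster: $1
    namespace: $5
    user: $6
users:
- name: $6
  user:
    token: $4
current-context: $6@$1
EOF
}

# write_kubeconfig FILE CLUSTER SERVER CA_B64 TOKEN NAMESPACE SA
# Validates the inputs, then writes FILE with mode 0600 (umask 077).
write_kubeconfig() {
  local file=$1; shift
  token_matches_sa "$4" "$5" "$6" || { echo "token subject is not $6 in namespace $5" >&2; return 1; }
  ca_is_pem "$3" || { echo "certificate-authority-data is not a PEM certificate" >&2; return 1; }
  ( umask 077 && build_kubeconfig "$@" > "$file" )
}

# --- constructed sample input for a stand-alone run (not from a real cluster) ---
b64url() { base64 | tr '+/' '-_' | tr -d '=\n'; }
SAMPLE_TOKEN="$(printf '%s' '{"alg":"RS256"}' | b64url).$(printf '%s' '{"iss":"kubernetes/serviceaccount","sub":"system:serviceaccount:dev:my-sa"}' | b64url).unsigned"
SAMPLE_CA=$(printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIB' '-----END CERTIFICATE-----' | base64 | tr -d '\n')

# Demo: the constructed token belongs to dev/my-sa, not prod/my-sa
if token_matches_sa "$SAMPLE_TOKEN" dev my-sa; then echo "token subject ok (dev/my-sa)"; fi
if ! token_matches_sa "$SAMPLE_TOKEN" prod my-sa; then echo "token is not for prod/my-sa, refusing"; fi
```

The subject check guards against the classic mix-up of copying a token from the wrong Secret: with the wrong token the file is never written. The umask is set in a subshell so the caller's umask is untouched.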
Customizing Roles
The examples above provided fairly basic roles. Additional roles can be created and bound as needed. The following examples may prove helpful:
Cluster Scoped Advanced Viewer Role (shown below). A Namespace Scoped Advanced Viewer Role uses kind: Role and kind: RoleBinding in the target namespace instead; note that cluster-scoped resources such as customresourcedefinitions cannot be granted by a namespaced Role.
kubectl apply -f - << EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ${serviceAccount}-advanced-view
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["pods", "pods/log", "events", "configmaps", "services", "replicationcontrollers"]
  verbs: ["get", "watch", "list"]
- apiGroups: ["batch"]
  resources: ["*"]
  verbs: ["get", "watch", "list"]
- apiGroups: ["apps"]
  resources: ["*"]
  verbs: ["get", "watch", "list"]
- apiGroups: ["autoscaling"]
  resources: ["*"]
  verbs: ["get", "watch", "list"]
- apiGroups: ["metrics.k8s.io"]
  resources: ["*"]
  verbs: ["get", "watch", "list"]
- apiGroups: ["apiextensions.k8s.io"]
  resources: ["customresourcedefinitions"]
  verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ${serviceAccount}-advanced-crb
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ${serviceAccount}-advanced-view
subjects:
- kind: ServiceAccount
  name: ${serviceAccount}
  namespace: ${namespace}
EOF
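A viewer role is only a viewer role as long as every verbs list stays within get, list and watch; one edited rule with create, delete or "*" silently turns it into something else. As an added example (not the page's own code), the check below extracts the verbs from a Role or ClusterRole manifest in the inline-list style used above and reports any verb outside that read-only set, so the manifest can be linted before kubectl apply. The function names and the two constructed sample manifests are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example, not the page's own code: lint a Role/ClusterRole for write verbs.
# Usage:  role_is_readonly < role.yaml  ||  non_readonly_verbs < role.yaml

# verbs_in_rules: read YAML on stdin and print every verb found in a
# `verbs: [...]` inline list, one per line, quotes and spaces stripped.
verbs_in_rules() {
  sed -n 's/.*verbs:[[:space:]]*\[\(.*\)\].*/\1/p' | tr ',' '\n' | tr -d ' "' | sed '/^$/d'
}

# non_readonly_verbs: print every verb that is not get/list/watch. Empty output
# means read-only. An allow-list is used on purpose: "*", create, update,
# patch, delete, deletecollection, bind, escalate and impersonate all fall out.
non_readonly_verbs() {
  verbs_in_rules | grep -v -x -e get -e list -e watch || true
}

# role_is_readonly: succeed when the manifest on stdin has no write verb.
role_is_readonly() {
  [ -z "$(non_readonly_verbs)" ]
}

# --- constructed sample manifests (not from a real cluster) ---
# A trimmed copy of the page's advanced viewer role: read-only.
sample_viewer_rules() {
  cat <<'EOF'
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: sample-advanced-view
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["pods", "pods/log", "events", "configmaps"]
  verbs: ["get", "watch", "list"]
- apiGroups: ["apps"]
  resources: ["*"]
  verbs: ["get", "watch", "list"]
EOF
}

# The same role after a careless edit: one rule gained "delete", another "*".
sample_mutated_rules() {
  cat <<'EOF'
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: sample-not-a-viewer
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "delete"]
- apiGroups: ["apps"]
  resources: ["*"]
  verbs: ["*"]
EOF
}

# Demo: report what the lint finds in each sample
for name in sample_viewer_rules sample_mutated_rules; do
  if "$name" | role_is_readonly; then
    echo "$name: read-only"
  else
    echo "$name: NOT read-only, extra verbs: $("$name" | non_readonly_verbs | tr '\n' ' ')"
  fi
done
```

This lint checks the manifest text; the authoritative check after applying is what the API server actually grants, which can be listed with kubectl auth can-i --list --as=system:serviceaccount:${namespace}:${serviceAccount} and should show nothing beyond get/list/watch for a viewer account.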
Resources
The following resources may prove useful when digging further into Kubernetes RBAC topics:
https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/
https://veducate.co.uk/creating-a-kubeconfig-file-for-a-kubernetes-service-account/
https://www.strongdm.com/blog/kubernetes-rbac-role-based-access-control
https://stackoverflow.com/questions/47770676/how-to-create-a-kubectl-config-file-for-serviceaccount