@mrhalix
Last active January 14, 2023 13:46
Manifests and a kubeconfig generator template for read-only access to pods on Kubernetes

Steps to generate the kubeconfig file

  1. Apply the manifests below (ServiceAccount, Secret, ClusterRole, ClusterRoleBinding).
  2. Run kubeconfiggen.sh.
  3. Use registry-cleaner.kubeconfig: KUBECONFIG=/root/registry-cleaner.kubeconfig kubectl get pods -A
# ClusterRole: read-only access to pods. ClusterRoles are cluster-scoped, so the
# metadata.namespace field from the original is dropped (the API server ignores it).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  name: registry-cleaner-read-only
rules:
- apiGroups: [""]          # core API group
  resources: ["pods"]
  verbs: ["get", "list"]   # no write, watch, or escalation verbs
# ClusterRoleBinding: grants the role above to the registry-cleaner ServiceAccount
# in every namespace (which is why step 3 can list pods with -A).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: registry-cleaner-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: registry-cleaner-read-only
subjects:
- kind: ServiceAccount
  name: registry-cleaner
  namespace: default
#!/usr/bin/env sh
# kubeconfiggen.sh: builds registry-cleaner.kubeconfig from the service-account
# token secret. Assumes a kubectl context named "prod" and the API server
# address below.
set -eu

secret=registry-cleaner-secret
ca=$(kubectl --context prod get secret "$secret" -o jsonpath='{.data.ca\.crt}')
token=$(kubectl --context prod get secret "$secret" -o jsonpath='{.data.token}' | base64 --decode)
namespace=$(kubectl --context prod get secret "$secret" -o jsonpath='{.data.namespace}' | base64 --decode)

# The token controller populates the secret asynchronously; do not write an
# empty credential into the kubeconfig.
if [ -z "$ca" ] || [ -z "$token" ]; then
  echo "secret $secret has no ca.crt/token yet; retry in a few seconds" >&2
  exit 1
fi

# certificate-authority-data stays base64-encoded; the token is the decoded bearer token.
cat > registry-cleaner.kubeconfig <<EOF
apiVersion: v1
kind: Config
clusters:
- name: default-cluster
  cluster:
    certificate-authority-data: ${ca}
    server: https://172.16.1.101:6443
contexts:
- name: default-context
  context:
    cluster: default-cluster
    namespace: ${namespace}
    user: default-user
current-context: default-context
users:
- name: default-user
  user:
    token: ${token}
EOF
chmod 600 registry-cleaner.kubeconfig  # the file is a bearer credential
# Secret: long-lived token for the ServiceAccount. It must live in the same
# namespace as the ServiceAccount, so the namespace is set explicitly here.
apiVersion: v1
kind: Secret
metadata:
  name: registry-cleaner-secret
  namespace: default
  annotations:
    kubernetes.io/service-account.name: registry-cleaner
type: kubernetes.io/service-account-token

# ServiceAccount that the kubeconfig authenticates as.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: registry-cleaner
  namespace: default
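A static check of what the ClusterRole and ClusterRoleBinding above actually grant, added here as an example and not part of the gist: it resolves every ClusterRoleBinding naming the registry-cleaner ServiceAccount into (apiGroup, resource, verb) triples and reports anything beyond get/list on pods, so a later edit to the manifests cannot silently widen the "read-only" kubeconfig. The two manifests are transcribed into Python dicts so the script runs without PyYAML or a cluster.

```python
# The gist's ClusterRole and ClusterRoleBinding transcribed into dicts
# (constructed inline so this runs without PyYAML or a cluster).
MANIFESTS = [
    {"kind": "ClusterRole", "metadata": {"name": "registry-cleaner-read-only"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "registry-cleaner-binding"},
     "roleRef": {"kind": "ClusterRole", "name": "registry-cleaner-read-only"},
     "subjects": [{"kind": "ServiceAccount", "name": "registry-cleaner",
                   "namespace": "default"}]},
]
# Exactly what a read-only pod lister should hold: (apiGroup, resource, verb).
EXPECTED = {("", "pods", "get"), ("", "pods", "list")}
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection", "*"}
ESCALATION_VERBS = {"bind", "escalate", "impersonate", "*"}
SENSITIVE_RESOURCES = {"secrets", "*"}

def effective_permissions(manifests, sa_name, sa_ns):
    """Flatten every ClusterRole bound to the ServiceAccount into triples.
    A ClusterRoleBinding applies in all namespaces, which is why step 3 can use -A."""
    roles = {m["metadata"]["name"]: m for m in manifests if m["kind"] == "ClusterRole"}
    perms = set()
    for m in manifests:
        if m["kind"] != "ClusterRoleBinding":
            continue
        if not any(s.get("kind") == "ServiceAccount" and s.get("name") == sa_name
                   and s.get("namespace") == sa_ns for s in m.get("subjects", [])):
            continue
        role = roles.get(m["roleRef"]["name"], {})  # dangling roleRef grants nothing
        for rule in role.get("rules", []):
            for group in rule.get("apiGroups", [""]):
                for resource in rule.get("resources", []):
                    for verb in rule.get("verbs", []):
                        perms.add((group, resource, verb))
    return perms

def review(perms, expected=EXPECTED):
    """Return findings; an empty list means the grant is exactly the expected set."""
    findings = []
    for group, resource, verb in sorted(perms):
        target = f"{group or 'core'}/{resource}"
        if verb in WRITE_VERBS:
            findings.append(f"write verb '{verb}' on {target}")
        if verb in ESCALATION_VERBS:
            findings.append(f"escalation verb '{verb}' on {target}")
        if resource in SENSITIVE_RESOURCES:
            findings.append(f"sensitive resource '{resource}' exposed via {verb}")
    findings += [f"unexpected permission {p}" for p in sorted(perms - expected)]
    return findings

print(review(effective_permissions(MANIFESTS, "registry-cleaner", "default")) or "OK")
```

For the manifests as written the review returns an empty list; whoever holds the generated kubeconfig holds exactly these permissions, since the file is the ServiceAccount's bearer token.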