Last active
June 1, 2022 00:03
-
-
Save sandipchitale/668602f4e5003e99f09e2f56e637045a to your computer and use it in GitHub Desktop.
Service account based access to a cluster #kubeconfig #kubernetes
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Create Service Account | |
| --- | |
| apiVersion: v1 | |
| kind: ServiceAccount | |
| metadata: | |
| name: cluster-admin-service-account | |
| namespace: kube-system | |
| # Create Cluster Administrator Cluster Role | |
| --- | |
| apiVersion: rbac.authorization.k8s.io/v1 | |
| kind: ClusterRole | |
| metadata: | |
| name: cluster-admin-service-account-cluster-role | |
| rules: | |
| - apiGroups: | |
| - '*' | |
| resources: | |
| - '*' | |
| verbs: | |
| - '*' | |
| - nonResourceURLs: | |
| - '*' | |
| verbs: | |
| - '*' | |
| # Create Cluster Administrator Cluster Role Binding | |
| --- | |
| apiVersion: rbac.authorization.k8s.io/v1 | |
| kind: ClusterRoleBinding | |
| metadata: | |
| name: cluster-admin-service-account-cluster-role-binding | |
| roleRef: | |
| apiGroup: rbac.authorization.k8s.io | |
| kind: ClusterRole | |
| name: cluster-admin-service-account-cluster-role | |
| subjects: | |
| - kind: ServiceAccount | |
| namespace: kube-system | |
| name: cluster-admin-service-account | |
| # | |
| # | |
| # | |
| # Now get the secret assocaited with the service account | |
| # > kubectl describe sa -n kube-system cluster-admin-service-account | |
| # Name: cluster-admin-service-account | |
| # Namespace: kube-system | |
| # Labels: <none> | |
| # Annotations: <none> | |
| # Image pull secrets: <none> | |
| # Mountable secrets: cluster-admin-service-account-token-rjp2n | |
| # Tokens: cluster-admin-service-account-token-rjp2n | |
| # Events: <none> | |
| # | |
| # | |
| # Now describe the secret | |
| # > kubectl describe secret -n kube-system cluster-admin-service-account-token-rjp2n | |
| # Name: cluster-admin-service-account-token-rjp2n | |
| # Namespace: kube-system | |
| # Labels: <none> | |
| # Annotations: kubernetes.io/service-account.name: cluster-admin-service-account | |
| # kubernetes.io/service-account.uid: cf2284aa-0799-4bcc-99ea-1b0d40ff0861 | |
| # | |
| # Type: kubernetes.io/service-account-token | |
| # | |
| # Data | |
| # ==== | |
| # token: <token> | |
| # ca.crt: 1066 bytes | |
| # namespace: 11 bytes | |
| # | |
| # | |
| # Now create the user and context like so in the KUBECONFIG | |
| # users: | |
| # - name: cluster-admin-service-account | |
| # user: | |
| # token: <token> | |
| # - context: | |
| # cluster: cluster-name | |
| # namespace: kube-system | |
| # user: cluster-admin-service-account | |
| # name: cluster-name-cluster-admin-service-account |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment