Create a service account and generate a kubeconfig file for it - this will also set the default namespace for the service account, and RBAC
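#!/usr/bin/env bash
#
# Create a Kubernetes service account, bind it to a namespace-scoped Role,
# write a standalone kubeconfig (embedded CA + bearer token) for it, and
# upload that kubeconfig to S3.
#
# Usage:    $0 <service-account> <namespace (stg|prod)>
# Env:      S3_PREFIX  - destination prefix for the kubeconfig; the default
#                        below is a placeholder and MUST be changed.
# Requires: kubectl (with a working current-context), jq, aws, base64
#
# The generated kubeconfig contains a long-lived bearer token, and the Role
# below grants every verb on every resource of the core, extensions and batch
# API groups inside the namespace (that includes Secrets). Treat the local
# file and the S3 object as credentials: restrict who can read them.
#
# Options are set here rather than in the shebang so they survive being run
# as `bash script.sh`.
set -euo pipefail

die() { printf '%s\n' "$*" >&2; exit 1; }

# Under `set -u` an unset $1/$2 would abort before the check, hence ${1:-}.
if [[ -z "${1:-}" ]] || [[ -z "${2:-}" ]]; then
  echo "usage: $0 <service-account> <namespace (stg|prod)>" >&2
  exit 1
fi

for tool in kubectl jq aws base64; do
  command -v "${tool}" >/dev/null 2>&1 || die "required tool not found: ${tool}"
done

SERVICE_ACCOUNT_NAME=$1
NAMESPACE=$2
# Overridable from the environment; the default is only a placeholder.
S3_PREFIX="${S3_PREFIX:-s3://EXAMPLE_BUCKET/certs-and-keys/k8s-cluster}"

# Credential-bearing files: owner-only permissions and unpredictable names
# (no fixed /tmp paths another local user could pre-create). The CA copy is
# removed on exit; the kubeconfig is kept because the "Test with:" lines at
# the end refer to it.
umask 077
WORK_DIR=$(mktemp -d) || die "mktemp failed"
trap 'rm -rf -- "${WORK_DIR}"' EXIT
CA_FILE_LOCATION="${WORK_DIR}/ca.crt"
KUBECFG_FILE_NAME=$(mktemp "/tmp/k8s-${SERVICE_ACCOUNT_NAME}-conf.XXXXXX") || die "mktemp failed"

echo "Creating a service account: ${SERVICE_ACCOUNT_NAME}"
kubectl create sa "${SERVICE_ACCOUNT_NAME}" -n "${NAMESPACE}"

echo "Adding RBAC for Jobs for service account ${SERVICE_ACCOUNT_NAME}"
# rbac.authorization.k8s.io/v1 is GA since Kubernetes 1.8; v1beta1 was removed
# in 1.22. Jobs (and CronJobs) live in the "batch" API group -- there is no
# "jobs" group, so the original entry granted nothing for them.
kubectl create -f - <<EOF
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: ${SERVICE_ACCOUNT_NAME}-role
  namespace: ${NAMESPACE}
rules:
  # "*" on the core group covers secrets, configmaps, pods/exec, ...
  # Narrow these lists if the account only needs to manage Jobs.
  - apiGroups: ["", "extensions", "batch"]
    resources: ["*"]
    verbs: ["*"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: ${SERVICE_ACCOUNT_NAME}-binding
  namespace: ${NAMESPACE}
subjects:
  - kind: ServiceAccount
    name: ${SERVICE_ACCOUNT_NAME}
    namespace: ${NAMESPACE}
roleRef:
  kind: Role
  name: ${SERVICE_ACCOUNT_NAME}-role
  apiGroup: rbac.authorization.k8s.io
EOF

printf '\nGetting secret of service account %s\n' "${SERVICE_ACCOUNT_NAME}"
# Take the first listed secret only (a multi-line value would break the
# kubectl calls below). On Kubernetes 1.24+ token secrets are no longer
# auto-created, so .secrets is empty and we stop with a clear message.
SECRET=$(kubectl get sa "${SERVICE_ACCOUNT_NAME}" -n "${NAMESPACE}" -o json \
  | jq -r '.secrets[0].name // empty')
[[ -n "${SECRET}" ]] || die "no token secret found for service account ${SERVICE_ACCOUNT_NAME} (Kubernetes 1.24+ no longer auto-creates them; create one first)"
echo "secret = ${SECRET}"

printf '\nExtracting ca.crt from secret\n'
# --decode is accepted by both GNU coreutils (-d) and macOS/BSD (-D) base64.
kubectl get secret "${SECRET}" -n "${NAMESPACE}" -o json \
  | jq -r '.data["ca.crt"]' | base64 --decode > "${CA_FILE_LOCATION}"

printf '\nGetting user token\n'
USER_TOKEN=$(kubectl get secret "${SECRET}" -n "${NAMESPACE}" -o json \
  | jq -r '.data["token"]' | base64 --decode)

# Cluster name and API endpoint are taken from the operator's current context.
CONTEXT_NAME=$(kubectl config current-context)
printf '\nUsing current context: %s\n' "${CONTEXT_NAME}"
CLUSTER_NAME=$(kubectl config view -o jsonpath="{.contexts[?(@.name==\"${CONTEXT_NAME}\")].context.cluster}")
echo "cluster_name: ${CLUSTER_NAME}"
ENDPOINT=$(kubectl config view -o jsonpath="{.clusters[?(@.name == \"${CLUSTER_NAME}\")].cluster.server}")
echo "endpoint: ${ENDPOINT}"
[[ -n "${CLUSTER_NAME}" && -n "${ENDPOINT}" ]] \
  || die "could not resolve cluster/server for context ${CONTEXT_NAME}"

# User and context entries share one name: <sa>-<cluster without "cluster-" prefix>.
USER_NAME="${SERVICE_ACCOUNT_NAME}-${CLUSTER_NAME#cluster-}"

# Run `kubectl config` against the kubeconfig being generated, not the operator's.
kcfg() { KUBECONFIG="${KUBECFG_FILE_NAME}" kubectl config "$@"; }

printf '\nPreparing %s\n' "${KUBECFG_FILE_NAME}"
echo "Setting a cluster entry in kubeconfig"
kcfg set-cluster "${CLUSTER_NAME}" \
  --embed-certs=true \
  --server="${ENDPOINT}" \
  --certificate-authority="${CA_FILE_LOCATION}"

echo "Setting a user entry in kubeconfig"
# kubectl has no stdin/file form for --token, so the token is briefly visible
# in the process list of this host while the command runs.
kcfg set-credentials "${USER_NAME}" --token="${USER_TOKEN}"

echo "Setting a context entry in kubeconfig"
kcfg set-context "${USER_NAME}" \
  --cluster="${CLUSTER_NAME}" \
  --user="${USER_NAME}" \
  --namespace="${NAMESPACE}"

echo "Setting the current-context in the kubeconfig file"
kcfg use-context "${USER_NAME}"

S3_LOCATION="${S3_PREFIX}/${CLUSTER_NAME}-${SERVICE_ACCOUNT_NAME}-service-account-kubecfg"
echo "Uploading ${KUBECFG_FILE_NAME} to ${S3_LOCATION}"
aws s3 cp "${KUBECFG_FILE_NAME}" "${S3_LOCATION}"

echo "done! Test with: "
echo "aws s3 cp \"${S3_LOCATION}\" \"${KUBECFG_FILE_NAME}\""
echo "KUBECONFIG=${KUBECFG_FILE_NAME} kubectl get jobs"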
We use these service accounts for automated external (to kubernetes) job triggers.
I updated the script
https://gist.github.com/innovia/fbba8259042f71db98ea8d4ad19bd708
Ref for original so0k/8fad3b1639b3d70cd841703fda67f16b/revisions