Skip to content

Instantly share code, notes, and snippets.

Last active January 29, 2024 23:00
Show Gist options
  • Save innovia/fbba8259042f71db98ea8d4ad19bd708 to your computer and use it in GitHub Desktop.
Save innovia/fbba8259042f71db98ea8d4ad19bd708 to your computer and use it in GitHub Desktop.
Create a service account and generate a kubeconfig file for it - this will also set the default namespace for the user
set -e
set -o pipefail
# Add user to k8s using service account, no RBAC (must create RBAC after this script)
if [[ -z "$1" ]] || [[ -z "$2" ]]; then
echo "usage: $0 <service_account_name> <namespace>"
exit 1
create_target_folder() {
echo -n "Creating target directory to hold files in ${TARGET_FOLDER}..."
mkdir -p "${TARGET_FOLDER}"
printf "done"
create_service_account() {
echo -e "\\nCreating a service account in ${NAMESPACE} namespace: ${SERVICE_ACCOUNT_NAME}"
kubectl create sa "${SERVICE_ACCOUNT_NAME}" --namespace "${NAMESPACE}"
get_secret_name_from_service_account() {
echo -e "\\nGetting secret of service account ${SERVICE_ACCOUNT_NAME} on ${NAMESPACE}"
SECRET_NAME=$(kubectl get sa "${SERVICE_ACCOUNT_NAME}" --namespace="${NAMESPACE}" -o json | jq -r .secrets[].name)
echo "Secret name: ${SECRET_NAME}"
extract_ca_crt_from_secret() {
echo -e -n "\\nExtracting ca.crt from secret..."
kubectl get secret --namespace "${NAMESPACE}" "${SECRET_NAME}" -o json | jq \
-r '.data["ca.crt"]' | base64 -D > "${TARGET_FOLDER}/ca.crt"
printf "done"
get_user_token_from_secret() {
echo -e -n "\\nGetting user token from secret..."
USER_TOKEN=$(kubectl get secret --namespace "${NAMESPACE}" "${SECRET_NAME}" -o json | jq -r '.data["token"]' | base64 -D)
printf "done"
set_kube_config_values() {
context=$(kubectl config current-context)
echo -e "\\nSetting current context to: $context"
CLUSTER_NAME=$(kubectl config get-contexts "$context" | awk '{print $3}' | tail -n 1)
echo "Cluster name: ${CLUSTER_NAME}"
ENDPOINT=$(kubectl config view \
-o jsonpath="{.clusters[?( == \"${CLUSTER_NAME}\")].cluster.server}")
echo "Endpoint: ${ENDPOINT}"
# Set up the config
echo -e "\\nPreparing k8s-${SERVICE_ACCOUNT_NAME}-${NAMESPACE}-conf"
echo -n "Setting a cluster entry in kubeconfig..."
kubectl config set-cluster "${CLUSTER_NAME}" \
--kubeconfig="${KUBECFG_FILE_NAME}" \
--server="${ENDPOINT}" \
--certificate-authority="${TARGET_FOLDER}/ca.crt" \
echo -n "Setting token credentials entry in kubeconfig..."
kubectl config set-credentials \
--kubeconfig="${KUBECFG_FILE_NAME}" \
echo -n "Setting a context entry in kubeconfig..."
kubectl config set-context \
--kubeconfig="${KUBECFG_FILE_NAME}" \
--cluster="${CLUSTER_NAME}" \
echo -n "Setting the current-context in the kubeconfig file..."
kubectl config use-context "${SERVICE_ACCOUNT_NAME}-${NAMESPACE}-${CLUSTER_NAME}" \
echo -e "\\nAll done! Test with:"
echo "KUBECONFIG=${KUBECFG_FILE_NAME} kubectl get pods"
echo "you should not have any permissions by default - you have just created the authentication part"
echo "You will need to create RBAC permissions"
Copy link

so0k commented Jan 25, 2018

Copy link

boskiv commented Oct 7, 2018

I'm starting it with kubespray setup on coreos-stable
Getting error:

Getting user token from secret...doneerror: current-context is not set

Because of:

core@k8s-01 ~ $ kubectl config view
apiVersion: v1
clusters: []
contexts: []
current-context: ""
kind: Config
preferences: {}
users: []

Copy link

boskiv commented Oct 7, 2018

Also error in decode option pass to base64

base64: invalid option -- 'D'

It shoud be -d in Ubuntu 16.04 and Coreos

Copy link

base64 --decode should be OK for Linux and MacOS.

Copy link

Works properly, except for the typo in base64 command. Just use -d instead of -D.

Copy link

Works great, can someone explain what kind of RBAC rules are needed, it was just working for me.

Copy link

Works great, can someone explain what kind of RBAC rules are needed, it was just working for me.

I am new to kubernetes, I think if you are made developer to the namespace, you should able to create kubeconf from SA, RBAC rules for the user I have:

  • apiGroups: ["", "batch", "extensions", "apps"]
    resources: [""]
    verbs: ["

Copy link

nodox commented Nov 20, 2019

What RBAC rules are needed? Doesn't feel like this is a complete example gist.

Copy link

nodox commented Nov 20, 2019

# permissions.yaml
kind: ClusterRoleBinding
  name: deliverybot-clusterrolebinding
  - kind: ServiceAccount
    name: deliverybot
    namespace: default
  kind: ClusterRole
  name: cluster-admin
  apiGroup: ""

Heres what I used to get access. You'll want to update the service account name to be whatever you used in ./setup command.

Heres how I did it. First I saved the above in a file names permissions.yaml and ran the following.

chmod +x
./ deliverybot default
kubectl apply -f permissions.yaml 
KUBECONFIG=/tmp/kube/k8s-deliverybot-default-conf kubectl get pods

Copy link

xtavras commented Nov 25, 2019

Thanks! I've added new function for creating RBAC, not sure if "sed" will work on MacOS though.

 apply_rbac() {
    echo -e -n "\\nApplying RBAC permissions..."
    sed -e "s|my_account|${SERVICE_ACCOUNT_NAME}|g" -e "s|my_namespace|${NAMESPACE}|g" \
    permissions-template.yaml > permissions_${SERVICE_ACCOUNT_NAME}.yaml     
    kubectl apply -f permissions_${SERVICE_ACCOUNT_NAME}.yaml
    printf "done"

content of permissions-template.yaml

kind: ClusterRoleBinding
  name: my_account-clusterrolebinding
  - kind: ServiceAccount
    name: my_account
    namespace: my_namespace
  kind: ClusterRole
  name: cluster-admin
  apiGroup: ""

Full script with some other adjustemnts

Copy link

One gotcha I've encountered is that the service account's secret is not always available immediately after a successful create sa.

AFAICT, the SA token controller eventually creates it, so some may want to add polling logic (which is seen in the kubernetes test coverage of SA token creation).

I'm not sure if there are bash libs for that, but I've found useful in case anyone else references the above for creating a larger toolset in Go (e.g. with

Copy link

chaimfn commented Dec 15, 2019

It is prompt me for Username & Password

Copy link

brew install jq

Copy link

and this is how to do it with openshift :

Copy link

Hi, I create a complete project with a part of this wonderful script , don't hesitate to comment it!

Thank you

Copy link

It takes too much time, is it expected?

Copy link

Script almost finishes, but ends with:

Error from server (Forbidden): pods is forbidden: User "system:serviceaccount:default:helm-github-actions" cannot list resource "pods" in API group "" in the namespace "default"

Specifically this command:


Copy link

# permissions.yaml
kind: ClusterRoleBinding
  name: deliverybot-clusterrolebinding
  - kind: ServiceAccount
    name: deliverybot
    namespace: default
  kind: ClusterRole
  name: cluster-admin
  apiGroup: ""

Heres what I used to get access. You'll want to update the service account name to be whatever you used in ./setup command.

Heres how I did it. First I saved the above in a file names permissions.yaml and ran the following.

chmod +x
./ deliverybot default
kubectl apply -f permissions.yaml 
KUBECONFIG=/tmp/kube/k8s-deliverybot-default-conf kubectl get pods

Ah - this fixed it. Thanks!

Copy link

sdarwin commented Mar 13, 2023

Does this have an effect on the process?

Service Account Token Secrets In Kubernetes v1.24 and later, the LegacyServiceAccountTokenNoAutoGeneration feature gate prevents Kubernetes from automatically creating these tokens for ServiceAccounts. LegacyServiceAccountTokenNoAutoGeneration is enabled by default; in other words, Kubernetes does not create these tokens.

Here is an updated version which creates the api token manually.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment