We'll use the default namespace to hold the SA only for demo purposes.
oc create serviceaccount -n default byoc
We use byoc for now.
oc new-project byoc
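The rolebinding needs to go into our target namespace. Because it is a RoleBinding rather than a ClusterRoleBinding, the cluster-admin permissions it grants apply only inside that namespace. If you created a different namespace than byoc in the previous step, replace the --namespace argument below with the proper value: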
oc create rolebinding --namespace=byoc --clusterrole=cluster-admin --serviceaccount default:byoc byoc-rb
There's this little script I got off Stack Overflow and modified to our needs. It creates the token for the ServiceAccount and then generates and outputs a suitable kubeconfig file. For now, it uses hardcoded values for the service account name and its corresponding namespace.
Save the script from https://gist.github.com/jannfis/2a8dbdf7344555312244cc5e3c7df12b to byoc.sh, make it executable (chmod +x byoc.sh), then run it with the remote cluster's API URL as the argument, like so (replace the API URL with your own):
./byoc.sh https://api.ci-ln-7fgyn62-72292.origin-ci-int-gce.dev.rhcloud.com:6443
You can edit the script and set other defaults, if you like:
- cluster is the symbolic name of the cluster, only used within the kubeconfig (default is byoc)
- name is the name of the ServiceAccount (default is byoc)
- ns is the namespace of the ServiceAccount (default is default)
The name of the generated file will be <name>@<cluster>, so by default you will end up with a file named byoc@byoc. You can test the generated kubeconfig as follows:
oc --kubeconfig byoc@byoc get cm --namespace byoc
It should give you a list of ConfigMaps in your remote BYOC's namespace named byoc.
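For reference, the shape of a token-based kubeconfig like the one described above, as an added sketch (this is not the contents of the gist). The function name write_sa_kubeconfig is hypothetical, and the ServiceAccount token is assumed to be supplied by the caller instead of being created by the script:

```shell
#!/bin/sh
# Added sketch, not the gist's code: writes a token-based kubeconfig named
# <name>@<cluster>, using the defaults described above (cluster=byoc, name=byoc).
# Assumption: the caller already has the ServiceAccount token, for example from
# `oc create token byoc -n default` on clusters that support it.

write_sa_kubeconfig() {
    server=$1; token=$2
    cluster=${3:-byoc}; name=${4:-byoc}
    out="${name}@${cluster}"

    [ -n "$server" ] && [ -n "$token" ] || {
        echo "usage: write_sa_kubeconfig <api-url> <token> [cluster] [name]" >&2
        return 2
    }
    # The token is a bearer credential; never send it over plain HTTP.
    case $server in
        https://*) ;;
        *) echo "refusing non-HTTPS API URL: $server" >&2; return 2 ;;
    esac

    # Create the file owner-readable only, since it embeds the token.
    # No certificate-authority entry is written, so the client validates the
    # API server certificate against the system trust store.
    ( umask 077
      cat > "$out" <<EOF
apiVersion: v1
kind: Config
clusters:
- name: ${cluster}
  cluster:
    server: ${server}
users:
- name: ${name}
  user:
    token: ${token}
contexts:
- name: ${name}@${cluster}
  context:
    cluster: ${cluster}
    user: ${name}
current-context: ${name}@${cluster}
EOF
    ) || return 1
    chmod 600 "$out"
    echo "$out"   # print the generated file name
}
```

Anyone who can read the resulting file can act as the ServiceAccount in the target namespace, so keep it out of version control and shared directories.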
Do it! :-) For now, needs to be of type OpenShift. Be sure to specify the namespace created above as the "Target namespace" in the UI.