We'll use the default namespace to hold the SA only for demo purposes.
oc create serviceaccount -n default byoc
We use byoc for now.
oc new-project byoc
The rolebinding needs to go into our target namespace. If you created different namespace than byoc in the previous step,
replace --namespace argument below with proper value:
oc create rolebinding --namespace=byoc --clusterrole=cluster-admin --serviceaccount default:byoc byoc-rb
There's this little script I got off Stack Overflow and modified to our needs. It creates the token for the ServiceAccount and then generates and outputs a suitable kubeconfig file. For now, it uses hardcoded values for the service account name and its corresponding namespace.
Save from https://gist.github.com/jannfis/2a8dbdf7344555312244cc5e3c7df12b to byoc.sh, make the script executable (chmod +x byoc.sh) then run it with the remote cluster's API URL as argument like so (replace API URL with your own):
./byoc.sh https://api.ci-ln-7fgyn62-72292.origin-ci-int-gce.dev.rhcloud.com:6443
You can edit the script and set other defaults, if you like:
clusteris the symbolic name of the cluster, only used within the kubeconfig (default isbyoc)nameis the name of the ServiceAccount (default isbyoc)nsis the namespace of the ServiceAccount (default isdefault)
The name of the generated file will be <name>@<cluster>, so by default you will end up with a file named byoc@byoc. You can test the generated kubeconfig as follows:
oc --kubeconfig byoc@byoc get cm --namespace byoc
It should give you a list of ConfigMaps in your remote BYOC's namespace named byoc.
Do it! :-) For now, needs to be of type OpenShift. Be sure to specify the namespace created above as the "Target namespace" in the UI.