Last active
November 28, 2018 08:49
-
-
Save leoh0/ae7db2adad939e1c0c805cd1879ebbb6 to your computer and use it in GitHub Desktop.
Create admin token for admin.conf which is free from cert(PKI) in kubernetes
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
apiVersion: v1 | |
clusters: | |
- cluster: | |
certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUN5RENDQWJDZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwcmRXSmwKY201bGRHVnpNQjRYRFRFNE1URXlNakUxTkRBeU1Wb1hEVEk0TVRFeE9URTFOREF5TVZvd0ZURVRNQkVHQTFVRQpBeE1LYTNWaVpYSnVaWFJsY3pDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBS3BZCnBSLzVnWkdNUmpKTUlWM0F4Rm1PaFdiTkhHZm5UUWxzRlh6TVpmaGxMNXA2VGZjc1dJb25TUUQ0S2YyZXI3STAKL21ZZ3EwbXBIV1I5MmNLZ1dRU0NDTDJRNTRLRVBaRGV5N3d4TXpreDJiQXFDWDRUbW05dHVwcmpCSVRFdDRNcQpTWUtNelhMWW04RVByUHA5cUU0MGxrZFlIdXZPdExHMnhWUGY4SDVwbWM4aVpiUHFUdFhpT3NjeHpjVjMveFF4CnQ5dDJDT25kbWNMWUFJVzlqcVMxb0xOVGRlV3RXdytsd1ZTWmw2clg4K3ROQldJdUFCeGdCYkEyakxud1hDbE8KdXE5V3hlNkc0R1IxUFVjTStscFNLQURuSjIyQmJ1VzhaRmlvYkxhNzIvOFlXcCtkS1pncDhpWDBwWXpGQ0JtTgp5WDk5MHZNT3NaWVp6TlIvWllrQ0F3RUFCYU1qTUNFd0RnWURWUjBQQVFIL0JBUURBZ0trTUE4R0ExVWRFd0VCCi93UUZNQU1CQWY4d0RRWUpLb1pJaHZjTkJRRUxCUUFEZ2dFQkFESm01NDh1SEp1YWE0dlFKK1I3bytvSk50MkEKdm8zMzNlREtFclNkNjNPa0Rvc0k3NDlRa1FTV0lZb29Ed3JWUEtzT3FhYnFiODZRTm41Z2hGNElyQi80ZlpVSgpuZWhEVkpkMzM4M2d3RXlmRExldVRIMDJPTzltMGtsSTdXSFZ0WUJ6S2Z6ZzBKaDdCekJueDEwUmp0M2d5QXExCmNEbitSWFl2eDBlZVFNRUpUQlVOYXptWFh6b2RsTktOcDlYL1FwaEpIb2NnRVBCV3NucENnUFlnR3ZoRG5nK2EKRnRUbUxDSElxM1dBOVVXdlJ6cFZaSHJHWExBQ284cHhva084bXJlUXFXSEdmNE5zc3ZZWnhrbThUTDkraGZrYwpiZUVrMnJiMFFPN2RLY0lTVzBjZEUrMFhqOUQxM2xkR014UjRYUGVYQitWU0Y3a2pDUGZPZjlwbWRCVT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQ== | |
server: https://k8s.test.com:6443 | |
name: kubernetes | |
contexts: | |
- context: | |
cluster: kubernetes | |
user: cluster-admin | |
name: cluster-admin@kubernetes | |
current-context: cluster-admin@kubernetes | |
kind: Config | |
users: | |
- name: cluster-admin | |
user: | |
token: eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJjbHVzdGVyLWFkbWluLXRva2VuLXZzNXZ3Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6ImNsdXN0ZXItYWRtaW4iLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhW2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiIwMDAzYWI5MC1lZTZkLTExZTgtYTVjMS1mYTE2M2U1NDNmNjUiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6a3ViZS1zeXN0ZW06Y2x1c3Rlci1hZG1pbiJ9.Jvt2WhSZqkB9zX1szKmERXTlf_pIJircgOgJA9NeLnECo8KhxFSJzm404Ua4BS6v2JkCkGL5-lwKuKNL5_2N1hIn3Q9F5irZf2GpYrxt6_oigRvgErWCfoAcFYngPxVoJrWY7CmizhrQLht0AhLzKAHpzLWGVNjkk7Kmx5rjxJrGRE01UAYUXxtGBW3PX7x61vsuBOYau8hNIIIRZJPdPh05hxZc82t8XOjE1qtKsiyzn3pFPLRmH_hPSKT8GDZhlQ2qLhazAejJkWgAu2r4WSucuSePSh6J37zBPgat-7GUHOZL_HNDTBNtplAEEsOgrLj_cOKvyuTPryRZw_8WtA |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/usr/bin/env bash | |
# In general, operators need a `admin.conf` file when they use the kubectl | |
# for managing k8s. | |
# In `admin.conf` file, there is a user section for authenticating k8s which is | |
# configured by PKI datas like `certificate-data` and `key-data`. | |
# This PKI is great authentication system in k8s, but it has some limitations. | |
# For example, you need to care creating new certs before it is expired and you | |
# can't revoke this `admin.conf` file until it is expired. If you're using | |
# `kubespray`, it's expiration date setted 10 years after so you don't need to | |
# create this `admin.conf` again in that time but it still has revoking | |
# `admin.conf` problem. | |
# And also, if you interest about replacing authentication method other than PKI | |
# in admin.conf, you can use `token-auth-file` config in APIserver for replacing | |
# PKI. | |
# But, it is related with APIserver so little annoying when you are using this | |
# config. | |
# So, I propose another method for solving this problem. | |
# This method used `JWT token` which was generated by `service-account` which | |
# has a `cluster-admin` role. | |
kubectl create serviceaccount cluster-admin -n kube-system | |
kubectl create clusterrolebinding cluster-admin-sa \ | |
--clusterrole=cluster-admin \ | |
--serviceaccount=kube-system:cluster-admin | |
SECRET_NAME=$(kubectl get sa -n kube-system cluster-admin \ | |
-o go-template="{{ (index .secrets 0).name }}") | |
TOKEN=$(kubectl get secrets -n kube-system $SECRET_NAME \ | |
-o go-template="{{ .data.token }}" | base64 -d) | |
kubectl config set-credentials cluster-admin --token=$TOKEN | |
CLUSTER_NAME=$(kubectl config get-clusters | tail -n1) | |
kubectl config set-context cluster-admin@${CLUSTER_NAME} \ | |
--cluster=${CLUSTER_NAME} --user=cluster-admin | |
kubectl config use-context cluster-admin@${CLUSTER_NAME} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment