@lotuc
Last active January 4, 2020 07:06
Create a Kubernetes namespace, create a service account with full access to that namespace and to that namespace only, and generate a kubectl config file for the service account.
#!/usr/bin/env bash
set -euo pipefail

# namespace you want to create (replace every <...> placeholder before running)
NAMESPACE="<namespace>"
# cluster configuration
CLUSTER_SERVER="https://<your-cluster-endpoint>"
CLUSTER_NAME="<your-cluster-name>"
# customize these names as needed
ACCOUNT=${NAMESPACE}-admin
ROLE_NAME=${NAMESPACE}-full-access
ROLE_BINDING_NAME=${NAMESPACE}-view

## Create namespace & access resources
# Role and RoleBinding use rbac.authorization.k8s.io/v1; the v1beta1 API the
# original used was removed in Kubernetes 1.22.
# The Role is namespaced, so the binding grants access inside ${NAMESPACE} only.
# Note that "*" on the core API group also covers secrets and serviceaccounts.
echo "---
apiVersion: v1
kind: Namespace
metadata:
  name: ${NAMESPACE}
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: \"${ACCOUNT}\"
  namespace: \"${NAMESPACE}\"
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: \"${ROLE_NAME}\"
  namespace: \"${NAMESPACE}\"
rules:
  - apiGroups: [\"\", \"extensions\", \"apps\"]
    resources: [\"*\"]
    verbs: [\"*\"]
  - apiGroups: [\"batch\"]
    resources:
      - jobs
      - cronjobs
    verbs: [\"*\"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: \"${ROLE_BINDING_NAME}\"
  namespace: \"${NAMESPACE}\"
subjects:
  - kind: ServiceAccount
    name: \"${ACCOUNT}\"
    namespace: \"${NAMESPACE}\"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: \"${ROLE_NAME}\"
" > "${NAMESPACE}.yaml"
kubectl apply -f "${NAMESPACE}.yaml"

## Create access configuration
# Reads the token secret Kubernetes auto-creates for the service account.
# Clusters from 1.24 on no longer create these secrets automatically; there the
# token must be requested explicitly (e.g. kubectl create token) or a secret of
# type kubernetes.io/service-account-token created for the account first.
SECRET=$(kubectl get sa "${ACCOUNT}" -n "${NAMESPACE}" -o "jsonpath={.secrets[0].name}")
TOKEN=$(kubectl get secret "${SECRET}" -n "${NAMESPACE}" -o "jsonpath={.data.token}" | base64 -d)
CERT=$(kubectl get secret "${SECRET}" -n "${NAMESPACE}" -o "jsonpath={.data['ca\.crt']}")
echo "Creating kube_config-${NAMESPACE}.yaml"
# The generated file holds a bearer token with the Role's full access to the
# namespace: handle it as a credential.
echo "
apiVersion: v1
kind: Config
preferences: {}
# Define the cluster
clusters:
  - cluster:
      certificate-authority-data: ${CERT}
      server: \"${CLUSTER_SERVER}\"
    name: \"${CLUSTER_NAME}\"
# Define the user (token authentication; ca.crt is the cluster CA, not a
# client key, so there is no client-key-data entry)
users:
  - name: \"${ACCOUNT}\"
    user:
      token: \"${TOKEN}\"
# Define the context: linking a user to a cluster
contexts:
  - context:
      cluster: \"${CLUSTER_NAME}\"
      namespace: \"${NAMESPACE}\"
      user: \"${ACCOUNT}\"
    name: \"${NAMESPACE}\"
# Define current context
current-context: \"${NAMESPACE}\"
" > "./kube_config-${NAMESPACE}.yaml"
chmod 600 "./kube_config-${NAMESPACE}.yaml"
echo
echo " export KUBECONFIG=$(pwd)/kube_config-${NAMESPACE}.yaml"
echo
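To see what "access to this namespace only" means for the Role above, here is an added example (not part of the gist) that models how a namespaced RoleBinding is evaluated against those same two rules; the namespace value and the request cases are constructed, and resourceNames, subresources and non-resource URLs are ignored.

```python
# Added example, not part of the gist: a minimal model of how a namespaced
# RoleBinding is evaluated, applied to the Role rules the script creates.
# It follows the RBAC rule semantics (apiGroup, resource and verb must each
# match literally or via "*") and ignores resourceNames, subresources and
# non-resource URLs.

NAMESPACE = "team-a"  # constructed value for the gist's <namespace> placeholder

# The two rules of the gist's Role, as Python data.
ROLE_RULES = [
    {"apiGroups": ["", "extensions", "apps"], "resources": ["*"], "verbs": ["*"]},
    {"apiGroups": ["batch"], "resources": ["jobs", "cronjobs"], "verbs": ["*"]},
]

def _matches(allowed, value):
    """A rule field matches a request value literally or via the "*" wildcard."""
    return "*" in allowed or value in allowed

def rule_allows(rule, api_group, resource, verb):
    return (_matches(rule["apiGroups"], api_group)
            and _matches(rule["resources"], resource)
            and _matches(rule["verbs"], verb))

def role_binding_allows(rules, bound_ns, api_group, resource, verb, namespace):
    """namespace=None marks a cluster-scoped request (nodes, namespaces, ...),
    which a Role/RoleBinding can never grant, whatever the rules say."""
    if namespace is None or namespace != bound_ns:
        return False
    return any(rule_allows(r, api_group, resource, verb) for r in rules)

def check(api_group, resource, verb, namespace):
    """Is this request granted to the gist's ${NAMESPACE}-admin account?"""
    return role_binding_allows(ROLE_RULES, NAMESPACE, api_group, resource, verb, namespace)

if __name__ == "__main__":
    cases = [  # constructed requests: (apiGroup, resource, verb, namespace)
        ("", "pods", "list", NAMESPACE),                              # allow
        ("", "secrets", "get", NAMESPACE),                            # allow: "*" on core
        ("apps", "deployments", "delete", NAMESPACE),                 # allow
        ("batch", "cronjobs", "create", NAMESPACE),                   # allow
        ("rbac.authorization.k8s.io", "roles", "create", NAMESPACE),  # deny: group absent
        ("networking.k8s.io", "ingresses", "get", NAMESPACE),         # deny: group absent
        ("", "pods", "list", "kube-system"),                          # deny: other namespace
        ("", "namespaces", "list", None),                             # deny: cluster-scoped
    ]
    for c in cases:
        print(f"{c!r:62} -> {'allow' if check(*c) else 'deny'}")
```

On a live cluster the same checks are `kubectl auth can-i` runs with the generated kubeconfig, e.g. `can-i list pods -n <namespace>` (yes) versus `can-i list pods -n kube-system` (no).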