Last active
March 17, 2020 17:35
Get the Service Account and Token. Generate the Kubeconfig
Get the Service Account and Token. Generate the Kubeconfig | |
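#!/usr/bin/env bash
# Build a standalone kubeconfig that authenticates as a Kubernetes service
# account, using the bearer token stored in that account's token Secret.
#
# Run this as a script file rather than pasting it into an interactive shell:
# it aborts on the first failing command.
#
# Security notes:
#   * The output file holds a bearer token for the service account. Anyone who
#     can read it has whatever RBAC rights are bound to that account, so it is
#     created owner-only (umask 077) and should be stored like any other secret.
#   * The intermediate ".full.tmp" file is a raw copy of your own kubeconfig,
#     including every credential in it. It is removed on exit, even on failure.
set -euo pipefail
umask 077

# Update these to match your environment
SERVICE_ACCOUNT_NAME=spinnaker-service-account
CONTEXT=$(kubectl config current-context)
NAMESPACE=spinnaker
NEW_CONTEXT=spinnaker
KUBECONFIG_FILE="kubeconfig-sa"

FULL_TMP="${KUBECONFIG_FILE}.full.tmp"
MIN_TMP="${KUBECONFIG_FILE}.tmp"
TOKEN_USER="${CONTEXT}-${NAMESPACE}-token-user"

# Remove tmp files however the script ends, so credentials are not left behind.
trap 'rm -f -- "${FULL_TMP}" "${MIN_TMP}"' EXIT

SECRET_NAME=$(kubectl get serviceaccount "${SERVICE_ACCOUNT_NAME}" \
  --context "${CONTEXT}" \
  --namespace "${NAMESPACE}" \
  -o jsonpath='{.secrets[0].name}')

# Kubernetes 1.24 and later no longer auto-create a token Secret for a service
# account, so .secrets can be empty there. Stop instead of writing a kubeconfig
# with an empty token.
if [ -z "${SECRET_NAME}" ]; then
  echo "No token Secret is listed on service account ${SERVICE_ACCOUNT_NAME} in namespace ${NAMESPACE}" >&2
  exit 1
fi

TOKEN_DATA=$(kubectl get secret "${SECRET_NAME}" \
  --context "${CONTEXT}" \
  --namespace "${NAMESPACE}" \
  -o jsonpath='{.data.token}')

TOKEN=$(printf '%s' "${TOKEN_DATA}" | base64 --decode)

if [ -z "${TOKEN}" ]; then
  echo "Secret ${SECRET_NAME} has no token data" >&2
  exit 1
fi

# Create dedicated kubeconfig
# Create a full copy
kubectl config view --raw > "${FULL_TMP}"

# Switch working context to correct context
kubectl --kubeconfig "${FULL_TMP}" config use-context "${CONTEXT}"

# Minify: keep only the cluster, context and user of the current context
kubectl --kubeconfig "${FULL_TMP}" \
  config view --flatten --minify > "${MIN_TMP}"

# Rename context (nothing to rename when the two names are already the same)
if [ "${CONTEXT}" != "${NEW_CONTEXT}" ]; then
  kubectl config --kubeconfig "${MIN_TMP}" \
    rename-context "${CONTEXT}" "${NEW_CONTEXT}"
fi

# Create token user.
# NOTE(review): the token is passed as a command-line argument, so it is
# briefly visible in the local process list; run this on a trusted machine.
kubectl config --kubeconfig "${MIN_TMP}" \
  set-credentials "${TOKEN_USER}" \
  --token "${TOKEN}"

# Set context to use token user
kubectl config --kubeconfig "${MIN_TMP}" \
  set-context "${NEW_CONTEXT}" --user "${TOKEN_USER}"

# Set context to correct namespace
kubectl config --kubeconfig "${MIN_TMP}" \
  set-context "${NEW_CONTEXT}" --namespace "${NAMESPACE}"

# Flatten/minify kubeconfig; this also drops the operator's original user
# entry, which the context no longer references.
kubectl config --kubeconfig "${MIN_TMP}" \
  view --flatten --minify > "${KUBECONFIG_FILE}"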
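# spinnaker-clusterrolebinding.yml
#
# Binds the Spinnaker service account to the built-in cluster-admin
# ClusterRole, i.e. unrestricted access to every resource in every namespace.
# A kubeconfig generated for this account is then equivalent to a cluster
# administrator credential. Where Spinnaker only deploys to specific
# namespaces, prefer the namespaced Role/RoleBinding in
# spinnaker-role-and-rolebinding-target.yml over this binding.
---
# rbac.authorization.k8s.io/v1beta1 was removed in Kubernetes 1.22; v1 is the
# stable RBAC API and uses the same fields for this object.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: spinnaker-admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    name: spinnaker-service-account
    # Placeholder: replace with the namespace the service account lives in.
    namespace: NAMESPACE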
# spinnaker-role-and-rolebinding-target.yml
#
# Grants the Spinnaker service account access to a single target namespace.
# Apply one copy per namespace Spinnaker should manage.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  # Should be the namespace you are granting access to
  namespace: target
  name: spinnaker-role
rules:
  # Wildcards on groups, resources and verbs make the account a full
  # administrator of this namespace (Secrets and RBAC objects included).
  # NOTE(review): narrow this to the resources Spinnaker actually manages
  # if namespace-admin is broader than intended.
  - apiGroups:
      - "*"
    resources:
      - "*"
    verbs:
      - "*"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  # Should be the namespace you are granting access to
  namespace: target
  name: spinnaker-rolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  # Should match the name of the Role above
  name: spinnaker-role
subjects:
  - kind: ServiceAccount
    # Should match the service account name
    name: spinnaker-service-account
    # Should match the namespace where the service account lives
    namespace: source
# spinnaker-service-account.yml
#
# The identity Spinnaker uses against the cluster. It carries no permissions
# by itself; access comes from the RoleBinding or ClusterRoleBinding that
# names it as a subject.
---
apiVersion: v1
kind: ServiceAccount
metadata:
  # Placeholder: replace with the namespace the account should be created in.
  namespace: NAMESPACE
  name: spinnaker-service-account