Generating a User kubeconfig and using that kubeconfig instead of Cluster Admin for onboarding Arc
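#!/usr/bin/env bash
# Build a kubeconfig for a scoped ServiceAccount and make it the active
# ~/.kube/config in place of the cluster-admin one a fresh cluster gives you.
#
# Prerequisites: kubectl pointed at the cluster with cluster-admin rights, and
# base64. Every kubectl call after the swap runs with the SA's permissions.
set -euo pipefail

# Sample RBAC (ServiceAccount + bindings) for the onboarding identity; any set
# of roles works and the generated kubeconfig simply inherits them.
# NOTE(review): this applies a remote manifest with cluster-admin rights —
# read it before running. The URL is pinned to a commit, so the content cannot
# change underneath you, but it is still third-party YAML.
kubectl apply -f https://gist.githubusercontent.com/mdrakiburrahman/d94613872601c397f3a052492f168827/raw/a7909c131beb02f45970f2b605178859c6882555/tina-onboarder-rbac.yaml

# = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
# Create a kubeconfig for the SA and swap it in for the cluster-admin one
# = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
# The SA lives in `default`; its effective scope is whatever the applied
# manifest binds to it (a ClusterRoleBinding gives it cluster scope).
namespace=default
serviceAccount=arc-data-deployer
clusterName=microk8s-cluster
server=https://172.21.192.194:16443   # replace for every new cluster
kubeconfig="${HOME:?}/.kube/config"

# Look up the SA's auto-generated token Secret. On clusters that no longer
# auto-create one this comes back empty; in that case create a
# kubernetes.io/service-account-token Secret for the SA and set secretName
# to it, rather than letting the script emit a kubeconfig with no token.
secretName=$(kubectl --namespace "$namespace" get serviceaccount "$serviceAccount" -o jsonpath='{.secrets[0].name}')
if [[ -z "$secretName" ]]; then
  printf 'no token Secret found for serviceaccount %s/%s\n' "$namespace" "$serviceAccount" >&2
  exit 1
fi
# ca.crt stays base64 (certificate-authority-data expects it that way); the
# token is decoded because the kubeconfig `token:` field takes the raw bearer
# token.
ca=$(kubectl --namespace "$namespace" get "secret/$secretName" -o jsonpath='{.data.ca\.crt}')
token=$(kubectl --namespace "$namespace" get "secret/$secretName" -o jsonpath='{.data.token}' | base64 --decode)
if [[ -z "$ca" || -z "$token" ]]; then
  printf 'secret %s/%s is missing ca.crt or token\n' "$namespace" "$secretName" >&2
  exit 1
fi

# Set the cluster-admin kubeconfig aside instead of deleting it outright, so
# access is not lost if the generated config turns out to be broken. The
# backup still holds admin credentials: keep it 0600 and delete it once the
# new kubeconfig is confirmed working.
if [[ -f "$kubeconfig" ]]; then
  mv -- "$kubeconfig" "$kubeconfig.cluster-admin.bak"
  chmod 600 "$kubeconfig.cluster-admin.bak"
fi
# With no kubeconfig in place kubectl falls back to localhost:8080 and fails:
#   The connection to the server localhost:8080 was refused - did you specify the right host or port?
kubectl get pods --all-namespaces || true   # expected to fail at this point

# Write the scoped kubeconfig. It holds a long-lived bearer token, so create
# it with mode 0600 (umask in the subshell) and overwrite rather than append —
# appending to an existing file would leave two YAML documents in one file.
mkdir -p -- "${kubeconfig%/*}"
(
  umask 077
  cat > "$kubeconfig" <<EOF
apiVersion: v1
kind: Config
clusters:
- name: ${clusterName}
  cluster:
    certificate-authority-data: ${ca}
    server: ${server}
contexts:
- name: ${serviceAccount}@${clusterName}
  context:
    cluster: ${clusterName}
    namespace: ${namespace}
    user: ${serviceAccount}
users:
- name: ${serviceAccount}
  user:
    token: ${token}
current-context: ${serviceAccount}@${clusterName}
EOF
)
chmod 600 "$kubeconfig"

# From here on every kubectl command runs with the SA's permissions only.
kubectl get pods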