Skip to content

Instantly share code, notes, and snippets.

@mohanpedala
Last active Apr 24, 2019
Embed
What would you like to do?
k8s service accounts
  1. Create service account for user Alice
kubectl create sa alice
  1. Get related secret
secret=$(kubectl get sa alice -o json | jq -r .secrets[].name)
  1. Get ca.crt from secret (using OSX base64 with -D flag for decode)
kubectl get secret $secret -o json | jq -r '.data["ca.crt"]' | base64 -D > ca.crt
  1. Get service account token from secret
user_token=$(kubectl get secret $secret -o json | jq -r '.data["token"]' | base64 -D)
  1. Get information from your kubectl config (current-context, server..)
# get current context
c=`kubectl config current-context`

# get cluster name of context
name=`kubectl config get-contexts $c | awk '{print $3}' | tail -n 1`

# get endpoint of current context 
endpoint=`kubectl config view -o jsonpath="{.clusters[?(@.name == \"$name\")].cluster.server}"`
On a fresh machine, follow these steps (given the ca.cert and $endpoint information retrieved above:
Pre-req for following steps:
    - Kubectl
  1. Set cluster (run in directory where ca.crt is stored)
kubectl config set-cluster cluster-staging \
  --embed-certs=true \
  --server=$endpoint \
  --certificate-authority=./ca.crt
  1. Set user credentials
kubectl config set-credentials alice-staging --token=$user_token
  1. Define the combination of alice user with the staging cluster
kubectl config set-context alice-staging \
  --cluster=cluster-staging \
  --user=alice-staging \
  --namespace=alice
  1. Switch current-context to alice-staging for the user
kubectl config use-context alice-staging
  1. To control user access with policies (using ABAC), you need to create a policy file (for example):
{
  "apiVersion": "abac.authorization.kubernetes.io/v1beta1",
  "kind": "Policy",
  "spec": {
    "user": "system:serviceaccount:default:alice",
    "namespace": "default",
    "resource": "*",
    "readonly": true
  }
}
  1. Provision this policy.json on every master node and add --authorization-mode=ABAC --authorization-policy-file=/path/to/policy.json flags to API servers
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment