-
kubectl create namespace kubernetes-plugin-test
-
kubectl apply -n kubernetes-plugin-test -f service-account.yml
- service-account.yml
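# Identity that Jenkins uses to authenticate to the Kubernetes API.
# No namespace is set here; the page applies this file with
# `-n kubernetes-plugin-test`, which decides where the account is created.
apiVersion: v1
kind: ServiceAccount
metadata:
  # Nested under metadata; at column 0 `name` would be a stray top-level key.
  name: jenkins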
---
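# Namespaced permissions granted to the jenkins ServiceAccount.
# rbac.authorization.k8s.io/v1beta1 is no longer served as of Kubernetes 1.22;
# v1 has the same schema for Role.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: jenkins
rules:
  # Full lifecycle control over pods in the namespace.
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
  # `create` on pods/exec lets the token holder run commands inside any pod in
  # this namespace, not only pods that Jenkins started.
  # NOTE(review): confirm every verb listed here is needed.
  - apiGroups: [""]
    resources: ["pods/exec"]
    verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
  # Read-only access to pod logs.
  - apiGroups: [""]
    resources: ["pods/log"]
    verbs: ["get", "list", "watch"]
  # `get` without resourceNames allows reading any Secret in the namespace by
  # name, including other ServiceAccounts' token Secrets. Keep this namespace
  # dedicated to Jenkins, or restrict the rule with resourceNames.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get"]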
---
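# Binds the jenkins Role to the jenkins ServiceAccount.
# rbac.authorization.k8s.io/v1beta1 is no longer served as of Kubernetes 1.22;
# v1 has the same schema for RoleBinding.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: jenkins
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: jenkins
subjects:
  # No namespace is given for the subject; the page applies this file with
  # `-n kubernetes-plugin-test`, so the binding and the ServiceAccount are
  # created in the same namespace.
  - kind: ServiceAccount
    name: jenkins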
- Extract ca.crt and the token from the ServiceAccount's secret using this script:
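#!/bin/bash
# Prints the bearer token of the jenkins ServiceAccount and writes the cluster
# CA certificate to /tmp/ca.crt, for pasting into the Jenkins configuration.
# Requires kubectl, jq and base64.

# Stop on the first failed command or unset variable instead of printing
# empty values further down.
set -euo pipefail

SERVICE_ACCOUNT="jenkins"
NAMESPACE="kubernetes-plugin-test"

# Name of the token Secret listed on the ServiceAccount. `[]?` keeps jq quiet
# when the list is absent; the emptiness check below reports that case.
SECRET=$(kubectl get serviceaccount "$SERVICE_ACCOUNT" -n "$NAMESPACE" -o json \
  | jq -Mr '.secrets[]? | .name | select(contains("token"))')

# Kubernetes 1.24 and later do not auto-create a token Secret for a
# ServiceAccount, so the list can be empty on such clusters.
if [ -z "$SECRET" ]; then
  echo "No token secret is listed on serviceaccount $SERVICE_ACCOUNT in namespace $NAMESPACE" >&2
  exit 1
fi

# The token is a bearer credential carrying the permissions bound to the
# ServiceAccount. It is printed to stdout, so it ends up in terminal
# scrollback and in any log that captures this output.
TOKEN=$(kubectl get secret "$SECRET" -n "$NAMESPACE" -o json | jq -Mr '.data.token' | base64 -d)
echo
echo "$TOKEN"
echo

# ca.crt is the cluster CA certificate (public material). /tmp is
# world-writable, so on a shared host a path in a private directory is safer.
kubectl get secret "$SECRET" -n "$NAMESPACE" -o json | jq -Mr '.data["ca.crt"]' | base64 -d > /tmp/ca.crt
cat /tmp/ca.crt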
- The script's output will look something like this:
eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.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.pGqSNoN3cgctv_FlzYMSLZX94vHgR4qNuORzYGaXmcy-VpjW4U6CJpvOKgJ0wzHOlb0aESH1kgumiFqsti-41yB_woTJIqQ3OY_-SwBXISP6razdGL5d0KJcFk0dIjLQAViWgqFeP09CAU1-eR3atJrVGCBiUI79uo1fSZ3sKRRRievcX4pu0ec-IxOvgJ399ePTfIo4adp54SbGTAsaSyapIU53wg15y2fGcurvPcb1JAdk7Ryq7T4VoCA5mV-Xcewe7SG6N4cknFyQVFqVII-JPaa2__loqOyjG0dLxUfW4fKpA_Op0eXxsYUoyBEK57c6yRGc5D0Easju9xM3SQ
-----BEGIN CERTIFICATE-----
MIIC5zCCAc+gAwIBAgIBATANBgkqhkiG9w0BAQsFADAVMRMwEQYDVQQDEwptaW5p
a3ViZUNBMB4XDTE4MDYxMjA3MjEyM1oXDTI4MDYwOTA3MjEyM1owFTETMBEGA1UE
AxMKbWluaWt1YmVDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALFp
Tw/HoXvVdUQgfIMhAUu5JMCtoLTi22NMHEnZgjxXYQ+zev/e4wOEuShp/9fyITox
5TJg47s97uQzmwZzFxI3iixbnnyGigcgvEZ+VBXng3ka17bSgb5fakJl/WcKTVrT
RM+cC6U6ymyqr21+hWhNliG3ZEAJ8zlnQIrCSsZZ7YY24Ux+opL7ivH+D42KivRh
2AYOMwz+J/YLE5vUL1cjuIAIlvx8SBnXIY0Fxo/g1FQTyX++0SpVFAYG/mADQhBL
hdTQWY4RyMUOVnNqEalUQnaSoDRYfEJapuQxGUIXBbAykmHPobwXpGzDz4Zt3TcF
2C6VT7Ml7KX47N3NoF0CAwEAAaNCMEAwDgYDVR0PAQH/BAQDAgKkMB0GA1UdJQQW
MBQGCCsGAQUFBwMCBggrBgEFBQcDATAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3
DQEBCwUAA4IBAQCXrA6na+UIgYJRsrTrbSqimrZzz3067KlLVBpGQHdWx45LAmo5
aeekpFXHlgh4+pXmoME/QW0d8rz2DCbWl9+/P9h3zNeMG+K6ZiMnvsBVrqatp+h3
P+bIj8p9neQQruTuZcYUA8BNpCcmPIHz4TaRn4rI4SQsIObgjOcYynF6rVDnP8nk
+4SVu8nI/My3jqwhB7uYydwgWSVGkuaED0AJ5YexjiZ+NcD3F9VlrYHxcjqevtlS
H/heMiUyFhjps7q8Rli8H0fLX7K0GK8V9vO9XT5+7DN0dAvXnGHijuRYgm6lfpDF
m5DtzckYlHxbj1hIEnEMaIVRn+mLTXluLxTd
-----END CERTIFICATE-----
-
Create a Jenkins credential of type "Secret Text" and put the token in it.
-
Go to the Kubernetes plugin configuration in Jenkins, paste the certificate, and select the credential.