Script Usage instruction.
chmod +x sa-kubeconfig-gen.sh
./sa-kubeconfig-gen.sh user-sa staging rbac-user-role.yaml
Last active
December 20, 2022 03:54
-
-
Save ragul28/484a527fc20d881c025eee671281537b to your computer and use it in GitHub Desktop.
kubeconfig generator script for service account with RBAC.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| set -e | |
| set -o pipefail | |
| # Add user to k8s using service account, RBAC role file needed | |
| if [[ -z "$1" ]] || [[ -z "$2" ]] || [[ -z "$3" ]]; then | |
| echo "usage: $0 <service_account_name> <namespace> [rbac-role-yaml]" | |
| exit 1 | |
| fi | |
| SERVICE_ACCOUNT_NAME=$1 | |
| NAMESPACE="$2" | |
| RBAC_ROLE_YAML=$3 | |
| KUBECFG_FILE_NAME="./kube/k8s-${SERVICE_ACCOUNT_NAME}-${NAMESPACE}-conf" | |
| TARGET_FOLDER="./kube" | |
| create_target_folder() { | |
| echo -n "Creating target directory to hold files in ${TARGET_FOLDER}..." | |
| mkdir -p "${TARGET_FOLDER}" | |
| printf "done" | |
| } | |
| create_service_account() { | |
| echo -e "\\nCreating a service account in ${NAMESPACE} namespace: ${SERVICE_ACCOUNT_NAME}" | |
| kubectl create sa "${SERVICE_ACCOUNT_NAME}" --namespace "${NAMESPACE}" | |
| } | |
| create_rbac_role() { | |
| echo -e "\\nCreating a rbac role in ${NAMESPACE} namespace: ${RBAC_ROLE_YAML}" | |
| kubectl create -f $RBAC_ROLE_YAML --namespace "${NAMESPACE}" | |
| } | |
| get_secret_name_from_service_account() { | |
| echo -e "\\nGetting secret of service account ${SERVICE_ACCOUNT_NAME} on ${NAMESPACE}" | |
| SECRET_NAME=$(kubectl get sa "${SERVICE_ACCOUNT_NAME}" --namespace="${NAMESPACE}" -o json | jq -r .secrets[].name) | |
| echo "Secret name: ${SECRET_NAME}" | |
| } | |
| extract_ca_crt_from_secret() { | |
| echo -e -n "\\nExtracting ca.crt from secret..." | |
| kubectl get secret --namespace "${NAMESPACE}" "${SECRET_NAME}" -o json | jq \ | |
| -r '.data["ca.crt"]' | base64 -d > "${TARGET_FOLDER}/ca.crt" | |
| printf "done" | |
| } | |
| get_user_token_from_secret() { | |
| echo -e -n "\\nGetting user token from secret..." | |
| USER_TOKEN=$(kubectl get secret --namespace "${NAMESPACE}" "${SECRET_NAME}" -o json | jq -r '.data["token"]' | base64 -d) | |
| printf "done" | |
| } | |
| set_kube_config_values() { | |
| context=$(kubectl config current-context) | |
| echo -e "\\nSetting current context to: $context" | |
| CLUSTER_NAME=$(kubectl config get-contexts "$context" | awk '{print $3}' | tail -n 1) | |
| echo "Cluster name: ${CLUSTER_NAME}" | |
| ENDPOINT=$(kubectl config view \ | |
| -o jsonpath="{.clusters[?(@.name == \"${CLUSTER_NAME}\")].cluster.server}") | |
| echo "Endpoint: ${ENDPOINT}" | |
| # Set up the config | |
| echo -e "\\nPreparing k8s-${SERVICE_ACCOUNT_NAME}-${NAMESPACE}-conf" | |
| echo -n "Setting a cluster entry in kubeconfig..." | |
| kubectl config set-cluster "${CLUSTER_NAME}" \ | |
| --kubeconfig="${KUBECFG_FILE_NAME}" \ | |
| --server="${ENDPOINT}" \ | |
| --certificate-authority="${TARGET_FOLDER}/ca.crt" \ | |
| --embed-certs=true | |
| echo -n "Setting token credentials entry in kubeconfig..." | |
| kubectl config set-credentials \ | |
| "${SERVICE_ACCOUNT_NAME}-${NAMESPACE}-${CLUSTER_NAME}" \ | |
| --kubeconfig="${KUBECFG_FILE_NAME}" \ | |
| --token="${USER_TOKEN}" | |
| echo -n "Setting a context entry in kubeconfig..." | |
| kubectl config set-context \ | |
| "${SERVICE_ACCOUNT_NAME}-${NAMESPACE}-${CLUSTER_NAME}" \ | |
| --kubeconfig="${KUBECFG_FILE_NAME}" \ | |
| --cluster="${CLUSTER_NAME}" \ | |
| --user="${SERVICE_ACCOUNT_NAME}-${NAMESPACE}-${CLUSTER_NAME}" \ | |
| --namespace="${NAMESPACE}" | |
| echo -n "Setting the current-context in the kubeconfig file..." | |
| kubectl config use-context "${SERVICE_ACCOUNT_NAME}-${NAMESPACE}-${CLUSTER_NAME}" \ | |
| --kubeconfig="${KUBECFG_FILE_NAME}" | |
| } | |
| create_target_folder | |
| create_service_account | |
| create_rbac_role | |
| get_secret_name_from_service_account | |
| extract_ca_crt_from_secret | |
| get_user_token_from_secret | |
| set_kube_config_values | |
| echo -e "\\nAll done! Test with:" | |
| echo "KUBECONFIG=${KUBECFG_FILE_NAME} kubectl get pods" | |
| KUBECONFIG=${KUBECFG_FILE_NAME} kubectl get pods |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| kind: Role | |
| apiVersion: rbac.authorization.k8s.io/v1 | |
| metadata: | |
| name: user-role | |
| rules: | |
| - apiGroups: ["extensions", "apps"] | |
| resources: ["deployments"] | |
| verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] | |
| - apiGroups: [""] | |
| resources: ["pods"] | |
| verbs: ["get", "list", "watch"] | |
| - apiGroups: [""] | |
| resources: ["services"] | |
| verbs: ["create", "get", "list", "patch", "update", "delete"] | |
| --- | |
| apiVersion: rbac.authorization.k8s.io/v1 | |
| kind: RoleBinding | |
| metadata: | |
| name: user-rolebinding | |
| subjects: | |
| - kind: ServiceAccount | |
| name: user-sa | |
| roleRef: | |
| kind: Role | |
| name: user-role | |
| apiGroup: rbac.authorization.k8s.io |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment