Script Usage instruction.
chmod +x sa-kubeconfig-gen.sh
./sa-kubeconfig-gen.sh user-sa staging rbac-user-role.yaml
#!/bin/bash | |
set -e | |
set -o pipefail | |
# Add user to k8s using service account, RBAC role file needed | |
if [[ -z "$1" ]] || [[ -z "$2" ]] || [[ -z "$3" ]]; then | |
echo "usage: $0 <service_account_name> <namespace> [rbac-role-yaml]" | |
exit 1 | |
fi | |
SERVICE_ACCOUNT_NAME=$1 | |
NAMESPACE="$2" | |
RBAC_ROLE_YAML=$3 | |
KUBECFG_FILE_NAME="./kube/k8s-${SERVICE_ACCOUNT_NAME}-${NAMESPACE}-conf" | |
TARGET_FOLDER="./kube" | |
create_target_folder() { | |
echo -n "Creating target directory to hold files in ${TARGET_FOLDER}..." | |
mkdir -p "${TARGET_FOLDER}" | |
printf "done" | |
} | |
create_service_account() { | |
echo -e "\\nCreating a service account in ${NAMESPACE} namespace: ${SERVICE_ACCOUNT_NAME}" | |
kubectl create sa "${SERVICE_ACCOUNT_NAME}" --namespace "${NAMESPACE}" | |
} | |
create_rbac_role() { | |
echo -e "\\nCreating a rbac role in ${NAMESPACE} namespace: ${RBAC_ROLE_YAML}" | |
kubectl create -f $RBAC_ROLE_YAML --namespace "${NAMESPACE}" | |
} | |
get_secret_name_from_service_account() { | |
echo -e "\\nGetting secret of service account ${SERVICE_ACCOUNT_NAME} on ${NAMESPACE}" | |
SECRET_NAME=$(kubectl get sa "${SERVICE_ACCOUNT_NAME}" --namespace="${NAMESPACE}" -o json | jq -r .secrets[].name) | |
echo "Secret name: ${SECRET_NAME}" | |
} | |
extract_ca_crt_from_secret() { | |
echo -e -n "\\nExtracting ca.crt from secret..." | |
kubectl get secret --namespace "${NAMESPACE}" "${SECRET_NAME}" -o json | jq \ | |
-r '.data["ca.crt"]' | base64 -d > "${TARGET_FOLDER}/ca.crt" | |
printf "done" | |
} | |
get_user_token_from_secret() { | |
echo -e -n "\\nGetting user token from secret..." | |
USER_TOKEN=$(kubectl get secret --namespace "${NAMESPACE}" "${SECRET_NAME}" -o json | jq -r '.data["token"]' | base64 -d) | |
printf "done" | |
} | |
set_kube_config_values() { | |
context=$(kubectl config current-context) | |
echo -e "\\nSetting current context to: $context" | |
CLUSTER_NAME=$(kubectl config get-contexts "$context" | awk '{print $3}' | tail -n 1) | |
echo "Cluster name: ${CLUSTER_NAME}" | |
ENDPOINT=$(kubectl config view \ | |
-o jsonpath="{.clusters[?(@.name == \"${CLUSTER_NAME}\")].cluster.server}") | |
echo "Endpoint: ${ENDPOINT}" | |
# Set up the config | |
echo -e "\\nPreparing k8s-${SERVICE_ACCOUNT_NAME}-${NAMESPACE}-conf" | |
echo -n "Setting a cluster entry in kubeconfig..." | |
kubectl config set-cluster "${CLUSTER_NAME}" \ | |
--kubeconfig="${KUBECFG_FILE_NAME}" \ | |
--server="${ENDPOINT}" \ | |
--certificate-authority="${TARGET_FOLDER}/ca.crt" \ | |
--embed-certs=true | |
echo -n "Setting token credentials entry in kubeconfig..." | |
kubectl config set-credentials \ | |
"${SERVICE_ACCOUNT_NAME}-${NAMESPACE}-${CLUSTER_NAME}" \ | |
--kubeconfig="${KUBECFG_FILE_NAME}" \ | |
--token="${USER_TOKEN}" | |
echo -n "Setting a context entry in kubeconfig..." | |
kubectl config set-context \ | |
"${SERVICE_ACCOUNT_NAME}-${NAMESPACE}-${CLUSTER_NAME}" \ | |
--kubeconfig="${KUBECFG_FILE_NAME}" \ | |
--cluster="${CLUSTER_NAME}" \ | |
--user="${SERVICE_ACCOUNT_NAME}-${NAMESPACE}-${CLUSTER_NAME}" \ | |
--namespace="${NAMESPACE}" | |
echo -n "Setting the current-context in the kubeconfig file..." | |
kubectl config use-context "${SERVICE_ACCOUNT_NAME}-${NAMESPACE}-${CLUSTER_NAME}" \ | |
--kubeconfig="${KUBECFG_FILE_NAME}" | |
} | |
create_target_folder | |
create_service_account | |
create_rbac_role | |
get_secret_name_from_service_account | |
extract_ca_crt_from_secret | |
get_user_token_from_secret | |
set_kube_config_values | |
echo -e "\\nAll done! Test with:" | |
echo "KUBECONFIG=${KUBECFG_FILE_NAME} kubectl get pods" | |
KUBECONFIG=${KUBECFG_FILE_NAME} kubectl get pods |
kind: Role | |
apiVersion: rbac.authorization.k8s.io/v1 | |
metadata: | |
name: user-role | |
rules: | |
- apiGroups: ["extensions", "apps"] | |
resources: ["deployments"] | |
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] | |
- apiGroups: [""] | |
resources: ["pods"] | |
verbs: ["get", "list", "watch"] | |
- apiGroups: [""] | |
resources: ["services"] | |
verbs: ["create", "get", "list", "patch", "update", "delete"] | |
--- | |
apiVersion: rbac.authorization.k8s.io/v1 | |
kind: RoleBinding | |
metadata: | |
name: user-rolebinding | |
subjects: | |
- kind: ServiceAccount | |
name: user-sa | |
roleRef: | |
kind: Role | |
name: user-role | |
apiGroup: rbac.authorization.k8s.io |
Script Usage instruction.
chmod +x sa-kubeconfig-gen.sh
./sa-kubeconfig-gen.sh user-sa staging rbac-user-role.yaml