Create a Kyma service account

The kubeconfig file that you are currently using is based on your User Account, which represents a user that has been logged in the Kyma dashboard when you downloaded the kubeconfig.

This tutorial will show you how to create a new kubeconfig file based on a service account. In contrast to the kubeconfig file from the Kyma dashboard, this token is not based on a user and is well-suited for scenarios like CI/CD pipelines. Please note that this could be a potential security issue.

Service accounts are bound to a namespace, so we need to create a new namespace before any service account can be created. Run the following command the create a new namespace “tutorial”:

kubectl create namespace tutorial

A service account alone won’t do the job. You also need to define a Kubernetes Role or ClusterRole that contains all the desired permissions, which will be assigned to the service account using a RoleBinding or a ClusterRoleBinding. In this example a ClusterRole will be created which provides cluster wide access. A Role would be used if access to only a single namespace is desired. You need to create all three artifacts to use a service account via kubectl.

1. Create a new file called tutorial-sa.yaml with the following payload to create all artifacts (service account, role, role binding, and a ConfigMap for verification).

   YAML

   Copy

   apiVersion: v1
   kind: ServiceAccount
   metadata:
     name: tutorial-service-account
   ---
   kind: ClusterRole
   apiVersion: rbac.authorization.k8s.io/v1
   metadata:
     name: tutorial-role
   rules:
     - apiGroups:
         - ""
         - extensions
         - batch
         - apps
         - gateway.kyma-project.io
         - servicecatalog.k8s.io
       resources:
         - deployments
         - replicasets
         - pods
         - jobs
         - configmaps
         - apirules
         - serviceinstances
         - servicebindings
         - services
         - secrets
       verbs:
         - create
         - update
         - patch
         - delete
         - get
         - list
   ---
   kind: ClusterRoleBinding
   apiVersion: rbac.authorization.k8s.io/v1
   metadata:
     name: tutorial-role-binding
   subjects:
     - kind: ServiceAccount
       name: tutorial-service-account
       namespace: tutorial
   roleRef:
     kind: ClusterRole
     name: tutorial-role
     apiGroup: rbac.authorization.k8s.io
   ---
   apiVersion: v1
   kind: ConfigMap
   metadata:
     name: tutorial-config-map
   data:
     out: "Congrats, you completed the tutorial successfully!"
   

   Note that the rules section specified the permissions of the service account. Modify this section to adjust the role to your needs.

2. Create a service account based on the file.

   Bash

   Copy

   kubectl apply -f tutorial-sa.yaml -n tutorial
   

The kubeconfig file that we want to create must look similar to this:

apiVersion: v1
kind: Config
preferences: {}
clusters:
- cluster:
    certificate-authority-data:
    server: https://apiserver.<id>.kyma.ondemand.com
  name: <id>.kyma.ondemand.com
users:
- name:
  user:
    token:  
contexts:
- context:
    cluster: <id>.kyma.ondemand.com
    user:
  name: <id>.kyma.ondemand.com
current-context: <id>.kyma.ondemand.com

You can see that this file is moderately easy to read. The configuration file defines clusters (the location of the system), users (with authentication tokens), and contexts (to map users to clusters).

Go to the next step to learn how to fill this template with the proper values.

Now that you understand how the kubeconfig file is structured, create a new one that leverages your just created service account.

Besides the service account, you also created ConfigMap in step 2. Let’s try to read a value from this map to check if the new kubeconfig is working:

kubectl get configmap -n tutorial tutorial-config-map -o jsonpath='{.data.out}'