Create a Kyma service account

- What Kubernetes service accounts are used for
- How to create a new service account
- How to replace the kubeconfig

- Step 1
The kubeconfig file that you are currently using is based on your User Account, which represents the user that was logged in to the Kyma dashboard when you downloaded the kubeconfig. This tutorial shows you how to create a new kubeconfig file based on a service account. In contrast to the kubeconfig file from the Kyma dashboard, this token is not tied to a user and is well-suited for scenarios like CI/CD pipelines. Note that a token that is not tied to a user is a potential security issue if it is exposed.

Service accounts are bound to a namespace, so you need to create a new namespace before any service account can be created. Run the following command to create a new namespace "tutorial":

```bash
kubectl create namespace tutorial
```
- Step 2
A service account alone is not enough. You also need to define a Kubernetes Role or ClusterRole that contains all the desired permissions, which is assigned to the service account using a RoleBinding or a ClusterRoleBinding. In this example a ClusterRole is created, which provides cluster-wide access. A Role would be used if access to only a single namespace is desired. Additionally, a secret needs to be created, which can be generated to contain either a short-lived or a long-lived token. In this example a long-lived token is created. You need to create all four artifacts to use a service account.

- Create a new file called tutorial-sa.yaml with the following payload to create all artifacts (service account, secret, role, role binding, and a ConfigMap for verification).

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: tutorial-service-account
---
apiVersion: v1
kind: Secret
metadata:
  name: tutorial-service-account
  annotations:
    kubernetes.io/service-account.name: tutorial-service-account
type: kubernetes.io/service-account-token
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: tutorial-role
rules:
- apiGroups:
  - ""
  - extensions
  - batch
  - apps
  - gateway.kyma-project.io
  - servicecatalog.k8s.io
  resources:
  - deployments
  - replicasets
  - pods
  - jobs
  - configmaps
  - apirules
  - serviceinstances
  - servicebindings
  - services
  - secrets
  verbs:
  - create
  - update
  - patch
  - delete
  - get
  - list
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: tutorial-role-binding
subjects:
- kind: ServiceAccount
  name: tutorial-service-account
  namespace: tutorial
roleRef:
  kind: ClusterRole
  name: tutorial-role
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: tutorial-config-map
data:
  out: "Congrats, you completed the tutorial successfully!"
```

  Note that the rules section specifies the permissions of the service account. Modify this section to adjust the role to your needs.

- Create the service account and the other artifacts based on the file.

```bash
kubectl apply -f tutorial-sa.yaml -n tutorial
```
- Step 3
The kubeconfig file that we want to create must look similar to this:

```yaml
apiVersion: v1
kind: Config
preferences: {}
clusters:
- cluster:
    certificate-authority-data:
    server: https://apiserver.<id>.kyma.ondemand.com
  name: <id>.kyma.ondemand.com
users:
- name:
  user:
    token:
contexts:
- context:
    cluster: <id>.kyma.ondemand.com
    user:
  name: <id>.kyma.ondemand.com
current-context: <id>.kyma.ondemand.com
```

You can see that this file is moderately easy to read. The configuration file defines clusters (the location of the system), users (with authentication tokens), and contexts (to map users to clusters).
Go to the next step to learn how to fill this template with the proper values.
- Step 4
Now that you understand how the kubeconfig file is structured, create a new one that leverages the service account you just created.

- Step 5
Besides the service account, you also created a ConfigMap in step 2. Let's try to read a value from this map to check that the new kubeconfig is working:

```shell
kubectl get configmap -n tutorial tutorial-config-map -o jsonpath='{.data.out}'
```

What output do you see?