Beginner
- Developers
- Tutorials
- Create a Kyma service account
Create a Kyma service account
-
Join the conversation on Facebook -
Join the conversation on Twitter -
Subscribe to the YouTube Channel -
Join the conversation on LinkedIn -
View our projects on GitHub -
Share via email
Create a Kyma service account
Learn how to create a Kubernetes service account that you can leverage to interact with your Kyma cluster.
You will learn
- What Kubernetes service accounts are used for
- How to create a new service account
- How to replace the
kubeconfig
Step 1: Create a namespace
The kubeconfig file that you are currently using is based on your User Account, which represents a user that has been logged in the Kyma dashboard when you downloaded the kubeconfig. This file contains a token that expires after 8 hours.
This tutorial will show you how to create a new kubeconfig file based on a service account. In contrast to the kubeconfig file from the Kyma dashboard, this token won’t expire every 8 hours and are therefore well-suited for scenarios like CI/CD pipelines. Please note that this could be a potential security issue.
Service accounts are bound to a namespace, so we need to create a new namespace before any service account can be created. Run the following command the create a new namespace “tutorial”:
kubectl create namespace tutorial
Done
Log on to answer question
Step 2: Create a service account
A service account alone won’t do the job. You also need to define a role that contains all the desired permissions and assign it to a service account with a role binding. You need to create all three artifacts to use a service account via kubectl.
-
Create a new file called
tutorial-sa.yamlwith the following payload to create all artifacts (service account, role, role binding, and aConfigMapfor verification).apiVersion: v1 kind: ServiceAccount metadata: name: tutorial-service-account --- kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: name: tutorial-role rules: - apiGroups: - "" - extensions - batch - apps - gateway.kyma-project.io - servicecatalog.k8s.io resources: - deployments - replicasets - pods - jobs - configmaps - apirules - serviceinstances - servicebindings - services - secrets verbs: - create - update - patch - delete - get - list --- kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: tutorial-role-binding subjects: - kind: ServiceAccount name: tutorial-service-account roleRef: kind: Role name: tutorial-role apiGroup: rbac.authorization.k8s.io --- apiVersion: v1 kind: ConfigMap metadata: name: tutorial-config-map data: out: "Congrats, you completed the tutorial successfully!"Note that the
rulessection specified the permissions of the service account. Modify this section to adjust the role to your needs. -
Create a service account based on the file.
kubectl apply -f tutorial-sa.yaml -n tutorial
Done
Log on to answer question
Step 3: Understand the structure of the configuration file
The kubeconfig file that we want to create must look similar to this:
apiVersion: v1
kind: Config
preferences: {}
clusters:
- cluster:
certificate-authority-data:
server: https://apiserver.<id>.kyma.shoot.live.k8s-hana.ondemand.com
name: <id>.kyma.shoot.live.k8s-hana.ondemand.com
users:
- name:
user:
token:
contexts:
- context:
cluster: <id>.kyma.shoot.live.k8s-hana.ondemand.com
user:
name: <id>.kyma.shoot.live.k8s-hana.ondemand.com
current-context: <id>.kyma.shoot.live.k8s-hana.ondemand.com
You can see that this file is moderately easy to read. The configuration file defines clusters (the location of the system), users (with authentication tokens), and contexts (to map users to clusters).
Go to the next step to learn how to fill this template with the proper values.
Done
Log on to answer question
Step 4: Create a new kubeconfig
Now that you understand how the kubeconfig file is structured, create a new one that leverages your just created service account.
-
Create a temporary file
temp.ps1that will fetch all required information and create thekubeconfigfile.$API_SERVER_URL = kubectl config current-context $SECRET_NAME = kubectl get sa -n tutorial tutorial-service-account -ojsonpath='{.secrets[0].name}' $CA = kubectl get secret/$SECRET_NAME -n tutorial -o jsonpath='{.data.ca\.crt}' $TOKEN = kubectl get secret/$SECRET_NAME -n tutorial -o jsonpath='{.data.token}' $DEC_TOKEN = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($TOKEN)) Add-Content -Path kubeconfig.yaml @" apiVersion: v1 kind: Config clusters: - name: default-cluster cluster: certificate-authority-data: $CA server: https://api.$API_SERVER_URL users: - name: default-user user: token: $DEC_TOKEN contexts: - name: default-context context: cluster: default-cluster namespace: default user: default-user current-context: default-context "@ Write-Host "Finished" -
Run the following commands in PowerShell to replace the current
kubeconfigfile:You can use
Set-ExecutionPolicy Unrestrictedto change the execution policy if needed..\temp.ps1 cp .\kubeconfig.yaml ~/.kube/configThe default location for
kubeconfigmight vary depending on yourkubectlinstallation.
-
Create a temporary file
temp.shthat will fetch all required information and print the content of thekubeconfigfile.# API server URL is api.KYMA_CLUSTER_DOMAIN API_SERVER_URL=$(kubectl config current-context) # the name of the secret containing the service account token goes here SECRET_NAME=$(kubectl get sa -n tutorial tutorial-service-account -ojsonpath='{.secrets[0].name}') CA=$(kubectl get secret/${SECRET_NAME} -n tutorial -o jsonpath='{.data.ca\.crt}') TOKEN=$(kubectl get secret/${SECRET_NAME} -n tutorial -o jsonpath='{.data.token}' | base64 --decode) echo " apiVersion: v1 kind: Config clusters: - name: default-cluster cluster: certificate-authority-data: ${CA} server: https://api.${API_SERVER_URL} users: - name: default-user user: token: ${TOKEN} contexts: - name: default-context context: cluster: default-cluster namespace: default user: default-user current-context: default-context " -
Run the following commands to replace the current
kubeconfigfile:chmod +x temp.sh ./temp.sh > tutorial-kubeconfig.yaml cp tutorial-kubeconfig.yaml ~/.kube/configAlternatively, you can write the content to a new file and export the path to this file
export KUBECONFIG=./tutorial-kubeconfig.yaml.The default location for
kubeconfigmight vary depending on yourkubectlinstallation.
Done
Log on to answer question
Step 5: Read the config map
Besides the service account, you also created ConfigMap in step 2. Let’s try to read a value from this map to check if the new kubeconfig is working:
kubectl get configmap -n tutorial tutorial-config-map -o jsonpath='{.data.out}'
×