Skip to Content

Create a Kyma service account

Learn how to create a Kubernetes service account that you can leverage to interact with your Kyma cluster.
You will learn
  • What Kubernetes service accounts are used for
  • How to create a new service account
  • How to replace the kubeconfig
IObertMarius ObertMarch 8, 2022
Created by
IObert
January 14, 2021
Contributors
IObert
  • Step 1

    The kubeconfig file that you are currently using is based on your User Account, which represents a user that has been logged in the Kyma dashboard when you downloaded the kubeconfig.

    This tutorial will show you how to create a new kubeconfig file based on a service account. In contrast to the kubeconfig file from the Kyma dashboard, this token is not based on a user and is well-suited for scenarios like CI/CD pipelines. Please note that this could be a potential security issue.

    Service accounts are bound to a namespace, so we need to create a new namespace before any service account can be created. Run the following command the create a new namespace “tutorial”:

    Bash
    Copy
    kubectl create namespace tutorial
    
  • Step 2

    A service account alone won’t do the job. You also need to define a Kubernetes Role or ClusterRole that contains all the desired permissions, which will be assigned to the service account using a RoleBinding or a ClusterRoleBinding. In this example a ClusterRole will be created which provides cluster wide access. A Role would be used if access to only a single namespace is desired. You need to create all three artifacts to use a service account via kubectl.

    1. Create a new file called tutorial-sa.yaml with the following payload to create all artifacts (service account, role, role binding, and a ConfigMap for verification).

      YAML
      Copy
      apiVersion: v1
      kind: ServiceAccount
      metadata:
        name: tutorial-service-account
      ---
      kind: ClusterRole
      apiVersion: rbac.authorization.k8s.io/v1
      metadata:
        name: tutorial-role
      rules:
        - apiGroups:
            - ""
            - extensions
            - batch
            - apps
            - gateway.kyma-project.io
            - servicecatalog.k8s.io
          resources:
            - deployments
            - replicasets
            - pods
            - jobs
            - configmaps
            - apirules
            - serviceinstances
            - servicebindings
            - services
            - secrets
          verbs:
            - create
            - update
            - patch
            - delete
            - get
            - list
      ---
      kind: ClusterRoleBinding
      apiVersion: rbac.authorization.k8s.io/v1
      metadata:
        name: tutorial-role-binding
      subjects:
        - kind: ServiceAccount
          name: tutorial-service-account
          namespace: tutorial
      roleRef:
        kind: ClusterRole
        name: tutorial-role
        apiGroup: rbac.authorization.k8s.io
      ---
      apiVersion: v1
      kind: ConfigMap
      metadata:
        name: tutorial-config-map
      data:
        out: "Congrats, you completed the tutorial successfully!"
      

      Note that the rules section specified the permissions of the service account. Modify this section to adjust the role to your needs.

    2. Create a service account based on the file.

      Bash
      Copy
      kubectl apply -f tutorial-sa.yaml -n tutorial
      
  • Step 3

    The kubeconfig file that we want to create must look similar to this:

    YAML
    Copy
    apiVersion: v1
    kind: Config
    preferences: {}
    clusters:
    - cluster:
        certificate-authority-data:
        server: https://apiserver.<id>.kyma.ondemand.com
      name: <id>.kyma.ondemand.com
    users:
    - name:
      user:
        token:  
    contexts:
    - context:
        cluster: <id>.kyma.ondemand.com
        user:
      name: <id>.kyma.ondemand.com
    current-context: <id>.kyma.ondemand.com
    

    You can see that this file is moderately easy to read. The configuration file defines clusters (the location of the system), users (with authentication tokens), and contexts (to map users to clusters).

    Go to the next step to learn how to fill this template with the proper values.

  • Step 4

    Now that you understand how the kubeconfig file is structured, create a new one that leverages your just created service account.

    1. Create a temporary file temp.ps1 that will fetch all required information and create the kubeconfig file.

      PowerShell
      Copy
      $ns = "tutorial"
      $API_SERVER_URL = kubectl config view -o=jsonpath='{.clusters[].cluster.server}'
      
      $SECRET_NAME = kubectl get sa -n $ns $id-tutorial-service-account -o jsonpath='{.secrets[0].name}'
      
      $CA = kubectl get secret/$SECRET_NAME -n $ns -o jsonpath='{.data.ca\.crt}'
      
      $TOKEN = kubectl get secret/$SECRET_NAME -n $ns -o jsonpath='{.data.token}'
      $DEC_TOKEN = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($TOKEN))
      
      Add-Content -Path templates/kubeconfig.yaml @"
      apiVersion: v1
      kind: Config
      clusters:
      - name: default-cluster
        cluster:
          certificate-authority-data: $CA
          server: $API_SERVER_URL
      users:
      - name: default-user
        user:
          token: $DEC_TOKEN
      contexts:
      - name: default-context
        context:
          cluster: default-cluster
          namespace: $ns
          user: default-user
      current-context: default-context
      "@
      
      
      Write-Host "Finished"
      
    2. Run the following commands in PowerShell to replace the current kubeconfig file:

      You can use Set-ExecutionPolicy Unrestricted to change the execution policy if needed.

      PowerShell
      Copy
       .\temp.ps1  
       cp .\kubeconfig.yaml  ~/.kube/config
      

      The default location for kubeconfig might vary depending on your kubectl installation.

  • Step 5

    Besides the service account, you also created ConfigMap in step 2. Let’s try to read a value from this map to check if the new kubeconfig is working:

    Shell
    Copy
    kubectl get configmap -n tutorial tutorial-config-map -o jsonpath='{.data.out}'
    

    What output do you see?

Back to top