
Creating kubeconfig credentials

This tutorial explains how to create a kubeconfig file to authenticate to a Kubernetes cluster. It helps you to create a service account on Kubernetes and create a kubeconfig file that can be used by kubectl to interact with the cluster.

It assumes that you have working knowledge of Docker and Kubernetes and understand the following concepts:

Here are step-by-step instructions on how to create a service account kubeconfig file. You will create an RBAC ServiceAccount, Role and RoleBinding, and then run a short script to generate a Kubernetes config file dedicated to that service account.

Prerequisites

Before you can complete this setup, you will need to ensure you have the following:

  • An existing Razorops account
  • Admin access (enough to create roles and role bindings) to the Kubernetes cluster you want to connect with a service account

For questions or concerns reach out to us at [email protected].


The first step to add your Kubernetes cluster to Razorops is to create a ServiceAccount, a (Cluster)Role and a (Cluster)RoleBinding. You should narrow the RBAC rules to the commands your pipeline actually runs.

Creating a serviceAccount

A serviceAccount has an associated authentication token, which is stored as a Kubernetes secret. Having created a serviceAccount, you bind it, via a (Cluster)RoleBinding, to a role that grants the permissions it needs. You can then add the service account (and its authentication token) as a user definition in the kubeconfig file itself. Other tools can then present the service account token when accessing the cluster.

Make sure you can access the cluster

First, make sure you can authenticate yourself to the cluster. This means you have a kubeconfig file that uses your personal account. You can verify this by running the following command on your local machine; you should see the config file listed.

ls -al $HOME/.kube

Download the following three files (the file names match the apply commands below) -

role.yaml

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ci
rules:
- apiGroups: ["apps", "batch"]
  resources: ["deployments", "cronjobs"]
  verbs: ["get", "list", "watch", "update", "patch"]

role_binding.yaml

# rbac.authorization.k8s.io/v1beta1 was removed in Kubernetes 1.22; use v1
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ci
roleRef:
  kind: Role
  apiGroup: rbac.authorization.k8s.io
  name: ci
subjects:
- kind: ServiceAccount
  name: ci

service_account.yaml

apiVersion: v1
kind: ServiceAccount
metadata:
  name: ci

Apply to the cluster

From the directory where you’ve placed these three files, run the following commands to apply the YAML files -

kubectl apply -f role.yaml
kubectl apply -f role_binding.yaml
kubectl apply -f service_account.yaml

We describe three methods to generate a kubeconfig: a krew plugin, a script, and manual steps.

Generate via Krew plugin

If you are comfortable using krew plugins, this is the easiest way to generate credentials linked to a serviceAccount. Install the view-serviceaccount-kubeconfig plugin and run the following commands to generate the credentials.

Note

The following commands assume that you have access to the cluster and are connected to it.

$ kubectl krew install view-serviceaccount-kubeconfig

# for serviceAccount: ci in current namespace
$ kubectl view-serviceaccount-kubeconfig ci
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: ...
...

You can copy and paste the printed credentials when adding a cluster in the Razorops dashboard.

Generate via Bash script

Please make sure you create a new serviceAccount for CI integration or use an existing one.

Creating the Kubernetes Config File

The next step is to generate a custom Kubernetes config file. You will need to get the following information from the cluster:

  • cluster name
  • cluster server
  • CA Cert Data
  • Namespace
  • Token

We recommend using this script to obtain the information. Download the script, save it as create-kube-config-sa.sh, and run it with the following command:

sh create-kube-config-sa.sh ci

This command will print a Kubernetes config file to STDOUT. This file can be used to add a Kubernetes cloud account to Razorops.

Generate manually

This will use your personal account to create the service account. Make sure your personal account has permissions to do this.

Fetch the name of the secrets used by the service account

This can be found by running the following command:

kubectl describe serviceaccounts ci

output

Name:               ci
Namespace:          default
Labels:             <none>
Annotations:        <none>

Image pull secrets: <none>
Mountable secrets:  ci-token-h6pdj
Tokens:             ci-token-h6pdj

Note down the Mountable secrets value, which is the name of the secret that holds the token.

Fetch the token and certificate from the secret

Using the Mountable secrets value, you can get the token used by the service account. Run the following command to extract this information:

kubectl get secrets ci-token-h6pdj -o yaml

output

apiVersion: v1
data:
  ca.crt: <base64-encoded CA certificate, omitted>
  namespace: ZmFsbGluZy1kdXN0LTYyNDc=
  token: <base64-encoded token, omitted>
kind: Secret
metadata:
  annotations:
    kubernetes.io/service-account.name: ci
    kubernetes.io/service-account.uid: eaa859ad-b834-4582-9081-47cc3cb097e4
  creationTimestamp: "2020-09-29T09:32:21Z"
  name: ci-token-jhwnd
  namespace: default
  resourceVersion: "1796"
  selfLink: /api/v1/namespaces/default/secrets/ci-jhwnd
  uid: 147012f9-711d-4657-acfb-f9f030a7cd81
type: kubernetes.io/service-account-token

This will output the secret, which looks something like the above. Note down the token value and the ca.crt value. Both are stored base64-encoded: the ca.crt value is used as-is for certificate-authority-data, but the token must be decoded (for example with base64 -d) before it is placed in the kubeconfig.

Get the server info for the cluster

Every cluster has a CA certificate that clients use to verify and encrypt traffic to the API server. Fetch the cluster details and write them to a file by running the following commands. In this case, we are using the file name cluster-cert.txt.

kubectl config view --flatten --minify > cluster-cert.txt
cat cluster-cert.txt

output

apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://localhost:6443
  name: test
contexts:
- context:
    cluster: test
    namespace: default
    user: test
  name: test
current-context: test
kind: Config
preferences: {}
users:
- name: admin
  user:
    password: DATA+OMITTED
    username: DATA+OMITTED

Create a kubeconfig file

From the steps above, you should have the following pieces of information:

  • token
  • ca.crt
  • server

Create a file called sa-config and paste the following content into it:

apiVersion: v1
kind: Config
users:
- name: ci
  user:
    token: <replace this with token info>
clusters:
- cluster:
    certificate-authority-data: <replace this with ca.crt info>
    server: <replace this with server info>
  name: ci
contexts:
- context:
    cluster: ci
    user: ci
  name: ci
current-context: ci

Replace the placeholders above with the information gathered so far:

  • replace the token
  • replace the ca.crt
  • replace the server

Copy the file to $HOME/.kube

If you want your client to use this context, copy sa-config to $HOME/.kube and switch kubectl to the context in that file:

kubectl config --kubeconfig=$HOME/.kube/sa-config use-context ci
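The script referenced in the "Generate via Bash script" section above is not reproduced on this page; the following is an added example (not the Razorops script) that automates the manual steps of this section. It assumes kubectl is on PATH and that your current context can read the ServiceAccount and its token secret; the TOKEN_DURATION variable and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not the Razorops script: build a kubeconfig for an existing
# ServiceAccount. Assumes kubectl on PATH and a context that can read the SA.
set -eu

# render_kubeconfig NAME SERVER CA_DATA NAMESPACE TOKEN. CA_DATA stays base64
# (certificate-authority-data expects it); TOKEN must be the decoded JWT.
render_kubeconfig() {
  cat <<EOF
apiVersion: v1
kind: Config
clusters:
- name: $1
  cluster:
    server: $2
    certificate-authority-data: $3
users:
- name: $1
  user:
    token: $5
contexts:
- name: $1
  context:
    cluster: $1
    namespace: $4
    user: $1
current-context: $1
EOF
}

# sa_token SA NAMESPACE: prefer a bounded TokenRequest token (1.24+; the API
# server may cap the duration), else the legacy auto-created token Secret.
sa_token() {
  if kubectl create token "$1" -n "$2" --duration="${TOKEN_DURATION:-24h}" 2>/dev/null; then
    return 0
  fi
  secret=$(kubectl get serviceaccount "$1" -n "$2" -o jsonpath='{.secrets[0].name}')
  [ -n "$secret" ] || { echo "no token secret for $2/$1" >&2; return 1; }
  kubectl get secret "$secret" -n "$2" -o jsonpath='{.data.token}' | base64 -d
}

# generate_sa_kubeconfig SA [NAMESPACE]: read the cluster from the current
# context and print the kubeconfig to STDOUT.
generate_sa_kubeconfig() {
  ns=${2:-$(kubectl config view --minify -o jsonpath='{..namespace}')}
  server=$(kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}')
  ca=$(kubectl config view --minify --flatten --raw -o jsonpath='{.clusters[0].cluster.certificate-authority-data}')
  render_kubeconfig "$1" "$server" "$ca" "${ns:-default}" "$(sa_token "$1" "${ns:-default}")"
}
[ $# -eq 0 ] || generate_sa_kubeconfig "$@"  # usage: sh create-kube-config-sa.sh ci [namespace]
```

On Kubernetes 1.24 and later the token secret is no longer created automatically, so the script first asks for a time-bounded token with kubectl create token; set TOKEN_DURATION if the CI credential must live longer than the 24h default.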