Skip to content

Creating kubeconfig credentials

This tutorial explains how to create a kubeconfig file to authenticate to a Kubernetes cluster. It helps you to create a service account on Kubernetes and create a kubeconfig file that can be used by kubectl to interact with the cluster.

It assumes that you have working knowledge of Docker and Kubernetes and understand the following concepts:

Here are step by step instructions how to create a service account kubeconfig file. You will create an RBAC service account, Role, RoleBinding, and run a short script to generate a specific Kubernetes config file.

Prerequisites

Before you can complete this setup, you will need to ensure you have the following:

  • An existing Razorops account
  • An existing Kubernetes account with admin access to creating roles to which you want to connect with a service account

For questions or concerns reach out to us at [email protected]

We describe two methods to generate kubeconfig - script and manual.

Generate via Bash script

Creating the RBAC Service Account

The first step to add your Kubernetes cluster to Razorops is to create a ServiceAccount, (Cluster)Role, and (Cluster)RoleBinding. You should modify the RBAC rules based on the commands you'r running in pipeline. Refer to the following steps:

Download the following files -

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ci
rules:
- apiGroups: ["apps", "batch"]
  resources:  ["deployments", "cronjobs"]
  verbs: ["get", "list", "watch", "update", "patch"]
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
  name: ci
roleRef:
  kind: Role
  apiGroup: rbac.authorization.k8s.io
  name: ci
subjects:
- kind: ServiceAccount
  name: ci
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ci

Apply to the cluster

From the directory where you’ve placed these three files, run the following commands to apply the YAML files -

kubectl apply -f role.yaml
kubectl apply -f role_binding.yaml
kubectl apply -f service_account.yaml

Creating the Kubernetes Config File

The next step is to generate a custom Kubernetes config file. You will need to get the following information from the cluster:

  • cluster name
  • cluster server
  • CA Cert Data
  • Namespace
  • Token

We recommend using the this script to obtain the information. Download the script, save it with create-kube-config-sa.sh, and run it using the following command:

sh create-kube-config-sa.sh ci

This command will print a Kubernetes config file to STDOUT. This file can be used to add a Kubernetes cloud account to Razorops.

Generate manually

Make sure you can access the cluster

First, make sure you can authenticate yourself to the cluster. This means you have a kubeconfig file that uses your personal account. You can verify this by running this command on your local machine and you should see the file listed

ls -al $HOME/.kube

Create a serviceaccount

To create a service account on Kubernetes, you can leverage kubectl and a service account spec. Create a YML file name sa.yml that looks like the one below:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: ci # any name you'd like

Create a serviceaccount

You can create a service account by running the following command:

kubectl create -f sa.yaml

This will use your personal account to create the service account. Make sure your personal account has permissions to do this.

Fetch the name of the secrets used by the service account

This can be found by running the following command:

kubectl describe serviceaccounts ci

output

Name:               ci
Namespace:          default
Labels:             <none>
Annotations:        <none>

Image pull secrets: <none>
Mountable secrets:  ci-token-h6pdj
Tokens:             ci-token-h6pdj

Note down the Mountable secrets information which has the name of the secret that holds the token

Fetch the token and certificate from the secret

Using the Mountable secrets value, you can get the token used by the service account. Run the following command to extract this information:

kubectl describe secrets ci-token-h6pdj

output

apiVersion: v1
data:
  ca.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJWekNCL3FBREFnRUNBZ0VBTUFvR0NDcUdTTTQ5QkFNQ01DTXhJVEFmQmdOVkJBTU1HR3N6Y3kxelpYSjIKWlhJdFkyRkFNVFl3TVRJNU1ESXdOekFlRncweU1EQTVNamd4TURVd01EZGFGdzB6TURBNU1qWXhNRFV3TURkYQpNQ014SVRBZkJnTlZCQU1NR0dzemN5MXpaWEoyWlhJdFkyRkFNVFl3TVRJNU1ESXdOekJaTUJNR0J5cUdTTTQ5CkFnRUdDQ3FHU000OUF3RUhBMElBQktPay9oZnViYmlLWVMyWGg2NUVHRVNyTDZoQ1prK3Nkbkhla2dVRy9KaEYKK2pQYzhKRytmRTBZVHo4ZmdUeGdHR1VSaU44M2hYUWtET0xoTzJEVXJEK2pJekFoTUE0R0ExVWREd0VCL3dRRQpBd0lDcERBUEJnTlZIUk1CQWY4RUJUQURBUUgvTUFvR0NDcUdTTTQ5QkFNQ0EwZ0FNRVVDSVFDek5GWWo5UjBCCkE3ejBGdklPU0laWGdpZU13UXZtUDhkWm1ZTjN5S0JOcUFJZ0lRVUdBN28vaE55eTZsV2k4Y2d5UGJzVXg4SjYKNlh1aVlSYjlONVNLSTA0PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
  namespace: ZmFsbGluZy1kdXN0LTYyNDc=
  token: ZXlKaGJHY2lPaUpTVXpJMU5pSXNJbXRwWkNJNklqUlVkWGhNYTBSR1UzbFlUVU00VVVOb2VtZG1lRUo2VVV4bGRsUXRhR3gxWmpsV1ZtdGpjVkkxYjNNaWZRLmV5SnBjM01pT2lKcmRXSmxjbTVsZEdWekwzTmxjblpwWTJWaFkyTnZkVzUwSWl3aWEzVmlaWEp1WlhSbGN5NXBieTl6WlhKMmFXTmxZV05qYjNWdWRDOXVZVzFsYzNCaFkyVWlPaUptWVd4c2FXNW5MV1IxYzNRdE5qSTBOeUlzSW10MVltVnlibVYwWlhNdWFXOHZjMlZ5ZG1salpXRmpZMjkxYm5RdmMyVmpjbVYwTG01aGJXVWlPaUprWldaaGRXeDBMWFJ2YTJWdUxXcG9kMjVrSWl3aWEzVmlaWEp1WlhSbGN5NXBieTl6WlhKMmFXTmxZV05qYjNWdWRDOXpaWEoyYVdObExXRmpZMjkxYm5RdWJtRnRaU0k2SW1SbFptRjFiSFFpTENKcmRXSmxjbTVsZEdWekxtbHZMM05sY25acFkyVmhZMk52ZFc1MEwzTmxjblpwWTJVdFlXTmpiM1Z1ZEM1MWFXUWlPaUpsWVdFNE5UbGhaQzFpT0RNMExUUTFPREl0T1RBNE1TMDBOMk5qTTJOaU1EazNaVFFpTENKemRXSWlPaUp6ZVhOMFpXMDZjMlZ5ZG1salpXRmpZMjkxYm5RNlptRnNiR2x1Wnkxa2RYTjBMVFl5TkRjNlpHVm1ZWFZzZENKOS5tR3FqTi0wWkJXeFNWaEIydlFHcDVNa244X01vb0FYX1ZyN25ycGtlVEFFajF0ZEx4aFMyekpCUWE5ZzBlSjlYREpxa3Z6NGVwLWN1ckVvb2QzZTI3eG5oSXJlRF90WEJMa3kzczczcFo1YVFGNDdOQ0xQMmVzNm95dERnVzlpRDc1ZEJyNFVVMU80UXpOcThEeFNyT09yVlVnWkpRUHVhS3VIUlBUVnRjUWM0TDd4QmlvWEdrNS1SY3lib3VMd0dUQklPa1lXYXpJMm5KSXhma1Q0clpkSkRuVVAzaXNDbVRVQTNEZWtpcHQycXNWbHZYTWNIcmp4UGc3YkdtRjUxWHJBam55MHZhNUM1NXNtR29qLUJuang5eXdkRlF5a01NS0hSOUZIRklTZkJIR0hMVVdVTDZnTUlfdk8xNFBKSkdyRUJ2OFhTZnE4TDQ4eERRdVlhRGc=
kind: Secret
metadata:
  annotations:
    kubernetes.io/service-account.name: ci
    kubernetes.io/service-account.uid: eaa859ad-b834-4582-9081-47cc3cb097e4
  creationTimestamp: "2020-09-29T09:32:21Z"
  name: ci-token-jhwnd
  namespace: default
  resourceVersion: "1796"
  selfLink: /api/v1/namespaces/default/secrets/ci-jhwnd
  uid: 147012f9-711d-4657-acfb-f9f030a7cd81
type: kubernetes.io/service-account-token

This will output the token information that looks something like above. Note down the token value and ca.crt value.

Get the server info for the cluster

Every cluster has a certificate that clients can use to encryt traffic. Fetch the certificate and write to a file by running this command. In this case, we are using a file name cluster-cert.txt

kubectl config view --flatten --minify > cluster-cert.txt`
cat cluster-cert.txt

output

apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://localhost:6443
  name: test
contexts:
- context:
    cluster: test
    namespace: default
    user: test
  name: test
current-context: test
kind: Config
preferences: {}
users:
- name: admin
  user:
    password: DATA+OMITTED
    username: DATA+OMITTED

Create a kubeconfig file

From the steps above, you should have the following pieces of information

  • token
  • ca.crt
  • server

Create a file called sa-config and paste this content on to it

apiVersion: v1
kind: Config
users:
- name: ci
  user:
    token: <replace this with token info>
clusters:
- cluster:
    certificate-authority-data: <replace this with ca.crt info>
    server: <replace this with server info>
  name: ci
contexts:
- context:
    cluster: ci
    user: ci
  name: ci
current-context: ci

Replace the placeholder above with the information gathered so far

  • replace the token
  • replace the ca.crt
  • replace the server

Copy the file to $HOME/.kube

If you want your client to use this context, copy sa-config to $HOME/.kube and you can configure kubectl to use the context

kubectl config --kubeconfig=$HOME/.kube/sa-config set-context ci