This article is a guide to setting up a multi-user, namespace-scoped Kubernetes cluster.
Kubernetes, also known as K8s, is an open-source system for automating deployment, scaling, and management of containerized applications.
While Kubernetes does not have a notion of users, it has what are called service accounts. The role(s) bound to a service account define which operations it may perform on which Kubernetes resources. A service account provides an identity for processes that run in a Pod.
Before you can access the Kubernetes API server, you need a service account with the necessary roles.
This article assumes that you already have the roles and the namespace set up. You can ignore the namespace if you don't want to scope the service account to one.
To create a service account, apply the following manifest:
kubectl apply -f - <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: devspace
  name: arthur
EOF
Aside from the above, you also need to create a Secret before you can get the token to use with your service account, as follows:
kubectl apply -f - <<EOF
apiVersion: v1
kind: Secret
metadata:
  namespace: devspace
  name: auth-secret
  annotations:
    kubernetes.io/service-account.name: arthur
type: kubernetes.io/service-account-token
EOF
With the service account and token created, we can proceed to creating a kubeconfig file (used to authenticate operations sent to the API server).
The kubeconfig file is a YAML file; the bash script below generates it once you replace the values with your own.
Create a bash script file and give it a name, e.g. kubeconfig.sh, make it executable:
chmod +x ./kubeconfig.sh
and finally add the content below to the file. Make any changes to suit your needs.
#!/usr/bin/env sh
# The script returns a kubeconfig for the ServiceAccount given.
# You need to have kubectl on PATH with the context set to the cluster you want to create the config for.

# Cosmetics for the created config
clusterName='SwiftCloudCluster'
# your server address goes here, get it via `kubectl cluster-info`
server='https://kube-master:6443'
# the Namespace and ServiceAccount name that is used for the config
namespace='devspace'
serviceAccount='arthur'

# The following automation does not work from Kubernetes 1.24 and up.
# You need to define a Secret, reference the ServiceAccount there and set the
# secretName as described in the [article](dev.to/arthurkay)!
# See https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#manually-create-a-long-lived-api-token-for-a-serviceaccount for details
#secretName=$(kubectl --namespace="$namespace" get serviceAccount "$serviceAccount" -o=jsonpath='{.secrets[0].name}')

# For Kubernetes v1.24 and above, use the name of the Secret created earlier:
secretName='auth-secret'

######################
# actual script starts
set -o errexit

# the CA stays base64-encoded (certificate-authority-data expects that); the token is decoded
ca=$(kubectl --namespace="$namespace" get secret/"$secretName" -o=jsonpath='{.data.ca\.crt}')
token=$(kubectl --namespace="$namespace" get secret/"$secretName" -o=jsonpath='{.data.token}' | base64 --decode)

echo "
---
apiVersion: v1
kind: Config
clusters:
  - name: ${clusterName}
    cluster:
      certificate-authority-data: ${ca}
      server: ${server}
contexts:
  - name: ${serviceAccount}@${clusterName}
    context:
      cluster: ${clusterName}
      namespace: ${namespace}
      user: ${serviceAccount}
users:
  - name: ${serviceAccount}
    user:
      token: ${token}
current-context: ${serviceAccount}@${clusterName}
"
To create the actual kubeconfig file, execute the script and redirect its output to a file (use > rather than >> so that re-running the script does not append a second document to an existing file):
./kubeconfig.sh > kubeconfig
This creates a file named kubeconfig that can be used for authenticating with your Kubernetes cluster.
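Two checks worth running around the procedure above, as an added example that is not part of the original article: the token controller fills the Secret asynchronously, so right after kubectl apply the .data.token field can still be empty and the generator script would silently write an empty token (a jsonpath query on a missing field exits 0); and once the file exists you want proof that it authenticates and is confined to the namespace. The names devspace, auth-secret and kubeconfig are taken from the article; kube-system as the negative-control namespace and the function names are assumptions.

```shell
#!/usr/bin/env sh
# Added example, not from the original article. Assumes kubectl on PATH.
set -o errexit

# Poll until the token controller has populated the Secret (default: 30 tries).
wait_for_token() {
  ns="$1"; secret="$2"; tries="${3:-30}"
  while [ "$tries" -gt 0 ]; do
    tok=$(kubectl --namespace="$ns" get secret/"$secret" -o=jsonpath='{.data.token}')
    [ -n "$tok" ] && return 0
    tries=$((tries - 1)); sleep 1
  done
  echo "token for secret/$secret in $ns not populated" >&2
  return 1
}

# Offline check of a generated kubeconfig file: both the CA bundle and the
# token must be present and non-empty. Returns 0 if the file looks usable.
check_kubeconfig_file() {
  file="$1"
  ca=$(sed -n 's/^ *certificate-authority-data: *//p' "$file")
  tok=$(sed -n 's/^ *token: *//p' "$file")
  [ -n "$ca" ] && [ -n "$tok" ]
}

# Online check: the file must be able to list pods in its own namespace and
# must NOT be able to do so in kube-system (assumed negative control).
check_scope() {
  file="$1"; ns="$2"
  if ! kubectl --kubeconfig="$file" --namespace="$ns" auth can-i list pods >/dev/null; then
    echo "error: cannot list pods in $ns with this kubeconfig" >&2; return 1
  fi
  if kubectl --kubeconfig="$file" --namespace=kube-system auth can-i list pods >/dev/null 2>&1; then
    echo "warning: token is not confined to $ns" >&2; return 1
  fi
  echo "kubeconfig $file is confined to namespace $ns"
}

# Typical use, in order: wait_for_token devspace auth-secret;
# ./kubeconfig.sh > kubeconfig; check_kubeconfig_file kubeconfig; check_scope kubeconfig devspace
```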