Forked from innovia/kubernetes_add_service_account_kubeconfig.sh
Last active
January 20, 2023 17:49
-
-
Save voor/b201545ca36b04f83b3386b1a50bc913 to your computer and use it in GitHub Desktop.
Create a service account and generate a kubeconfig file for it - this will also set the default namespace for the user
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| set -e | |
| set -o pipefail | |
| # Add user to k8s using service account or build kubeconfig for existing service account, no RBAC (must create RBAC after this script) | |
| if [[ -z "$1" ]] || [[ -z "$2" ]] || [[ -z "$3" ]]; then | |
| echo "usage: $0 <service_account_name> <namespace> <target_folder>" | |
| exit 1 | |
| fi | |
| SERVICE_ACCOUNT_NAME=$1 | |
| NAMESPACE="$2" | |
| TARGET_FOLDER="$3" | |
| KUBECFG_FILE_NAME="$TARGET_FOLDER/kubeconfig.yml" | |
| create_target_folder() { | |
| echo -n "Creating target directory to hold files in ${TARGET_FOLDER}..." | |
| mkdir -p "${TARGET_FOLDER}" | |
| printf "done" | |
| } | |
| create_service_account() { | |
| echo -e "\\nCreating namespace: ${SERVICE_ACCOUNT_NAME}" | |
| kubectl create ns "${NAMESPACE}" || kubectl get ns "${NAMESPACE}" && echo "Namespace already exists." | |
| echo -e "\\nCreating a service account in ${NAMESPACE} namespace: ${SERVICE_ACCOUNT_NAME}" | |
| kubectl create sa "${SERVICE_ACCOUNT_NAME}" --namespace "${NAMESPACE}" \ | |
| || kubectl get sa "${SERVICE_ACCOUNT_NAME}" --namespace "${NAMESPACE}" && echo "Service account already exists." | |
| SA_SECRET=$(kubectl get secret --namespace "${NAMESPACE}" -o=jsonpath="{.items[?(@.metadata.annotations.kubernetes\.io/service-account\.name==\"${SERVICE_ACCOUNT_NAME}\")].metadata.name}") | |
| if [ -z "$SA_SECRET" ] | |
| then | |
| cat >${TARGET_FOLDER}/secret.yaml <<EOF | |
| apiVersion: v1 | |
| kind: Secret | |
| metadata: | |
| namespace: ${NAMESPACE} | |
| generateName: ${SERVICE_ACCOUNT_NAME}- | |
| annotations: | |
| kubernetes.io/service-account.name: ${SERVICE_ACCOUNT_NAME} | |
| type: kubernetes.io/service-account-token | |
| EOF | |
| kubectl create -f ${TARGET_FOLDER}/secret.yaml | |
| fi | |
| } | |
| extract_ca_crt_from_secret() { | |
| echo -e -n "\\nExtracting ca.crt from secret..." | |
| kubectl get secret --namespace "${NAMESPACE}" -o=jsonpath="{.items[?(@.metadata.annotations.kubernetes\.io/service-account\.name==\"${SERVICE_ACCOUNT_NAME}\")].data.ca\.crt}" | base64 -d > "${TARGET_FOLDER}/ca.crt" | |
| printf "done" | |
| } | |
| get_user_token_from_secret() { | |
| echo -e -n "\\nGetting user token from secret..." | |
| USER_TOKEN=$(kubectl get secret --namespace "${NAMESPACE}" -o=jsonpath="{.items[?(@.metadata.annotations.kubernetes\.io/service-account\.name==\"${SERVICE_ACCOUNT_NAME}\")].data.token}" | base64 -d) | |
| printf "done" | |
| } | |
| set_kube_config_values() { | |
| context=$(kubectl config current-context) | |
| echo -e "\\nSetting current context to: $context" | |
| CLUSTER_NAME=$(kubectl config get-contexts "$context" | awk '{print $3}' | tail -n 1) | |
| echo "Cluster name: ${CLUSTER_NAME}" | |
| ENDPOINT=$(kubectl config view \ | |
| -o jsonpath="{.clusters[?(@.name == \"${CLUSTER_NAME}\")].cluster.server}") | |
| echo "Endpoint: ${ENDPOINT}" | |
| # Set up the config | |
| echo -e "\\nPreparing kubeconfig.yml" | |
| echo -n "Setting a cluster entry in kubeconfig..." | |
| kubectl config set-cluster "${CLUSTER_NAME}" \ | |
| --kubeconfig="${KUBECFG_FILE_NAME}" \ | |
| --server="${ENDPOINT}" \ | |
| --certificate-authority="${TARGET_FOLDER}/ca.crt" \ | |
| --embed-certs=true | |
| echo -n "Setting token credentials entry in kubeconfig..." | |
| kubectl config set-credentials \ | |
| "${SERVICE_ACCOUNT_NAME}" \ | |
| --kubeconfig="${KUBECFG_FILE_NAME}" \ | |
| --token="${USER_TOKEN}" | |
| echo -n "Setting a context entry in kubeconfig..." | |
| kubectl config set-context \ | |
| "${CLUSTER_NAME}" \ | |
| --kubeconfig="${KUBECFG_FILE_NAME}" \ | |
| --cluster="${CLUSTER_NAME}" \ | |
| --user="${SERVICE_ACCOUNT_NAME}" \ | |
| --namespace="${NAMESPACE}" | |
| echo -n "Setting the current-context in the kubeconfig file..." | |
| kubectl config use-context "${CLUSTER_NAME}" \ | |
| --kubeconfig="${KUBECFG_FILE_NAME}" | |
| } | |
| create_target_folder | |
| create_service_account | |
| extract_ca_crt_from_secret | |
| get_user_token_from_secret | |
| set_kube_config_values | |
| echo -e "\\nAll done! Test with:" | |
| echo "KUBECONFIG=${KUBECFG_FILE_NAME} kubectl get pods" | |
| echo "you should not have any permissions by default - you have just created the authentication part" | |
| echo "You will need to create RBAC permissions" | |
| KUBECONFIG=${KUBECFG_FILE_NAME} kubectl get pods |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| apiVersion: v1 | |
| kind: ServiceAccount | |
| metadata: | |
| name: ${SERVICE_ACCOUNT_NAME} | |
| namespace: ${NAMESPACE} | |
| --- | |
| apiVersion: rbac.authorization.k8s.io/v1beta1 | |
| kind: ClusterRoleBinding | |
| metadata: | |
| name: ${SERVICE_ACCOUNT_NAME} | |
| roleRef: | |
| apiGroup: rbac.authorization.k8s.io | |
| kind: ClusterRole | |
| name: cluster-admin | |
| subjects: | |
| - kind: ServiceAccount | |
| name: ${SERVICE_ACCOUNT_NAME} | |
| namespace: ${NAMESPACE} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment