k8saas-service-account-kubeconfig

Usage

Warning: will be deprecated in Copernic 3.8.

From outside Kubernetes: you may want a CI/CD pipeline that deploys applications into Kubernetes. For that you cannot use a nominative (personal) kubeconfig, because it requires Multi-Factor Authentication, so we provide a generic service account (without MFA).

From inside Kubernetes: by default any container runs with the default service account, which has limited rights. If you need additional permissions, you have two options:

  • run your application with the generic k8saas service account: k8saas-generic-sa-cicd
  • ask level 1 support for a new service account with custom rights

This document shows:

  • how to list the different service accounts
  • how to retrieve the corresponding kubeconfig

Prerequisites

To run the following commands, you first need the devops-namespace-role rights. Ask the support team to update your rights if necessary.

What to do?

First, get the script:

  • Download it from here
  • Or copy and paste the following code:
#!/bin/bash
set -e

# Usage: ./k8saas-service-account-kubeconfig.sh <namespace> [service account name]
# default service account: k8saas-generic-sa-cicd

if [ -z "${1:-}" ]; then
    echo "Usage: $0 <namespace> [service account name]" >&2
    exit 1
fi

NAMESPACE="$1"

TEMPDIR=$( mktemp -d )

# Remove the temporary directory (it holds the cluster CA) when the script exits.
# The trap must not call "exit" itself, or the script would always return a failure code.
# shellcheck disable=SC2064
trap "rm -rf '$TEMPDIR'" EXIT

# if no service account name was given, use k8saas-generic-sa-cicd
if [ -z "${2:-}" ]; then
    SA_NAME="k8saas-generic-sa-cicd"
else
    SA_NAME="$2"
fi

SA_SECRET="${SA_NAME}-token"

# Pull the bearer token and cluster CA from the service account secret.
BEARER_TOKEN=$( kubectl get secrets -n "$NAMESPACE" "$SA_SECRET" -o jsonpath='{.data.token}' | base64 -d )
kubectl get secrets -n "$NAMESPACE" "$SA_SECRET" -o jsonpath='{.data.ca\.crt}' | base64 -d > "$TEMPDIR/ca.crt"

# --minify keeps only the current context, i.e. the cluster you are currently logged into
CLUSTER_URL=$( kubectl config view --minify -o jsonpath='{.clusters[].cluster.server}' )

# Only used to name the output file
CLUSTER_NAME=$( kubectl config view --minify -o jsonpath='{.clusters[].name}' )

# Output file (a dedicated variable, so it never shadows the KUBECONFIG environment variable)
OUT_KUBECONFIG="kubeconfig_${CLUSTER_NAME}_${NAMESPACE}_${SA_NAME}"

kubectl config --kubeconfig="$OUT_KUBECONFIG" \
    set-cluster \
    "$CLUSTER_URL" \
    --server="$CLUSTER_URL" \
    --certificate-authority="$TEMPDIR/ca.crt" \
    --embed-certs=true

kubectl config --kubeconfig="$OUT_KUBECONFIG" \
    set-credentials "${SA_NAME}" --token="$BEARER_TOKEN"

kubectl config --kubeconfig="$OUT_KUBECONFIG" \
    set-context registry \
    --cluster="$CLUSTER_URL" \
    --user="${SA_NAME}"

kubectl config --kubeconfig="$OUT_KUBECONFIG" \
    use-context registry

echo "kubeconfig written to file \"$OUT_KUBECONFIG\""

Then, refresh your own (nominative) kubeconfig so that the current context points at the target cluster; the script reads the cluster URL from that current context:

az login -t "<K8SAAS_TENANT_ID>"
az aks get-credentials --name "<K8SAAS_RESOURCE_NAME>" --resource-group "<K8SAAS_RESOURCE_NAME>" --subscription "<K8SAAS_SUBSCRIPTION_ID>"

Finally, generate the service account kubeconfig. Say you have a namespace dev; to retrieve its kubeconfig, run:

# fix permissions
chmod +x k8saas-service-account-kubeconfig.sh

# default sa: k8saas-generic-sa-cicd
$ ./k8saas-service-account-kubeconfig.sh dev
Cluster "https://K8SAAS_INSTANCE_NAME-XXXXXX.hcp.eastus.azmk8s.io:443" set.
User "k8saas-generic-sa-cicd" set.
Context "registry" modified.
Switched to context "registry".
kubeconfig written to file "kubeconfig_K8SAAS_INSTANCE_NAME_NAMESPACE_NAME_K8SAAS_SA_NAME"

# custom sa: toto-custom-sa
$ ./k8saas-service-account-kubeconfig.sh dev toto-custom-sa
[...]
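Once the script has written the kubeconfig, it is worth confirming what the file actually contains before wiring it into a pipeline: it embeds a bearer token that is not protected by MFA, and a token read from a legacy `<sa>-token` secret carries no expiry claim, so it stays valid until the secret is deleted. The shell example below is added here and is not part of the k8saas script or of the Copernic project. It builds a constructed sample kubeconfig in the layout the script produces (a dummy CA and an unsigned token carrying the standard claims of a legacy secret-based service account token), restricts the file to its owner, and decodes the token's JWT payload to show the subject, namespace and expiry. The server URL and service account name are the placeholders used on this page; the claim names are the standard Kubernetes service account token claims; nothing in it talks to a cluster.

```shell
#!/bin/bash
# Added example, not part of the k8saas script: inspect a generated kubeconfig
# before handing it to a CI/CD pipeline. The file embeds a bearer token that is
# not protected by MFA, so lock the file down and confirm what the token maps to.
set -e

# Restrict the kubeconfig to its owner; prints the mode string, e.g. "-rw-------".
harden_kubeconfig() {
    chmod 600 "$1"
    ls -l "$1" | cut -c1-10
}

# Encode/decode base64url (JWT segments use base64url without padding).
b64url_encode() {
    printf '%s' "$1" | base64 | tr -d '\n=' | tr '/+' '_-'
}
b64url_decode() {
    local s
    s=$(printf '%s' "$1" | tr '_-' '/+')
    case $(( ${#s} % 4 )) in
        2) s="${s}==" ;;
        3) s="${s}=" ;;
    esac
    printf '%s' "$s" | base64 -d
}

# Print the decoded JWT payload of the first "token:" entry in a kubeconfig file.
# This only reads the claims; it does not verify the signature.
kubeconfig_token_claims() {
    local token
    token=$(sed -n 's/^[[:space:]]*token:[[:space:]]*//p' "$1" | head -n 1)
    [ -n "$token" ] || { echo "no bearer token found in $1" >&2; return 1; }
    b64url_decode "$(printf '%s' "$token" | cut -d. -f2)"
}

# Extract one string-valued claim from a flat JSON payload (e.g. "sub").
claim() {
    printf '%s' "$1" | sed -n "s|.*\"$2\":\"\([^\"]*\)\".*|\1|p"
}

# Legacy secret-based service account tokens carry no "exp" claim: they never expire.
token_expiry() {
    case "$1" in
        *'"exp":'*) printf '%s' "$1" | sed -n 's/.*"exp":\([0-9]*\).*/\1/p' ;;
        *) echo never ;;
    esac
}

# Write a constructed kubeconfig shaped like the script's output: dummy CA data
# and an unsigned token with the claims a legacy secret-based SA token carries.
write_sample_kubeconfig() {
    local server ca header payload token
    server="https://K8SAAS_INSTANCE_NAME-XXXXXX.hcp.eastus.azmk8s.io:443"
    ca=$(printf '%s' "constructed placeholder, not a certificate" | base64 | tr -d '\n')
    header='{"alg":"RS256","kid":"constructed"}'
    payload='{"iss":"kubernetes/serviceaccount","kubernetes.io/serviceaccount/namespace":"dev","kubernetes.io/serviceaccount/service-account.name":"k8saas-generic-sa-cicd","sub":"system:serviceaccount:dev:k8saas-generic-sa-cicd"}'
    token="$(b64url_encode "$header").$(b64url_encode "$payload").constructedsignature"
    cat > "$1" <<EOF
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: $ca
    server: $server
  name: $server
contexts:
- context:
    cluster: $server
    user: k8saas-generic-sa-cicd
  name: registry
current-context: registry
kind: Config
preferences: {}
users:
- name: k8saas-generic-sa-cicd
  user:
    token: $token
EOF
}

# Demo on a temporary file; point the same functions at the real kubeconfig_... file in practice.
demo() {
    local f claims
    f=$(mktemp)
    write_sample_kubeconfig "$f"
    claims=$(kubeconfig_token_claims "$f")
    echo "mode:      $(harden_kubeconfig "$f")"
    echo "subject:   $(claim "$claims" sub)"
    echo "namespace: $(claim "$claims" kubernetes.io/serviceaccount/namespace)"
    echo "expires:   $(token_expiry "$claims")"
    rm -f "$f"
}
demo
```

Against a real file, `kubeconfig_token_claims kubeconfig_<cluster>_dev_k8saas-generic-sa-cicd` shows which account and namespace the token maps to; the decode reads claims only and verifies nothing. To see what that account is actually allowed to do, ask the API server with `kubectl --kubeconfig <file> auth can-i --list -n dev`. Since the file is equivalent to a non-expiring password for that account, keep it at mode 600, store it as a CI secret rather than in the repository, and delete the `<sa>-token` secret when the pipeline no longer needs it, which invalidates the token.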

Next steps