Skip to main content




Will be deprecated in Copernic 3.8

From outside kubernetes: you may want to have a CI/CD pipeline which deploys application into kubernetes. To do so, you can't use a nominative kubernetes kubeconfig because of Multi-Factor Authentication. So we provide a generic service account (without MFA).

From inside kubernetes: by default any container runs with a default service account with limited rights. If you need additional permissions, you have two options:

  • run your application with the generic k8saas service account: k8saas-generic-sa-cicd
  • ask the support level 1 to get a new service service account with custom rights

This document shows:

  • how to list the different service accounts
  • how to retrieve the corresponding kubeconfig


To perform the following commands, you need first to have devops-namespace-role rights. Ask the support to update your rights if necessary.

What to do ?

First, get the script:

  • Download it from here
  • Or Copy - Past the following code
set -e

# Usage ./ ( namespace ) ( service account name )
# default service account: k8saas-generic-sa-cicd

TEMPDIR=$( mktemp -d )

# shellcheck disable=SC2064
trap "{ rm -rf $TEMPDIR ; exit 255; }" EXIT

# if empty, put k8saas-generic-sa-cicd
if [ -z ${2+x} ];


# Pull the bearer token and cluster CA from the service account secret.
BEARER_TOKEN=$( kubectl get secrets -n "$1" "$SA_SECRET" -o jsonpath='{.data.token}' | base64 -d )
kubectl get secrets -n "$1" "$SA_SECRET" -o jsonpath='{\.crt}' | base64 -d > "$TEMPDIR/ca.crt"

# --minify get the current context
CLUSTER_URL=$( kubectl config view --minify -o jsonpath='{.clusters[].cluster.server}' )

# Only used in output files
CLUSTER_NAME=$( kubectl config view --minify -o jsonpath='{.clusters[].name}' )


kubectl config --kubeconfig="$KUBECONFIG" \
set-cluster \
--server="$CLUSTER_URL" \
--certificate-authority="$TEMPDIR/ca.crt" \

kubectl config --kubeconfig="$KUBECONFIG" \
set-credentials "${SA_NAME}" --token="$BEARER_TOKEN"

kubectl config --kubeconfig="$KUBECONFIG" \
set-context registry \
--cluster="$CLUSTER_URL" \

kubectl config --kubeconfig="$KUBECONFIG" \
use-context registry

echo "kubeconfig written to file \"$KUBECONFIG\""

Then, refresh your kubeconfig:

az login -t "<K8SAAS_TENANT_ID>"
az aks get-credentials --name "<K8SAAS_RESOURCE_NAME>" --resource-group "<K8SAAS_RESOURCE_NAME>" --subscription "K8SAAS_SUBSCRIPTION_ID"

Finally, get your service account: Let say, you have a namespace dev, to retrieve your kubeconfig, you have to execute:

# fix permissions
chmod +x

# default sa: k8saas-generic-sa-cicd
$ ./ dev
Cluster "" set.
User "k8saas-generic-sa-cicd" set.
Context "registry" modified.
Switched to context "registry".
kubeconfig written to file "kubeconfig_K8SAAS_INSTANCE_NAME_NAMESPACE_NAME_K8SAAS_SA_NAME"

# custom sa : toto-custom-sa
$ ./ dev toto-custom-sa

Next steps