VK Cloud logo
Support
Updated at April 15, 2024   08:50 AM

Creating a kubeconfig file for a service account

When connecting using kubectl to a Cloud Containers cluster, kubeconfig is used, this is cluster configuration file. kubeconfig is usually used to work with the cluster from the VK Cloud personal account, which is configured to use single sign-on technology. Therefore, when working with kubectl you periodically need to enter the user's password.

This authentication process is inconvenient when working with automated tools that need access to the cluster. To work with them, it is more convenient to use the kubeconfig file for the service account. This kubeconfig allows you to authenticate with a token with an infinite lifetime, without entering a password.

Preparatory steps

  1. Create the Cloud Containers cluster is the most up-to-date version.

    When creating a cluster, select the Assign external IP option. Select other cluster parameters at your discretion.

  2. Make sure that you can connect to the created cluster using kubectl.

    In this case, kubeconfig will be used, downloaded from the VK Cloud personal account.

  3. Set the environment variables pointing to kubeconfig:

    • VKCLOUD_KUBECONFIG: the path to the kubeconfig uploaded from the VK Cloud personal account.
    • SA_KUBECONFIG: the path to kubeconfig for the service account (the file itself will be created later).

    This will simplify further work with kubectl.

    export VKCLOUD_KUBECONFIG="/home/user/.kube/kubernetes-cluster-1234_kubeconfig.yaml"export SA_KUBECONFIG="/home/user/.kube/sa_kubeconfig.yaml"

  4. Make sure that after connecting to the cluster, you have the rights to create the necessary Kubernetes resources:

    kubectl --kubeconfig $VKCLOUD_KUBECONFIG auth can-i create serviceaccountkubectl --kubeconfig $VKCLOUD_KUBECONFIG auth can-i create secretkubectl --kubeconfig $VKCLOUD_KUBECONFIG auth can-i create clusterrolebinding

    The answer yes should be output for each of the commands.

    If you do not have the rights to create any of these resources (the answer is no), adjust the VK Cloud user role on behalf of which the connection to the cluster is being performed.

    For more information about the role model and available roles, see Access management.

1. Create a service account and link it to the role

  1. Create an example-sa service account in the kube-system namespace:

    kubectl --kubeconfig $VKCLOUD_KUBECONFIG \  create serviceaccount example-sa -n kube-system

    Example of command output:

    serviceaccount/example-sa created

  2. Select the cluster role to assign to the service account.

    To get a list of all cluster roles with a detailed description, run the command:

    kubectl --kubeconfig $VKCLOUD_KUBECONFIG describe clusterroles

    When choosing a role, follow the principle of least privilege to increase security when working with the cluster. Read more about the role model in the official Kubernetes documentation.

    As an example, the edit role will be assigned next. It corresponds to to role Kubernetes operator from personal account.

  3. Link the created service account to the selected cluster role. To do this, create a ClusterRoleBinding resource named example-binding.

    The service account must be specified along with the namespace to which it belongs.

    kubectl --kubeconfig $VKCLOUD_KUBECONFIG \  create clusterrolebinding example-binding \    --serviceaccount=kube-system:example-sa \    --clusterrole=edit

    Example of command output:

    clusterrolebinding.rbac.authorization.k8s.io/example-binding created

2. Get a token for a service account

  1. Create an 'example-token` secret containing a token for the service account:

    1. Create a manifest file:

      Explanations of the manifest fields:

      • type: a special type of secret kubernetes.io/service-account-token. This secret holds a token for the service account.
      • metadata.namespace: the namespace for the secret. The secret must be placed in the same namespace as the service account.
      • metadata.annotations: special abstract kubernetes.io/service-account.name with the name of the service account. The token from the created secret will be associated with this account.

    2. Apply the manifest file:

      kubectl --kubeconfig $VKCLOUD_KUBECONFIG apply -f example-token.yaml

      A secret will be created with the specified parameters. Example of command output:

      secret/example-token created

  2. Make sure that the service account has been assigned a token from the created secret:

    kubectl --kubeconfig $VKCLOUD_KUBECONFIG \  describe serviceaccount example-sa -n kube-system

    The output should contain an indication of the secret in the Tokens field.

  3. Get the token value.

    The secret stores the token in encoded form (encoding scheme Base64). The token must be decoded so that it can be used in kubeconfig:

    kubectl --kubeconfig $VKCLOUD_KUBECONFIG \  get secret example-token -n kube-system \  --template={{.data.token}} | base64 --decode

    The token value will be displayed. Save it.

4. Create a kubeconfig for a service account

  1. Create the basis for this kubeconfig by copying the kubeconfig downloaded from the VK Cloud personal account.

    cp $VKCLOUD_KUBECONFIG $SA_KUBECONFIG

  2. (Optional) Get to know the kubeconfig structure:

    kubectl --kubeconfig $SA_KUBECONFIG config view

    The contents of kubeconfig will be output in a compressed form: the values of some fields will be skipped.

    Kubeconfig contains all the parameters necessary to work with the cluster:

    • clusters: a list of clusters and data to connect to them.

      The Kubeconfig for the Cloud Containers cluster contains an entry about a single cluster.

    • users: a list of users and data for their authentication in the cluster.

      Kubeconfig for the Cloud Containers cluster contains a record of a single user who authenticates using keystone-auth.

    • contexts: the context in which kubectl works. In the simplest case, the context is a combination of the cluster name and the user name.

      Kubeconfig for the Cloud Containers cluster contains an entry about a single context. This context uses the cluster and user record that are already defined in kubeconfig.

    When kubectl is running in the specified context, it is working with the cluster specified in the context on behalf of the specified user.

  3. Change the contents of kubeconfig for the service account so that this file contains the parameters associated with the previously configured service account:

    1. Delete the existing user.

      This user corresponds to the VK Cloud user and should not appear in kubeconfig, which will be used by automated tools.

      1. Get a list of users:

        kubectl --kubeconfig $SA_KUBECONFIG \  config get-users

      2. Delete the user using the desired name from the list:

        kubectl --kubeconfig $SA_KUBECONFIG \  config delete-user <username>

        Example of partial command output:

        deleted user kubernetes-cluster-1234 from ...sa_kubeconfig.yaml

    2. Add a new user example-sa.

      This user corresponds to a previously created service account. The previously received token will be used for authentication.

      kubectl --kubeconfig $SA_KUBECONFIG \  config set-credentials example-sa --token="<token value>"

      Example of command output:

      User "example-sa" set.

    3. Configure the current context to use the added user:

      kubectl --kubeconfig $SA_KUBECONFIG \  config set-context --current --user="example-sa"

      Example output:

      Context "default/kubernetes-cluster-1234" modified.

  4. (Optional) Check the updated kubeconfig content for the service account:

    kubectl --kubeconfig $SA_KUBECONFIG config view

    This kubeconfig should not contain any other users except the previously added example-sa. The only context is to use this user.

5. Check the operation of the created kubeconfig

Use the kubectl commands and the previously created kubeconfig for the service account to get information about the cluster and its resources, for example:

  1. Get information about the cluster:

    kubectl --kubeconfig $SA_KUBECONFIG cluster-info

  2. Get a list of the main resources in the default namespace:

    kubectl --kubeconfig $SA_KUBECONFIG get all -n default

If the password was not requested when executing the commands, then the resulting kubeconfig can be used in combination with automated tools to access the Cloud Containers cluster.

Revoke the compromised token

If a previously created token or a kubeconfig containing it has been compromised, revoke the token to prevent unauthorized access to the cluster.

To do this, delete the secret that is used to store the token:

kubectl --kubeconfig $VKCLOUD_KUBECONFIG delete secret example-token -n kube-system

Delete unused resources

  1. If you no longer need the created Kubernetes resources, delete them:

    kubectl --kubeconfig $VKCLOUD_KUBECONFIG \  delete clusterrolebinding example-bindingkubectl --kubeconfig $VKCLOUD_KUBECONFIG \  delete secret example-token -n kube-systemkubectl --kubeconfig $VKCLOUD_KUBECONFIG \  delete serviceaccount example-sa -n kube-system

  2. A running Cloud Containers cluster is charged and consumes computing resources. If you don't need it anymore:

Did not find your answer?Write to us

© 2024 VK Cloud
Privacy Policy