Generating Service Accounts for Kubernetes on any platform
Fernando Barreiro edited this page Nov 6, 2020 · 12 revisions
A simple method to create service accounts on any Kubernetes cluster (i.e. not bound to the IAM of a particular cloud provider) is the following. This solution is based on this documentation: https://docs.armory.io/docs/armory-admin/manual-service-account/

- Create the harvester service account, role and role binding.

Create the file harvester-service-account.yaml with the following content (the Role is namespaced, so the service account only gets these rights inside the default namespace):

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: harvester
  namespace: default
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: harvester-role
  namespace: default
rules:
- apiGroups: ["*"]
  resources: ["secrets","jobs","pods"]
  verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: harvester-rb
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: harvester-role
subjects:
- namespace: default
  kind: ServiceAccount
  name: harvester
```
Create the objects in Kubernetes:

```
>>> kubectl create -f harvester-service-account.yaml
```
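The Role above grants `apiGroups: ["*"]` and `verbs: ["*"]` on secrets, jobs and pods, which is more than a pod-submission service usually needs. The following added example (not part of the Harvester project) audits a Role's `rules` list for wildcard grants and rewrites it into explicit per-API-group rules. The rules are embedded as the dicts `yaml.safe_load` would produce for the manifest above, so no cluster or YAML library is needed; the verb list passed to `tighten_rules` is an assumption, since the page does not state which verbs Harvester actually uses.

```python
"""Audit a Kubernetes Role for wildcard grants and propose a tightened form."""
from typing import Dict, List

# Pods and Secrets live in the core ("") API group; Jobs live in "batch".
# Deliberately limited to the resource kinds named in the page's Role.
API_GROUP_FOR: Dict[str, str] = {
    "pods": "",
    "secrets": "",
    "jobs": "batch",
}

# Constructed inline: the `rules` list of harvester-role as a YAML parser would load it.
HARVESTER_RULES: List[dict] = [
    {"apiGroups": ["*"], "resources": ["secrets", "jobs", "pods"], "verbs": ["*"]},
]


def find_wildcards(rules: List[dict]) -> List[str]:
    """Return one finding per rule field (apiGroups, resources, verbs) that contains '*'."""
    findings = []
    for i, rule in enumerate(rules):
        for field in ("apiGroups", "resources", "verbs"):
            if "*" in rule.get(field, []):
                findings.append(f"rule[{i}].{field} grants '*'")
    return findings


def tighten_rules(rules: List[dict], verbs_needed: List[str]) -> List[dict]:
    """Rewrite each rule into explicit per-API-group rules.

    A wildcard verb list is replaced by verbs_needed (caller-supplied assumption);
    an explicit verb list is kept as-is. Wildcard or unknown resources are refused
    rather than guessed.
    """
    tightened = []
    for rule in rules:
        verbs = list(verbs_needed) if "*" in rule.get("verbs", []) else list(rule["verbs"])
        by_group: Dict[str, List[str]] = {}
        for resource in rule.get("resources", []):
            if resource == "*":
                raise ValueError("resources: ['*'] cannot be tightened automatically")
            group = API_GROUP_FOR.get(resource)
            if group is None:
                raise ValueError(f"unknown API group for resource {resource!r}")
            by_group.setdefault(group, []).append(resource)
        for group, resources in sorted(by_group.items()):
            tightened.append({"apiGroups": [group], "resources": resources, "verbs": verbs})
    return tightened


if __name__ == "__main__":
    for finding in find_wildcards(HARVESTER_RULES):
        print("finding:", finding)
    for rule in tighten_rules(HARVESTER_RULES, ["get", "list", "watch", "create", "delete"]):
        print("tightened:", rule)
```

After replacing the wildcard rule with the tightened output, re-run `find_wildcards` on the new rules and confirm Harvester still works against a test queue; if a verb is missing, the API server's 403 message names the exact verb and resource to add.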
- Generate the kubeconfig file that needs to be set in Harvester.

Create the script kubeconfig_generator.sh with the following content. It reads the token from the secret Kubernetes attaches to the service account, copies the current kubeconfig, reduces it to the current cluster and replaces the user entry with the service account token:

```bash
#!/bin/bash
# Generate a standalone kubeconfig that authenticates as the harvester service account.

SERVICE_ACCOUNT_NAME=harvester
CONTEXT=$(kubectl config current-context)
NAMESPACE=default
NEW_CONTEXT=harvester-context
KUBECONFIG_FILE="kubeconfig-harvester"

# Name of the token secret attached to the service account
SECRET_NAME=$(kubectl get serviceaccount ${SERVICE_ACCOUNT_NAME} \
  --context ${CONTEXT} \
  --namespace ${NAMESPACE} \
  -o jsonpath='{.secrets[0].name}')
if [ -z "${SECRET_NAME}" ]; then
  echo "No token secret attached to service account ${SERVICE_ACCOUNT_NAME} in ${NAMESPACE}" >&2
  # works whether the script is sourced or executed
  return 1 2>/dev/null || exit 1
fi

# Bearer token stored base64-encoded in the secret
TOKEN_DATA=$(kubectl get secret ${SECRET_NAME} \
  --context ${CONTEXT} \
  --namespace ${NAMESPACE} \
  -o jsonpath='{.data.token}')
TOKEN=$(echo ${TOKEN_DATA} | base64 -d)

# Create dedicated kubeconfig
# Create a full copy
kubectl config view --raw > ${KUBECONFIG_FILE}.full.tmp
# Switch working context to correct context
kubectl --kubeconfig ${KUBECONFIG_FILE}.full.tmp config use-context ${CONTEXT}
# Minify
kubectl --kubeconfig ${KUBECONFIG_FILE}.full.tmp \
  config view --flatten --minify > ${KUBECONFIG_FILE}.tmp
# Rename context
kubectl config --kubeconfig ${KUBECONFIG_FILE}.tmp \
  rename-context ${CONTEXT} ${NEW_CONTEXT}
# Create token user
kubectl config --kubeconfig ${KUBECONFIG_FILE}.tmp \
  set-credentials ${CONTEXT}-${NAMESPACE}-token-user \
  --token ${TOKEN}
# Set context to use token user
kubectl config --kubeconfig ${KUBECONFIG_FILE}.tmp \
  set-context ${NEW_CONTEXT} --user ${CONTEXT}-${NAMESPACE}-token-user
# Set context to correct namespace
kubectl config --kubeconfig ${KUBECONFIG_FILE}.tmp \
  set-context ${NEW_CONTEXT} --namespace ${NAMESPACE}
# Flatten/minify kubeconfig
kubectl config --kubeconfig ${KUBECONFIG_FILE}.tmp \
  view --flatten --minify > ${KUBECONFIG_FILE}
# Remove tmp
rm ${KUBECONFIG_FILE}.full.tmp
rm ${KUBECONFIG_FILE}.tmp
```
Run the script; it generates a file called kubeconfig-harvester, which is the one to put on the Harvester instance:

```
>>> source kubeconfig_generator.sh
>>> ls -lrt
...
-rw-r--r-- 1 fbarreir staff 3055 Nov 6 11:53 kubeconfig-harvester
...
```
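The generated file embeds a bearer token, so two things are worth checking before copying it to the Harvester instance: that the token is really bound to the harvester service account in the intended namespace, and that the file is not readable by other users (the `ls` output above shows a 644 mode). The added example below (not part of the Harvester project) extracts the `token:` value from a flattened kubeconfig, decodes the JWT payload without verifying the signature (the API server verifies it on use), reports the namespace and service account claims, and checks the file mode. The sample kubeconfig and its unsigned token are constructed inline so the script runs offline. The decoded claims also show whether the token has an `exp` claim: the legacy secret-backed tokens this page uses never expire, and on Kubernetes 1.24 and later such secrets are no longer created automatically, so `.secrets[0].name` comes back empty; there the token secret has to be created explicitly, or `kubectl create token harvester` can issue a bound, expiring token instead.

```python
"""Inspect the bearer token embedded in a generated kubeconfig before deploying it."""
import base64
import json
import os
import re
import stat
import tempfile
from typing import Dict, Optional

# Claim names the API server puts into legacy service-account JWTs.
SA_NAMESPACE_CLAIM = "kubernetes.io/serviceaccount/namespace"
SA_NAME_CLAIM = "kubernetes.io/serviceaccount/service-account.name"


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def extract_token(kubeconfig_text: str) -> Optional[str]:
    """Return the first `token:` value in a flattened kubeconfig (regex; no YAML dependency)."""
    match = re.search(r"^\s*token:\s*(\S+)\s*$", kubeconfig_text, re.MULTILINE)
    return match.group(1) if match else None


def decode_claims(token: str) -> Dict:
    """Return the JWT payload claims. The signature is NOT verified here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def check_binding(claims: Dict, namespace: str, service_account: str) -> Dict[str, bool]:
    """Report whether the token is bound to the expected identity and whether it expires."""
    return {
        "namespace_ok": claims.get(SA_NAMESPACE_CLAIM) == namespace,
        "service_account_ok": claims.get(SA_NAME_CLAIM) == service_account,
        "expires": "exp" in claims,
    }


def world_or_group_readable(path: str) -> bool:
    """True if the file mode grants any permission bit to group or others."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IRWXG | stat.S_IRWXO))


def write_temp_kubeconfig(text: str, mode: int) -> str:
    """Write text to a temporary file with an explicit mode and return its path."""
    fd, path = tempfile.mkstemp(prefix="kubeconfig-harvester-")
    with os.fdopen(fd, "w") as handle:
        handle.write(text)
    os.chmod(path, mode)  # explicit, so the process umask does not matter
    return path


def make_sample_kubeconfig() -> str:
    """Constructed sample: a flattened kubeconfig carrying a fake, unsigned legacy SA token."""
    def seg(obj: Dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    payload = {
        "iss": "kubernetes/serviceaccount",
        SA_NAMESPACE_CLAIM: "default",
        SA_NAME_CLAIM: "harvester",
        "sub": "system:serviceaccount:default:harvester",
    }
    token = f"{seg({'alg': 'RS256'})}.{seg(payload)}.FAKE-SIGNATURE"
    return (
        "apiVersion: v1\nkind: Config\n"
        "contexts:\n- name: harvester-context\n  context:\n"
        "    namespace: default\n    user: token-user\n"
        "users:\n- name: token-user\n  user:\n"
        f"    token: {token}\n"
    )


if __name__ == "__main__":
    path = write_temp_kubeconfig(make_sample_kubeconfig(), 0o644)
    claims = decode_claims(extract_token(open(path).read()))
    print(check_binding(claims, "default", "harvester"))
    print("readable by group/others:", world_or_group_readable(path))
    os.remove(path)
```

To run it against the real file, read `kubeconfig-harvester` instead of the sample and fix a `True` from `world_or_group_readable` with `chmod 600` before the file leaves the machine.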