Adding a Service Account Authentication Token to a Kubeconfig File

When you set up the kubeconfig file for a cluster, by default it contains an Oracle Cloud Infrastructure CLI command to generate a short-lived, cluster-scoped, user-specific authentication token. The authentication token generated by the CLI command is appropriate to authenticate individual users accessing the cluster using kubectl and the Kubernetes Dashboard.

However, the generated authentication token is not appropriate to authenticate processes and tools accessing the cluster, such as continuous integration and continuous delivery (CI/CD) tools. To ensure access to the cluster, such tools require long-lived, non-user-specific authentication tokens.

One solution is to use a Kubernetes service account, as described in this topic. A service account has an associated service account authentication token, which is stored as a Kubernetes secret. Having created a service account, you bind it to a clusterrolebinding that has cluster administration permissions. You can then add the service account (and its service account authentication token) as a user definition in the kubeconfig file itself. Other tools can then use the service account authentication token when accessing the cluster.

Note that to run the commands in this topic, you must have the appropriate permissions. See About Access Control and Container Engine for Kubernetes.

To add a service account authentication token to a kubeconfig file:

  1. If you haven't already done so, follow the steps to set up the cluster's kubeconfig configuration file and (if necessary) set the KUBECONFIG environment variable to point to the file. Note that you must set up your own kubeconfig file. You cannot access a cluster using a kubeconfig file that a different user set up. See Setting Up Cluster Access.
  2. In a terminal window, create a new service account in the kube-system namespace by entering the following kubectl command:

    $ kubectl -n kube-system create serviceaccount <service-account-name>

    For example, to create a service account called kubeconfig-sa, enter:

    $ kubectl -n kube-system create serviceaccount kubeconfig-sa

    The output from the above command confirms the creation of the service account. For example:

    serviceaccount/kubeconfig-sa created

    Note that creating the service account in the kube-system namespace is recommended good practice, and is assumed in the instructions in this topic. However, if you prefer, you can create the service account in another namespace to which you have access.

  3. Create a new clusterrolebinding with cluster administration permissions and bind it to the service account you just created by entering the following kubectl command:

    $ kubectl create clusterrolebinding <binding-name> --clusterrole=cluster-admin --serviceaccount=kube-system:<service-account-name>

    For example, to create a clusterrolebinding called add-on-cluster-admin and bind it to the kubeconfig-sa service account, enter:

    $ kubectl create clusterrolebinding add-on-cluster-admin --clusterrole=cluster-admin --serviceaccount=kube-system:kubeconfig-sa

    The output from the above command confirms the creation of the clusterrolebinding. For example:

    clusterrolebinding.rbac.authorization.k8s.io/add-on-cluster-admin created
  4. Obtain the name of the service account authentication token and assign its value to an environment variable by entering the following command (these instructions assume you specify TOKENNAME as the name of the environment variable):

    $ TOKENNAME=`kubectl -n kube-system get serviceaccount/<service-account-name> -o jsonpath='{.secrets[0].name}'`

    For example:

    $ TOKENNAME=`kubectl -n kube-system get serviceaccount/kubeconfig-sa -o jsonpath='{.secrets[0].name}'`
  5. Obtain the value of the service account authentication token and assign its value (decoded from base64) to an environment variable. These instructions assume you specify TOKEN as the name of the environment variable. The commands to enter depend on the operating system:

    • To obtain the value of the service account authentication token in a MacOS, Linux, or Unix environment, enter the following command:

      $ TOKEN=`kubectl -n kube-system get secret $TOKENNAME -o jsonpath='{.data.token}'| base64 --decode`
    • To obtain the value of the service account authentication token in a Windows environment:

      1. Enter the following command:

        $ kubectl -n kube-system get secret $TOKENNAME -o jsonpath='{.data.token}'
      2. Copy the output from the above command and paste it into a base64 decoder (for example, https://www.base64decode.org, https://www.base64decode.net, or similar).
      3. Copy the output from the base64 decoder.
      4. Enter the following command:

        $ TOKEN=`[<base64-decoded-output>]`

        where <base64-decoded-output> is the output you copied from the base64 decorder.

  6. Add the service account (and its authentication token) as a new user definition in the kubeconfig file by entering the following kubectl command:

    $ kubectl config set-credentials <service-account-name> --token=$TOKEN

    The service account (and its authentication token) is added to the list of users defined in the kubeconfig file.

    For example, to add the kubeconfig-sa service account and its authentication token to the kubeconfig file, enter:

    $ kubectl config set-credentials kubeconfig-sa --token=$TOKEN

    The output from the above command confirms the service account has been added to the kubeconfig file. For example:

    User "kubeconfig-sa" set.
  7. Set the user specified in the kubeconfig file for the current context to be the new service account user you created, by entering the following kubectl command:

    $ kubectl config set-context --current --user=<service-account-name>

    For example:

    $ kubectl config set-context --current --user=kubeconfig-sa

    The output from the above command confirms the current context has been changed. For example:

    Context "context-ctdiztdhezd" modified.
  8. (Optional) To verify that authentication works as expected, run a kubectl command to confirm that the service account user can be successfully authenticated using the service account authentication token.

    For example, if you have previously deployed a sample Nginx application on the cluster (see Deploying a Sample Nginx App on a Cluster Using Kubectl), enter the following command:

    $ kubectl get pods

    The output from the above command shows the pods running on the cluster. If the command runs successfully, the service account user in the kubeconfig file has been successfully authenticated using the service account authentication token.

  9. Distribute the kubeconfig file as necessary to enable other processes and tools (such as continuous integration and continuous delivery (CI/CD) tools) to access the cluster.
Note

If you subsequently want to remove access to the cluster from the service account, delete the Kubernetes secret containing the service account authentication token by entering the following command:

kubectl -n kube-system delete secret $TOKENNAME