Hi, I would like to create a custom KUBECONFIG file that is restricted to a specific namespace to give to developers to use.
Has anyone managed to get this working with Rancher?
I have tried the following, e.g. for a namespace called “test”:
$ kubectl config set-context --current --namespace=test
Create a svc account:
$ kubectl create serviceaccount svctest --namespace test
Create a rolebinding with a file like this:
$ cat binding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: svctest
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: svctest
  namespace: test
$ kubectl apply -f binding.yaml
$ kubectl get rolebinding
svctest ClusterRole/cluster-admin 47m
I have also tried with the role of just admin
Get the token for the svc account with:
$ kubectl describe secrets/svctest-token-lbnmf
Now we have all we need for the kubeconfig, I have tried it in 2 ways:
- edit the kubeconfig from the GUI, remove the existing user and add in the new user:
users:
- name: clustername-test-svctest
  user:
    token: eyJhbGciOiJSUzI1NiIsImtpZCI6IkdiTy1VSF94WjlSWWpvbEI1cUtzaENqbVViYn
I have tried lots of different combinations, but whatever I do it does not work:
KUBECONFIG=./config.test2 kubectl --insecure-skip-tls-verify get pods
Please enter Username:
- The other method I have used is to create a KUBECONFIG using the script from the GitHub gist "Create a service account and generate a kubeconfig file for it - this will also set the default namespace for the user" (with a minor edit of changing base64 -D to base64 -d)
This seems to set up everything, although you still have to add the role binding, but again kubectl prompts for username and password.
Many Thanks in advance
Steve
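
An added example, not part of the original post: a hand-edited kubeconfig can end up with a context whose `user` no longer matches any `users` entry, which leaves kubectl without a credential for the current context. The Python sketch below builds a kubeconfig for the `svctest` service account in the `test` namespace and lints it for that mismatch. The function names, the server URL, the CA and token placeholders and the context naming are assumptions made for illustration, and it assumes the server URL points at an API endpoint that accepts service account tokens.

```python
import copy
import json

def build_kubeconfig(cluster, server, ca_b64, namespace, sa_name, token):
    """Kubeconfig dict with one context pinned to `namespace`."""
    user = f"{cluster}-{namespace}-{sa_name}"
    ctx = f"{namespace}@{cluster}"
    return {
        "apiVersion": "v1", "kind": "Config", "current-context": ctx,
        "clusters": [{"name": cluster, "cluster": {
            "server": server, "certificate-authority-data": ca_b64}}],
        "users": [{"name": user, "user": {"token": token}}],
        "contexts": [{"name": ctx, "context": {
            "cluster": cluster, "namespace": namespace, "user": user}}],
    }

def lint_kubeconfig(cfg):
    """List reasons the current context cannot authenticate or is unscoped."""
    users = {u["name"]: u.get("user") or {} for u in cfg.get("users", [])}
    clusters = {c["name"]: c.get("cluster") or {} for c in cfg.get("clusters", [])}
    contexts = {c["name"]: c.get("context") or {} for c in cfg.get("contexts", [])}
    ctx = contexts.get(cfg.get("current-context"))
    if ctx is None:
        return ["current-context does not name an entry in contexts"]
    problems = []
    if ctx.get("cluster") not in clusters:
        problems.append("context.cluster has no matching clusters entry")
    elif not clusters[ctx["cluster"]].get("certificate-authority-data"):
        problems.append("cluster has no CA data, so TLS cannot be verified")
    if ctx.get("user") not in users:
        problems.append("context.user has no matching users entry")
    elif not users[ctx["user"]].get("token"):
        problems.append("user entry has no token")
    if not ctx.get("namespace"):
        problems.append("context has no default namespace")
    return problems

# Constructed placeholder values; none come from a real cluster.
GOOD = build_kubeconfig("clustername", "https://k8s.example.invalid:6443",
                        "PLACEHOLDER_CA_BASE64", "test", "svctest",
                        "PLACEHOLDER_TOKEN")
# Hand-edit case: the users entry was renamed but the context was not updated.
BROKEN = copy.deepcopy(GOOD)
BROKEN["contexts"][0]["context"]["user"] = "clustername"

if __name__ == "__main__":
    print(json.dumps(GOOD, indent=2))  # JSON is valid YAML, so kubectl reads it
    print(lint_kubeconfig(BROKEN))
```

The `namespace` field in the context is only a default for kubectl; what actually limits the service account to `test` is the RoleBinding in that namespace.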