# Generate Kubernetes credentials

In order to use our products, a Kubernetes credentials file – commonly called *kubeconfig* file – is required to **grant us access and permissions** to your cluster.

This guide will walk you through the generation process of a *kubeconfig* file for a specific service account of your cluster.

## :bullettrain\_front: Automatic generation

If you’re in a hurry, or don’t want to get lost in commands, you can use our [hand-crafted Bash script](https://download.kubolabs.io/scripts/create_kubeconfig) which will do the heavy lifting for you! It takes the service account name as its sole argument and will generate the file in the current directory.

{% tabs %}
{% tab title="curl" %}

```bash
curl -sO https://download.kubolabs.io/scripts/create_kubeconfig
chmod +x create_kubeconfig
./create_kubeconfig <myserviceaccount>
```

{% endtab %}

{% tab title="wget" %}

```bash
wget -q https://download.kubolabs.io/scripts/create_kubeconfig
chmod +x create_kubeconfig
./create_kubeconfig <myserviceaccount>
```

{% endtab %}
{% endtabs %}

{% hint style="warning" %}
Change `<myserviceaccount>` with the name of the service account you wish to create a *kubeconfig* file for. For KuboScore, it should be `ksa-kuboscore`. For KuboVisor, it should be `ksa-kubovisor`.
{% endhint %}

{% hint style="info" %}
If you want to use a different namespace, cluster or context, just use the `--namespace`, `--cluster` and `--context` flags like you would normally do with `kubectl`.
{% endhint %}

## :snail: Manual generation

*Don’t trust our Bash script? Don’t have Bash? We got you covered!*

### :pencil: Prerequisites

Following content assumes that [**`kubectl` binary**](https://kubernetes.io/docs/tasks/tools/#kubectl) **is installed** on your system and you have permissions to **get** the following objects from the namespace where the service account lives:

* *ServiceAccounts*
* *Secrets*

Execute the following commands to make sure you have enough permissions.

{% hint style="warning" %}
Replace `<namespace>` with the actual name of the namespace.
{% endhint %}

```shell
kubectl auth can-i get serviceaccount --namespace=<namespace>
kubectl auth can-i get secret --namespace=<namespace>
```

If you have the right permissions, both commands should return `yes` as a result.

If the output to one of these commands is `no`, it means the credentials you’re using don’t have enough permissions to get the requested resource. Make sure you’re using the correct credentials or contact your cluster administrator.

### :key: Credentials generation

#### Prepare your environment

{% hint style="warning" %}
Replace `<namespace>` by the actual namespace name and `<service_account_name>` by the actual service account name.
{% endhint %}

<details>

<summary><strong>Differences between Kubernetes 1.24+ and before</strong></summary>

If your cluster version is 1.24+ (or if you have the *`LegacyServiceAccountTokenNoAutoGeneration`* feature gate enabled), you will have to manually generate an authentication token by creating the following Secret for the ServiceAccount.

{% code title="sa-secret.yaml" %}

```yaml
apiVersion: v1
kind: Secret
metadata:
  namespace: <namespace>
  name: <service_account_name>
  annotations:
    kubernetes.io/service-account.name: <service_account_name>
type: kubernetes.io/service-account-token
```

{% endcode %}

Apply the Secret on your cluster to generate the ServiceAccount token:

```bash
kubectl apply -f sa-secret.yaml
```

**Replace `<service_account_secret_name>` by the name of this Secret.**

If your cluster version is below 1.24, **the Secret is created by Kubernetes with the same name as the ServiceAccount.**

</details>

```shell
export NS=<namespace>
export SA=<service_account_name>
export SEC_NAME= <service_account_secret_name>
export SEC_TK=$(kubectl -n ${NS} get secret ${SEC_NAME} -o jsonpath='{.data.token}' | base64 --decode)
export CA=$(kubectl -n ${NS} get secret ${SEC_NAME} -o jsonpath='{.data.ca\.crt}')
export CUR_CTX=$(kubectl config current-context)
export CUR_CLUST=$(kubectl config view -o "jsonpath={.contexts[?(@.name==\"${CUR_CTX}\")].context.cluster}")
export CUR_SRV=$(kubectl config view -o "jsonpath={.clusters[?(@.name==\"${CUR_CLUST}\")].cluster.server}")
```

#### Generate the file

```shell
cat <<EOF > kubeconfig-$SA.yaml
apiVersion: v1
kind: Config
clusters:
- name: ${CUR_CLUST}
  cluster:
    certificate-authority-data: ${CA}
    server: ${CUR_SRV}
contexts:
- name: ${CUR_CTX}
  context:
    cluster: ${CUR_CLUST}
    namespace: default
    user: ${SA}
current-context: ${CUR_CTX}
users:
- name: ${SA}
  user:
    token: ${SEC_TK}
EOF
```

## :weary: Troubleshooting

#### I can’t connect to my cluster

```
The connection to the server XXX was refused - did you specify the right host or port?
```

In this case, make sure that you’re connected to the internet or to a network (eg. VPN) from which you can access your cluster.

If the problem persists, please contact your cluster administrator.

#### I can’t use the generated credentials file with your products!

```
Error from server (Forbidden): XXX is forbidden: User "system:serviceaccount:kube-system:ksa-kuboscore" cannot
```

The service account you specified doesn’t have enough permissions. [Please contact us](mailto:techsupport@kubolabs.io).