Generate Kubernetes credentials

In order to use our products, a Kubernetes credentials file, commonly called a kubeconfig file, is required to grant us access and permissions to your cluster.

This guide will walk you through the generation process of a kubeconfig file for a specific service account of your cluster.

🚅 Automatic generation

If you're in a hurry, or don't want to get lost in commands, you can use our hand-crafted Bash script, which will do the heavy lifting for you! It takes the service account name as its sole argument and generates the file in the current directory.

curl -sO https://download.kubolabs.io/scripts/create_kubeconfig
chmod +x create_kubeconfig
./create_kubeconfig <myserviceaccount>

Replace <myserviceaccount> with the name of the service account you wish to create a kubeconfig file for. For KuboScore, it should be ksa-kuboscore. For KuboVisor, it should be ksa-kubovisor.

If you want to use a different namespace, cluster or context, just use the --namespace, --cluster and --context flags like you would normally do with kubectl.

๐ŸŒ Manual generation

Don't trust our Bash script? Don't have Bash? We've got you covered!

๐Ÿ“ Prerequisites

The following content assumes that the kubectl binary is installed on your system and that you have permission to get the following objects from the namespace where the service account lives:

  • ServiceAccounts

  • Secrets

Execute the following commands to make sure you have enough permissions.

Replace <namespace> with the actual name of the namespace.

kubectl auth can-i get serviceaccount --namespace=<namespace>
kubectl auth can-i get secret --namespace=<namespace>

If you have the right permissions, both commands should return yes as a result.

If the output of one of these commands is no, it means the credentials you're using don't have enough permissions to get the requested resource. Make sure you're using the correct credentials or contact your cluster administrator.

🔑 Credentials generation

Prepare your environment

Replace <namespace> with the actual namespace name and <service_account_name> with the actual service account name.

Differences between Kubernetes 1.24+ and before

If your cluster version is 1.24+ (or if you have the LegacyServiceAccountTokenNoAutoGeneration feature gate enabled), you will have to manually generate an authentication token by creating the following Secret for the ServiceAccount.

sa-secret.yaml
apiVersion: v1
kind: Secret
metadata:
  namespace: <namespace>
  name: <service_account_name>
  annotations:
    kubernetes.io/service-account.name: <service_account_name>
type: kubernetes.io/service-account-token

Apply the Secret on your cluster to generate the ServiceAccount token:

kubectl apply -f sa-secret.yaml

Replace <service_account_secret_name> with the name of this Secret.

If your cluster version is below 1.24, the Secret is created by Kubernetes with the same name as the ServiceAccount.

export NS=<namespace>
export SA=<service_account_name>
export SEC_NAME=<service_account_secret_name>
export SEC_TK=$(kubectl -n ${NS} get secret ${SEC_NAME} -o jsonpath='{.data.token}' | base64 --decode)
export CA=$(kubectl -n ${NS} get secret ${SEC_NAME} -o jsonpath='{.data.ca\.crt}')
export CUR_CTX=$(kubectl config current-context)
export CUR_CLUST=$(kubectl config view -o "jsonpath={.contexts[?(@.name==\"${CUR_CTX}\")].context.cluster}")
export CUR_SRV=$(kubectl config view -o "jsonpath={.clusters[?(@.name==\"${CUR_CLUST}\")].cluster.server}")

Generate the file

cat <<EOF > kubeconfig-$SA.yaml
apiVersion: v1
kind: Config
clusters:
- name: ${CUR_CLUST}
  cluster:
    certificate-authority-data: ${CA}
    server: ${CUR_SRV}
contexts:
- name: ${CUR_CTX}
  context:
    cluster: ${CUR_CLUST}
    namespace: default
    user: ${SA}
current-context: ${CUR_CTX}
users:
- name: ${SA}
  user:
    token: ${SEC_TK}
EOF
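Before handing the generated file out, it is worth checking that the token you extracted into SEC_TK really belongs to the intended ServiceAccount, and remembering that a Secret-based token has no expiry. The following Python script is an added example, not part of this guide or its Bash script: it reads the JWT claims without verifying the signature (the API server does that) and compares them with the expected namespace and account name; the sample token is constructed here, with a placeholder signature.

```python
import base64
import json
import time


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_sa_token(token: str) -> dict:
    """Return the claims of a service-account JWT. The signature is NOT
    verified here (the API server does that); this only reads the claims."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def check_sa_token(token: str, namespace: str, sa_name: str) -> list:
    """Return findings about the token; an empty list means it matches."""
    claims = decode_sa_token(token)
    findings = []
    expected_sub = f"system:serviceaccount:{namespace}:{sa_name}"
    if claims.get("sub") != expected_sub:
        findings.append(f"subject is {claims.get('sub')!r}, expected {expected_sub!r}")
    # Secret-based tokens (the kind this guide extracts) carry no 'exp'
    # claim, so they stay valid until the Secret or ServiceAccount is deleted.
    if "exp" not in claims:
        findings.append("token has no 'exp' claim: it does not expire")
    elif claims["exp"] < time.time():
        findings.append("token has already expired")
    return findings


def _make_unsigned_jwt(claims: dict) -> str:
    # Builds a constructed sample token; the signature is a placeholder.
    enc = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=")
    header = enc(b'{"alg":"RS256","kid":"sample"}')
    payload = enc(json.dumps(claims).encode())
    return b".".join([header, payload, b"placeholder"]).decode()


# Constructed sample: a legacy Secret-based token for ksa-kuboscore in kube-system.
SAMPLE_TOKEN = _make_unsigned_jwt({
    "iss": "kubernetes/serviceaccount",
    "kubernetes.io/serviceaccount/namespace": "kube-system",
    "kubernetes.io/serviceaccount/service-account.name": "ksa-kuboscore",
    "sub": "system:serviceaccount:kube-system:ksa-kuboscore",
})
```

On a real cluster, pass the decoded token the guide exports as SEC_TK together with NS and SA, e.g. check_sa_token(os.environ["SEC_TK"], os.environ["NS"], os.environ["SA"]); any finding about the subject means the Secret you read is not the one you meant.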

😩 Troubleshooting

I can't connect to my cluster

The connection to the server XXX was refused - did you specify the right host or port?

In this case, make sure that you're connected to the internet or to a network (e.g. a VPN) from which you can access your cluster.

If the problem persists, please contact your cluster administrator.

I can't use the generated credentials file with your products!

Error from server (Forbidden): XXX is forbidden: User "system:serviceaccount:kube-system:ksa-kuboscore" cannot

The service account you specified doesn't have enough permissions. Please contact us.
