# Generate Kubernetes credentials In order to use our products, a Kubernetes credentials file – commonly called *kubeconfig* file – is required to **grant us access and permissions** to your cluster. This guide will walk you through the generation process of a *kubeconfig* file for a specific service account of your cluster. ## :bullettrain\_front: Automatic generation If you’re in a hurry, or don’t want to get lost in commands, you can use our [hand-crafted Bash script](https://download.kubolabs.io/scripts/create_kubeconfig) which will do the heavy lifting for you! It takes the service account name as its sole argument and will generate the file in the current directory. {% tabs %} {% tab title="curl" %} ```bash curl -sO https://download.kubolabs.io/scripts/create_kubeconfig chmod +x create_kubeconfig ./create_kubeconfig ``` {% endtab %} {% tab title="wget" %} ```bash wget -q https://download.kubolabs.io/scripts/create_kubeconfig chmod +x create_kubeconfig ./create_kubeconfig ``` {% endtab %} {% endtabs %} {% hint style="warning" %} Change `` with the name of the service account you wish to create a *kubeconfig* file for. For KuboScore, it should be `ksa-kuboscore`. For KuboVisor, it should be `ksa-kubovisor`. {% endhint %} {% hint style="info" %} If you want to use a different namespace, cluster or context, just use the `--namespace`, `--cluster` and `--context` flags like you would normally do with `kubectl`. {% endhint %} ## :snail: Manual generation *Don’t trust our Bash script? Don’t have Bash? We got you covered!* ### :pencil: Prerequisites Following content assumes that [**`kubectl` binary**](https://kubernetes.io/docs/tasks/tools/#kubectl) **is installed** on your system and you have permissions to **get** the following objects from the namespace where the service account lives: * *ServiceAccounts* * *Secrets* Execute the following commands to make sure you have enough permissions. {% hint style="warning" %} Replace `` with the actual name of the namespace. {% endhint %} ```shell kubectl auth can-i get serviceaccount --namespace= kubectl auth can-i get secret --namespace= ``` If you have the right permissions, both commands should return `yes` as a result. If the output to one of these commands is `no`, it means the credentials you’re using don’t have enough permissions to get the requested resource. Make sure you’re using the correct credentials or contact your cluster administrator. ### :key: Credentials generation #### Prepare your environment {% hint style="warning" %} Replace `` by the actual namespace name and `` by the actual service account name. {% endhint %}
Differences between Kubernetes 1.24+ and before If your cluster version is 1.24+ (or if you have the *`LegacyServiceAccountTokenNoAutoGeneration`* feature gate enabled), you will have to manually generate an authentication token by creating the following Secret for the ServiceAccount. {% code title="sa-secret.yaml" %} ```yaml apiVersion: v1 kind: Secret metadata: namespace: name: annotations: kubernetes.io/service-account.name: type: kubernetes.io/service-account-token ``` {% endcode %} Apply the Secret on your cluster to generate the ServiceAccount token: ```bash kubectl apply -f sa-secret.yaml ``` **Replace `` by the name of this Secret.** If your cluster version is below 1.24, **the Secret is created by Kubernetes with the same name as the ServiceAccount.**
```shell export NS= export SA= export SEC_NAME= export SEC_TK=$(kubectl -n ${NS} get secret ${SEC_NAME} -o jsonpath='{.data.token}' | base64 --decode) export CA=$(kubectl -n ${NS} get secret ${SEC_NAME} -o jsonpath='{.data.ca\.crt}') export CUR_CTX=$(kubectl config current-context) export CUR_CLUST=$(kubectl config view -o "jsonpath={.contexts[?(@.name==\"${CUR_CTX}\")].context.cluster}") export CUR_SRV=$(kubectl config view -o "jsonpath={.clusters[?(@.name==\"${CUR_CLUST}\")].cluster.server}") ``` #### Generate the file ```shell cat < kubeconfig-$SA.yaml apiVersion: v1 kind: Config clusters: - name: ${CUR_CLUST} cluster: certificate-authority-data: ${CA} server: ${CUR_SRV} contexts: - name: ${CUR_CTX} context: cluster: ${CUR_CLUST} namespace: default user: ${SA} current-context: ${CUR_CTX} users: - name: ${SA} user: token: ${SEC_TK} EOF ``` ## :weary: Troubleshooting #### I can’t connect to my cluster ``` The connection to the server XXX was refused - did you specify the right host or port? ``` In this case, make sure that you’re connected to the internet or to a network (eg. VPN) from which you can access your cluster. If the problem persists, please contact your cluster administrator. #### I can’t use the generated credentials file with your products! ``` Error from server (Forbidden): XXX is forbidden: User "system:serviceaccount:kube-system:ksa-kuboscore" cannot ``` The service account you specified doesn’t have enough permissions. [Please contact us](mailto:techsupport@kubolabs.io). --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.kubolabs.io/guides/generate-kubernetes-credentials.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.