Kubernetes

This page explains how to create a base64-encoded kubeconfig file to interact with a Kubernetes cluster through Runops.

Kubeconfig from an existing config

Use this method in testing environments, such as when evaluating with minikube or a test Kubernetes cluster.

kubectl config view --raw -o json | jq -c . | base64
WARNING

If your local $HOME/.kube/config holds multiple configurations, this command dumps all of them.
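As an added example (not part of the Runops documentation), this Python function takes the base64 output of the command above, keeps only the context, cluster and user that current-context points to, and lists what it dropped. The function names are hypothetical and the sample config is constructed with placeholder values.

```python
import base64
import json

def minify_kubeconfig(b64_config):
    """Return (re-encoded config limited to current-context, dropped entries)."""
    # b64decode ignores the line breaks that the base64 CLI may insert.
    cfg = json.loads(base64.b64decode(b64_config))
    current = cfg.get("current-context")
    ctx = next((c for c in cfg.get("contexts") or [] if c["name"] == current), None)
    if ctx is None:
        raise ValueError(f"current-context {current!r} not found in contexts")
    # The only context, cluster and user the target actually needs.
    keep = {
        "contexts": current,
        "clusters": ctx["context"]["cluster"],
        "users": ctx["context"]["user"],
    }
    dropped = []
    for section, wanted in keep.items():
        entries = cfg.get(section) or []
        dropped += [f"{section}/{e['name']}" for e in entries if e["name"] != wanted]
        cfg[section] = [e for e in entries if e["name"] == wanted]
        if not cfg[section]:
            raise ValueError(f"{section} entry {wanted!r} is missing")
    compact = json.dumps(cfg, separators=(",", ":")).encode()
    return base64.b64encode(compact).decode(), dropped

def sample_kubeconfig():
    """Constructed two-context kubeconfig; every value is a placeholder."""
    cfg = {
        "apiVersion": "v1", "kind": "Config", "current-context": "minikube",
        "clusters": [
            {"name": "minikube", "cluster": {"server": "https://192.0.2.10:8443"}},
            {"name": "prod", "cluster": {"server": "https://prod.example.invalid"}},
        ],
        "contexts": [
            {"name": "minikube", "context": {"cluster": "minikube", "user": "minikube"}},
            {"name": "prod", "context": {"cluster": "prod", "user": "prod-admin"}},
        ],
        "users": [
            {"name": "minikube", "user": {"token": "PLACEHOLDER-TEST-TOKEN"}},
            {"name": "prod-admin", "user": {"token": "PLACEHOLDER-PROD-TOKEN"}},
        ],
    }
    return base64.b64encode(json.dumps(cfg).encode()).decode()

if __name__ == "__main__":
    encoded, dropped = minify_kubeconfig(sample_kubeconfig())
    print("dropped:", dropped)
```

kubectl's own --minify flag on config view restricts the output to the current context at export time; the function above is useful for checking a value that has already been encoded.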

Kubeconfig from a Service Account

All resources we create in this guide are isolated in the runops namespace. You can erase everything created here by deleting this namespace at any point.

  1. Create a Service Account for Runops:
kubectl -n runops create serviceaccount runops-edit
  2. Configure the new service account with the permissions you want the Runops Target you are creating to have. You can copy and paste this example, which grants edit access; make sure it references the service account created in step 1:
cat << EOF | kubectl apply -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: runops-edit
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: edit
subjects:
- kind: ServiceAccount
  name: runops-edit
  namespace: runops
EOF
NOTE

To limit access to a single namespace, change the kind to RoleBinding and set the namespace. Setting roleRef.name to view grants read-only access instead of read and edit.

  3. Set up the following environment variables with the access data needed to produce a new kubeconfig file:
# Name of the token Secret attached to the service account. Kubernetes 1.24 and later
# no longer create this Secret automatically, so the lookup returns an empty value there.
export USER_TOKEN_NAME=$(kubectl -n runops get serviceaccount runops-edit -o=jsonpath='{.secrets[0].name}')
# Decoded bearer token stored in that Secret.
export USER_TOKEN_VALUE=$(kubectl -n runops get "secret/${USER_TOKEN_NAME}" -o=go-template='{{.data.token}}' | base64 --decode)
# Context currently selected in the local kubeconfig, and the cluster it points to.
export CURRENT_CONTEXT=$(kubectl config current-context)
export CURRENT_CLUSTER=$(kubectl config view --raw -o=go-template='{{range .contexts}}{{if eq .name "'"${CURRENT_CONTEXT}"'"}}{{ index .context "cluster" }}{{end}}{{end}}')
# CA bundle (kept base64-encoded, wrapped in double quotes) and API server URL of that cluster.
export CLUSTER_CA=$(kubectl config view --raw -o=go-template='{{range .clusters}}{{if eq .name "'"${CURRENT_CLUSTER}"'"}}"{{with index .cluster "certificate-authority-data" }}{{.}}{{end}}"{{ end }}{{ end }}')
export CLUSTER_SERVER=$(kubectl config view --raw -o=go-template='{{range .clusters}}{{if eq .name "'"${CURRENT_CLUSTER}"'"}}{{ .cluster.server }}{{end}}{{ end }}')
  4. Generate a kubeconfig file with these values:
cat << EOF > runops-edit-config
apiVersion: v1
kind: Config
current-context: ${CURRENT_CONTEXT}
contexts:
- name: ${CURRENT_CONTEXT}
  context:
    cluster: ${CURRENT_CONTEXT}
    user: runops-edit
    namespace: runops
clusters:
- name: ${CURRENT_CONTEXT}
  cluster:
    certificate-authority-data: ${CLUSTER_CA}
    server: ${CLUSTER_SERVER}
users:
- name: runops-edit
  user:
    token: ${USER_TOKEN_VALUE}
EOF
  5. Base64-encode the generated kubeconfig and add the result to the KUBE_CONFIG_DATA variable of your Runops Target:
cat runops-edit-config | base64