Provide a command that produces a kubeconfig file that includes a token for a specially created service account that is bound to a cluster-admin role.
Command should (using --kubeconfig):
create a new service account
bind the service account to the referenced cluster role
issue a token request or create a secret of type kubernetes.io/service-account-token (tutorial)
return a kubeconfig file where the token is used as the user context
Something like
kyma alpha access --clusterrole={clusterRoleName} --kubeconfig={inputKubeconfig} --output=kubeconfig-sa.yaml --name={my-service-account}, where:
--name - name of the new SA to be created by kyma cli (mandatory)
--clusterrole - mandatory - decides which role to bind to the new SA
--kubeconfig - mandatory (can be consumed from KUBECONFIG env)
--output - path where to save the output kubeconfig file (optional; if skipped, print the kubeconfig (?))
--namespace - optional (by default create service account in default namespace)
--time - optional (by default grant access for 1h); accepts an integer in hours or days. For example --time 3h or --time 2d
--permanent - optional; creates an access token based on a secret without any time limit
A similar feature exists in the Kyma dashboard on the service account detail view.
Reasons
It doesn't yet solve getting a kubeconfig for a freshly created cluster in an automated way, but it reduces the effort of manual configuration until we finally solve the problem. Kyma users are forced to do it (see example) until there is a real solution.
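
The manual equivalent of the steps listed under "Command should", as an added example in kubectl shell (not Kyma CLI code and not the proposed implementation). It assumes kubectl 1.24 or later for kubectl create token and an admin kubeconfig in KUBECONFIG; the function names, the "-binding" suffix and the "cluster" entry name are made up for illustration, and only the time-limited path is shown, not --permanent.

```shell
#!/bin/sh
# Added example, not Kyma CLI code. Assumes kubectl >= 1.24 (kubectl create token)
# and that KUBECONFIG points at an admin kubeconfig for the target cluster.
set -eu

# Map the proposed --time value (3h, 2d) to a kubectl --duration value in hours.
to_duration() {
  t="${1:-1h}"; n="${t%[hd]}"
  case "$n" in ''|*[!0-9]*|0*) echo "invalid --time value: $t" >&2; return 1 ;; esac
  case "$t" in
    *h) echo "${n}h" ;;
    *d) echo "$((n * 24))h" ;;
    *)  echo "invalid --time value: $t" >&2; return 1 ;;
  esac
}

# Print a kubeconfig whose user is the SA token. Args: name server ca_data token
render_kubeconfig() {
  cat <<EOF
apiVersion: v1
kind: Config
clusters:
- {name: cluster, cluster: {server: "$2", certificate-authority-data: "$3"}}
users:
- {name: "$1", user: {token: "$4"}}
contexts:
- {name: "$1", context: {cluster: cluster, user: "$1"}}
current-context: "$1"
EOF
}

# Hypothetical wrapper. Args: name clusterrole [namespace] [time] [output]
grant_access() {
  name=$1; role=$2; ns=${3:-default}; out=${5:-kubeconfig-sa.yaml}
  dur=$(to_duration "${4:-1h}")
  kubectl create serviceaccount "$name" -n "$ns"
  kubectl create clusterrolebinding "${name}-binding" \
    --clusterrole="$role" --serviceaccount="$ns:$name"
  token=$(kubectl create token "$name" -n "$ns" --duration="$dur")
  server=$(kubectl config view --minify --flatten -o jsonpath='{.clusters[0].cluster.server}')
  ca=$(kubectl config view --minify --flatten \
    -o jsonpath='{.clusters[0].cluster.certificate-authority-data}')
  # The file holds a bearer token: write it readable by the owner only.
  ( umask 077; render_kubeconfig "$name" "$server" "$ca" "$token" > "$out" )
}

if [ "$#" -ge 2 ]; then grant_access "$@"; fi
```

The API server may return a token with a shorter lifetime than requested, so the expiry should be checked rather than assumed.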