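#!/bin/bash
# Creates a restricted kubeconfig for the oil-calculator namespace only.
# Run on the k8s server as a user with cluster-admin access.
#
# What it does:
#   1. applies a ServiceAccount, a namespace-scoped Role and RoleBinding, and a
#      long-lived service-account-token Secret for the account;
#   2. waits until the token controller has populated that Secret;
#   3. copies the API server address and inline CA from the current context and
#      writes ./kubeconfig (mode 0600) that authenticates as the ServiceAccount.
#
# Optional env overrides (defaults reproduce the original behaviour):
#   NAMESPACE  target namespace            (default: oil-calculator)
#   SA_NAME    ServiceAccount to create    (default: oil-calculator-deployer)
#
# Requires: kubectl configured with cluster-admin, base64 (GNU/Linux).
set -euo pipefail

NAMESPACE=${NAMESPACE:-oil-calculator}
SA_NAME=${SA_NAME:-oil-calculator-deployer}
# Name used for the cluster/context entries inside the generated kubeconfig.
# Kept equal to the namespace so the default output is unchanged.
CLUSTER_ALIAS=${NAMESPACE}
# Bounded wait for the token controller (seconds, polled once per second).
readonly TOKEN_WAIT_SECS=30

die() { printf 'error: %s\n' "$*" >&2; exit 1; }

command -v kubectl >/dev/null || die "kubectl not found in PATH"

echo "Creating ServiceAccount, Role, and RoleBinding..."

# NOTE: the Role grants get/list on "secrets" within the namespace, so the
# holder of the generated kubeconfig can read every Secret there (including
# its own token). Keep this namespace dedicated to the oil-calculator workload.
# The Secret of type kubernetes.io/service-account-token is a long-lived,
# non-expiring credential; revoke it by deleting the Secret.
kubectl apply -f - <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ${SA_NAME}
  namespace: ${NAMESPACE}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ${SA_NAME}-role
  namespace: ${NAMESPACE}
rules:
- apiGroups: ["", "apps", "networking.k8s.io"]
  resources: ["pods", "services", "deployments", "replicasets", "ingresses", "persistentvolumeclaims", "configmaps", "secrets", "pods/log"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ${SA_NAME}-binding
  namespace: ${NAMESPACE}
subjects:
- kind: ServiceAccount
  name: ${SA_NAME}
  namespace: ${NAMESPACE}
roleRef:
  kind: Role
  name: ${SA_NAME}-role
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: v1
kind: Secret
metadata:
  name: ${SA_NAME}-token
  namespace: ${NAMESPACE}
  annotations:
    kubernetes.io/service-account.name: ${SA_NAME}
type: kubernetes.io/service-account-token
EOF

echo "Waiting for token..."

# The token controller fills in .data.token asynchronously; a fixed sleep is a
# race, so poll until the field is non-empty or the wait budget is exhausted.
TOKEN=
for ((attempt = 1; attempt <= TOKEN_WAIT_SECS; attempt++)); do
  # kubectl stderr is silenced on purpose: "not found" while the Secret is
  # still being created is expected and would only be noise here.
  TOKEN=$(kubectl get secret "${SA_NAME}-token" -n "${NAMESPACE}" \
    -o jsonpath='{.data.token}' 2>/dev/null | base64 -d) || TOKEN=
  [[ -n "${TOKEN}" ]] && break
  sleep 1
done
[[ -n "${TOKEN}" ]] \
  || die "token was not populated in ${NAMESPACE}/${SA_NAME}-token after ${TOKEN_WAIT_SECS}s"

# Get cluster info from the current (admin) context.
CLUSTER_SERVER=$(kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}')
# --raw is required, otherwise certificate data is redacted in the output.
CLUSTER_CA=$(kubectl config view --raw --minify -o jsonpath='{.clusters[0].cluster.certificate-authority-data}')
[[ -n "${CLUSTER_SERVER}" ]] \
  || die "could not determine the API server address from the current context"
# A context that references a certificate-authority *file* has no inline data;
# silently writing an empty field would produce a kubeconfig that fails TLS.
[[ -n "${CLUSTER_CA}" ]] \
  || die "current context has no inline certificate-authority-data; only inline CA data is copied"

# The kubeconfig contains a bearer token: create it unreadable to others, and
# fix the mode as well in case the file already existed with a looser mode.
umask 077
cat > kubeconfig <<EOF
apiVersion: v1
kind: Config
clusters:
- cluster:
    certificate-authority-data: ${CLUSTER_CA}
    server: ${CLUSTER_SERVER}
  name: ${CLUSTER_ALIAS}
contexts:
- context:
    cluster: ${CLUSTER_ALIAS}
    namespace: ${NAMESPACE}
    user: ${SA_NAME}
  name: ${CLUSTER_ALIAS}
current-context: ${CLUSTER_ALIAS}
users:
- name: ${SA_NAME}
  user:
    token: ${TOKEN}
EOF
chmod 600 kubeconfig

echo "Kubeconfig written to ./kubeconfig"
echo "Test with: KUBECONFIG=./kubeconfig kubectl get pods"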