{"id":289,"date":"2023-07-29T20:32:00","date_gmt":"2023-07-29T20:32:00","guid":{"rendered":"http:\/\/blog.firatyasar.com\/?p=289"},"modified":"2024-03-29T20:51:51","modified_gmt":"2024-03-29T20:51:51","slug":"create-kubeconfig-for-kubernetes-service-account","status":"publish","type":"post","link":"https:\/\/blog.firatyasar.com\/?p=289","title":{"rendered":"Create Kubeconfig for Kubernetes Service Account"},"content":{"rendered":"\n

Kubernetes cluster y\u00f6netirken en \u00f6nemli konulardan birisi belirli service accountlar\u0131 i\u00e7in kubeconfig dosyas\u0131 olu\u015fturmakt\u0131r. Service accountlar\u0131 i\u00e7in olu\u015fturulan kubeconfig dosyalar\u0131 CICD ara\u00e7lar\u0131 yada farkl\u0131 tool’lar\u0131n cluster’a eri\u015fimleri i\u00e7in kullan\u0131l\u0131r. Kubernetes RBAC ile bu kubeconfig dosyalar\u0131n\u0131n belirli service accountlar i\u00e7in belirli yetkilerde olmas\u0131n\u0131 sa\u011flayabilirsiniz.<\/p>\n\n\n\n

\u015eimdi olu\u015fturaca\u011f\u0131m\u0131z bir service account i\u00e7in kubeconfig dosyas\u0131 nas\u0131l olu\u015fturulur ve nas\u0131l yetki atamas\u0131 yap\u0131l\u0131r birlikte g\u00f6zlemleyelim.<\/p>\n\n\n\n

\u00d6ncelikle a\u015fa\u011f\u0131daki definition file ile bir service account olu\u015ftural\u0131m.<\/p>\n\n\n\n

apiVersion: v1\nkind: ServiceAccount\nmetadata:\n  name: cicd-admin-account\n  namespace: kube-system<\/code><\/pre>\n\n\n\n
# Create service account\nkubectl apply -f service-account.yaml<\/code><\/pre>\n\n\n\n
Bu i\u015flemin ard\u0131ndan service account belirtilen namespace i\u00e7erisinde olu\u015fturulacakt\u0131r.<\/p>\n\n\n\n
\u0130kinci olarak olu\u015fturulan bu service account’a cluster seviyesinde admin rolu atamak i\u00e7in a\u015fa\u011f\u0131daki rolebinding definition file’\u0131n\u0131 apply edelim. Burada bu kubeconfig cicd tool taraf\u0131ndan kullan\u0131laca\u011f\u0131 i\u00e7in b\u00fct\u00fcn namespace’lerde yetkili olmas\u0131n\u0131 istiyorum. Bu sebeple kolayl\u0131k olsun diye cluster seviyesinde admin rol\u00fc atad\u0131m. Siz daha restricted rol atamas\u0131 yaparak g\u00fcvenlik \u00f6nlemlerinizi artt\u0131rabilirsiniz. Test ortam\u0131 i\u00e7in g\u00fcvenlik k\u0131sm\u0131n\u0131 ikinci plana b\u0131rakt\u0131m diyebiliriz \ud83d\ude42<\/p>\n\n\n\n
apiVersion: rbac.authorization.k8s.io\/v1\nkind: ClusterRoleBinding\nmetadata:\n  name: marsneo-admin-binding\nroleRef:\n  apiGroup: rbac.authorization.k8s.io\n  kind: ClusterRole\n  name: cluster-admin\nsubjects:\n- kind: ServiceAccount\n  name: cicd-admin-account\n  namespace: kube-system<\/code><\/pre>\n\n\n\n
# Create cluster role binding for service account\nkubectl apply -f clusterrolebinding.yaml<\/code><\/pre>\n\n\n\n
3. ad\u0131mda ise olu\u015fturulan service account’a ait bir token \u00fcretmemiz gerekiyor. Bu token’\u0131 \u00fcretip bir secret \u00fczerinde based64 encoded olarak tutmal\u0131y\u0131z. Bu sebeple a\u015fa\u011f\u0131daki secret definition dosyas\u0131n\u0131 kullanarak gerekli secret objesini olu\u015fturmal\u0131y\u0131z.<\/p>\n\n\n\n
apiVersion: v1\nkind: Secret\nmetadata:\n  annotations:\n    kubernetes.io\/service-account.name: cicd-admin-account\n  name: cicd-admin-account\n  namespace: kube-system\ntype: kubernetes.io\/service-account-token<\/code><\/pre>\n\n\n\n
Bu i\u015flemin ard\u0131ndan gerekli token service account i\u00e7in olu\u015fturulacak ve secret \u00fczerinde encrypted olarak tutulacakt\u0131r. Olu\u015fturulan token’\u0131 get etmek i\u00e7in a\u015fa\u011f\u0131daki komutu \u00e7al\u0131\u015ft\u0131rman\u0131 yeterlidir.<\/p>\n\n\n\n
# retrieve token from secret\nkubectl get secret cicd-admin-account -n kube-system -o jsonpath='{.data.token}' | base64 -d<\/code><\/pre>\n\n\n\n
olu\u015fturulan token’\u0131 kullan\u0131p kubeconfig dosyas\u0131n\u0131 update ettikten sonra cluster’\u0131n\u0131za kolayl\u0131kla ba\u011flanabilirsiniz.<\/p>\n\n\n\n
apiVersion: v1\nclusters:\n- cluster:\n    certificate-authority-data: <ca data>\n    server: <server url>\n  name: k8s-server\ncontexts:\n- context:\n    cluster: k8s-server\n    user: cicd-user\n  name: k8s-server-context\ncurrent-context: k8s-server-context\nkind: Config\npreferences: {}\nusers:\n- name: cicd-user\n  user:\n    token: <service account token><\/code><\/pre>\n\n\n\n
\"Mastering<\/figure>\n\n\n\n
Gerekli update i\u015flemleri yap\u0131ld\u0131ktan sonra kubeconfig dosyas\u0131n\u0131 ilgili cicd tool’una entegre ederek pipeline’lar\u0131n cluster’a eri\u015fimlerini organize edebilirsiniz.<\/p>\n\n\n\n
G\u00f6r\u00fc\u015fmek \u00fczere \ud83d\ude09<\/p>\n\n\n\n
F\u0131rat<\/p>\n","protected":false},"excerpt":{"rendered":"
Kubernetes cluster y\u00f6netirken en \u00f6nemli konulardan birisi belirli service accountlar\u0131 i\u00e7in kubeconfig dosyas\u0131 olu\u015fturmakt\u0131r. Service accountlar\u0131 i\u00e7in olu\u015fturulan kubeconfig dosyalar\u0131 CICD ara\u00e7lar\u0131 yada farkl\u0131 tool’lar\u0131n cluster’a eri\u015fimleri i\u00e7in kullan\u0131l\u0131r. Kubernetes RBAC ile bu kubeconfig dosyalar\u0131n\u0131n belirli service accountlar i\u00e7in belirli yetkilerde olmas\u0131n\u0131 sa\u011flayabilirsiniz. \u015eimdi olu\u015fturaca\u011f\u0131m\u0131z bir service account i\u00e7in kubeconfig dosyas\u0131 nas\u0131l olu\u015fturulur ve nas\u0131l\u2026 Read More »<\/a><\/span><\/p>\n","protected":false},"author":1,"featured_media":290,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[1],"tags":[5,107,104,105,103,106],"_links":{"self":[{"href":"https:\/\/blog.firatyasar.com\/index.php?rest_route=\/wp\/v2\/posts\/289"}],"collection":[{"href":"https:\/\/blog.firatyasar.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.firatyasar.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.firatyasar.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.firatyasar.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=289"}],"version-history":[{"count":1,"href":"https:\/\/blog.firatyasar.com\/index.php?rest_route=\/wp\/v2\/posts\/289\/revisions"}],"predecessor-version":[{"id":291,"href":"https:\/\/blog.firatyasar.com\/index.php?rest_route=\/wp\/v2\/posts\/289\/revisions\/291"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blog.firatyasar.com\/index.php?rest_route=\/wp\/v2\/media\/290"}],"wp:attachment":[{"href":"https:\/\/blog.firatyasar.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=289"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.firatyasar.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=289"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.firatyasar.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=289"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}