{"id":20972599,"url":"https://github.com/vbem/kubeconfig4sa","last_synced_at":"2025-10-06T01:20:00.198Z","repository":{"id":65162196,"uuid":"476765075","full_name":"vbem/kubeconfig4sa","owner":"vbem","description":"An action generates Kubernetes kubeconfig file for service account","archived":false,"fork":false,"pushed_at":"2023-10-21T07:21:38.000Z","size":29,"stargazers_count":4,"open_issues_count":0,"forks_count":1,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-05-14T02:06:09.926Z","etag":null,"topics":["actions","bearer-token","context","k8s","kubeconfig","kubectl","kubernetes","sa","service-account"],"latest_commit_sha":null,"homepage":"https://github.com/marketplace/actions/kubeconfig-for-service-account-sa","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/vbem.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":null,"support":null}},"created_at":"2022-04-01T15:01:47.000Z","updated_at":"2023-03-22T03:45:53.000Z","dependencies_parsed_at":"2023-02-17T16:16:13.285Z","dependency_job_id":null,"html_url":"https://github.com/vbem/kubeconfig4sa","commit_stats":null,"previous_names":[],"tags_count":6,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vbem%2Fkubeconfig4sa","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vbem%2Fkubeconfig4sa/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vbem%2Fkubeconfig4sa/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vbem%2Fkubeconfig4sa/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/vbem","download_url":"https://codeload.github.com/vbem/kubeconfig4sa/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254131998,"owners_count":22020060,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["actions","bearer-token","context","k8s","kubeconfig","kubectl","kubernetes","sa","service-account"],"created_at":"2024-11-19T04:08:57.021Z","updated_at":"2025-10-06T01:19:55.139Z","avatar_url":"https://github.com/vbem.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"[![Testing](https://github.com/vbem/kubeconfig4sa/actions/workflows/test.yml/badge.svg)](https://github.com/vbem/kubeconfig4sa/actions/workflows/test.yml)\n[![Super Linter](https://github.com/vbem/kubeconfig4sa/actions/workflows/linter.yml/badge.svg)](https://github.com/vbem/kubeconfig4sa/actions/workflows/linter.yml)\n[![GitHub release (latest SemVer)](https://img.shields.io/github/v/release/vbem/kubeconfig4sa?label=Release\u0026logo=github)](https://github.com/vbem/kubeconfig4sa/releases)\n[![Marketplace](https://img.shields.io/badge/GitHub%20Actions-Marketplace-blue?logo=github)](https://github.com/marketplace/actions/kubeconfig-for-service-account-sa)\n\n## About\n\nThis action can be used to generate [*kubeconfig file*](https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/) for [Kubernetes native *Service Accounts* (SA)](https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/).\n\nIt's advised to use **Kubernetes native SA** for deployment workflows rather than cloud provider's User accounts because:\n- User accounts are for humans. Service accounts are for processes.\n- User accounts are intended to be global. Names must be unique across all namespaces of a cluster. Service accounts are namespaced.\n- Typically, a cluster's user accounts might be synced from a corporate database or cloud IAM, where new user account creation requires special privileges and is tied to complex business processes. Service account creation is intended to be more lightweight, allowing cluster users to create service accounts for specific tasks by following the principle of least privilege.\n\nMeanwhile, as mentioned in GitHub official document: [**Never use structured data as a secret**](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-secrets). Put base64 content of whole *kubeconfig file* into a GitHub secret can cause secret redaction within logs to fail! Instead, create individual secrets for each sensitive value, such as *CA data* of cluster \u0026 *bearer token* of service account.\n\n## Example usage\n\n```yaml\n- name: Setup KUBECONFIG\n  uses: vbem/kubeconfig4sa@v1\n  with:\n    server:     https://your-kubeapi-server:6443\n    ca-base64:  ${{ secrets.K8S_CA_BASE64 }}\n    token:      ${{ secrets.K8S_SA_TOKEN }}\n    namespace:  MYNS\n\n- name: Deploy K8s manifest files\n  run: kubectl apply -f .\n```\n\n![Example](https://repository-images.githubusercontent.com/476765075/c8bf8e19-72f4-4904-b820-200b2b474d0d \"vbem/kubeconfig4sa\")\n\n## SA preparation\n\nAssuming you need to create a service account `deployer` for namespace `MYNS`, and then deploy K8s manifest files via this action.\n\nFirst, you may need to [create a SA](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#service-account-tokens) in you K8s cluster:\n```shell\nkubectl create sa deployer -n MYNS\n```\n\nThen, [grant particular permissions](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#service-account-permissions) to this SA:\n```shell\nkubectl create rolebinding deployer --clusterrole=cluster-admin --serviceaccount=MYNS:deployer\n```\n\nAfter that, extract *Certificate Authority base64 data* \u0026 *bearer token* from [*associated secret* of this SA](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#service-account-tokens):\n```shell\nas=$(kubectl get sa deployer -n MYNS -o jsonpath='{.secrets[0].name}') \u0026\u0026 echo \"associated secret: $as\"\nca=$(kubectl get secret $as -n MYNS -o jsonpath='{.data.ca\\.crt}') \u0026\u0026 echo \"K8S_CA_BASE64: $ca\"\nto=$(kubectl get secret $as -n MYNS -o jsonpath='{.data.token}'|base64 -d) \u0026\u0026 echo \"K8S_SA_TOKEN: $to\"\n```\n\nRemember to store both `K8S_CA_BASE64` \u0026 `K8S_SA_TOKEN` in your Git repository [*Encrypted secrets*](https://docs.github.com/en/actions/security-guides/encrypted-secrets) or [*Environment secrets*](https://docs.github.com/en/actions/deployment/targeting-different-environments/using-environments-for-deployment#environment-secrets).\n\n## Inputs\n\nID | Type | Default | Description\n--- | --- | --- | ---\n`server` | String | *Required input* | K8s cluster API server URL\n`ca-base64` | String  | *Required input* | K8s cluster Certificate Authority data base64\n`cluster` | String | Host part of `server` | K8s cluster name in kubeconfig file\n`token` | String | *Required input* | Service Account bearer token\n`sa` | String | `sa` | Service Account name in kubeconfig file\n`context` | String | `\u003csa\u003e@\u003ccluster\u003e` | Context name in kubeconfig file\n`namespace` | String | `\u003cempty\u003e` | Context namespace in kubeconfig file\n`current` | Bool | `true` | Set as current-context in kubeconfig file\n`kubeconfig` | String | `\u003crunner.temp\u003e/\u003ccontext\u003e.kubeconfig` | Path of kubeconfig file\n`export` | Bool | `true` | Set the KUBECONFIG environment variable available to subsequent steps\n`version` | Bool | `true` | Show client and server version information for the current context\n\n## Outputs\n\nID | Type | Description\n--- | --- | ---\n`context` | String | Context name in kubeconfig file\n`kubeconfig` | String | Path of kubeconfig file","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fvbem%2Fkubeconfig4sa","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fvbem%2Fkubeconfig4sa","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fvbem%2Fkubeconfig4sa/lists"}