Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/vbem/kubeconfig4sa
An action generates Kubernetes kubeconfig file for service account
https://github.com/vbem/kubeconfig4sa
actions bearer-token context k8s kubeconfig kubectl kubernetes sa service-account
Last synced: about 10 hours ago
JSON representation
An action generates Kubernetes kubeconfig file for service account
- Host: GitHub
- URL: https://github.com/vbem/kubeconfig4sa
- Owner: vbem
- License: apache-2.0
- Created: 2022-04-01T15:01:47.000Z (over 2 years ago)
- Default Branch: main
- Last Pushed: 2023-10-21T07:21:38.000Z (about 1 year ago)
- Last Synced: 2024-11-15T01:40:25.323Z (5 days ago)
- Topics: actions, bearer-token, context, k8s, kubeconfig, kubectl, kubernetes, sa, service-account
- Homepage: https://github.com/marketplace/actions/kubeconfig-for-service-account-sa
- Size: 28.3 KB
- Stars: 4
- Watchers: 1
- Forks: 1
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- License: LICENSE
- Codeowners: .github/CODEOWNERS
Awesome Lists containing this project
README
[](https://github.com/vbem/kubeconfig4sa/actions/workflows/test.yml)
[](https://github.com/vbem/kubeconfig4sa/actions/workflows/linter.yml)
[](https://github.com/vbem/kubeconfig4sa/releases)
[](https://github.com/marketplace/actions/kubeconfig-for-service-account-sa)
## About
This action can be used to generate [*kubeconfig file*](https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/) for [Kubernetes native *Service Accounts* (SA)](https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/).
It's advised to use **Kubernetes native SA** for deployment workflows rather than cloud provider's User accounts because:
- User accounts are for humans. Service accounts are for processes.
- User accounts are intended to be global. Names must be unique across all namespaces of a cluster. Service accounts are namespaced.
- Typically, a cluster's user accounts might be synced from a corporate database or cloud IAM, where new user account creation requires special privileges and is tied to complex business processes. Service account creation is intended to be more lightweight, allowing cluster users to create service accounts for specific tasks by following the principle of least privilege.
Meanwhile, as mentioned in GitHub official document: [**Never use structured data as a secret**](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-secrets). Put base64 content of whole *kubeconfig file* into a GitHub secret can cause secret redaction within logs to fail! Instead, create individual secrets for each sensitive value, such as *CA data* of cluster & *bearer token* of service account.
## Example usage
```yaml
- name: Setup KUBECONFIG
uses: vbem/kubeconfig4sa@v1
with:
server: https://your-kubeapi-server:6443
ca-base64: ${{ secrets.K8S_CA_BASE64 }}
token: ${{ secrets.K8S_SA_TOKEN }}
namespace: MYNS
- name: Deploy K8s manifest files
run: kubectl apply -f .
```
## SA preparation
Assuming you need to create a service account `deployer` for namespace `MYNS`, and then deploy K8s manifest files via this action.
First, you may need to [create a SA](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#service-account-tokens) in you K8s cluster:
```shell
kubectl create sa deployer -n MYNS
```
Then, [grant particular permissions](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#service-account-permissions) to this SA:
```shell
kubectl create rolebinding deployer --clusterrole=cluster-admin --serviceaccount=MYNS:deployer
```
After that, extract *Certificate Authority base64 data* & *bearer token* from [*associated secret* of this SA](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#service-account-tokens):
```shell
as=$(kubectl get sa deployer -n MYNS -o jsonpath='{.secrets[0].name}') && echo "associated secret: $as"
ca=$(kubectl get secret $as -n MYNS -o jsonpath='{.data.ca\.crt}') && echo "K8S_CA_BASE64: $ca"
to=$(kubectl get secret $as -n MYNS -o jsonpath='{.data.token}'|base64 -d) && echo "K8S_SA_TOKEN: $to"
```
Remember to store both `K8S_CA_BASE64` & `K8S_SA_TOKEN` in your Git repository [*Encrypted secrets*](https://docs.github.com/en/actions/security-guides/encrypted-secrets) or [*Environment secrets*](https://docs.github.com/en/actions/deployment/targeting-different-environments/using-environments-for-deployment#environment-secrets).
## Inputs
ID | Type | Default | Description
--- | --- | --- | ---
`server` | String | *Required input* | K8s cluster API server URL
`ca-base64` | String | *Required input* | K8s cluster Certificate Authority data base64
`cluster` | String | Host part of `server` | K8s cluster name in kubeconfig file
`token` | String | *Required input* | Service Account bearer token
`sa` | String | `sa` | Service Account name in kubeconfig file
`context` | String | `@` | Context name in kubeconfig file
`namespace` | String | `` | Context namespace in kubeconfig file
`current` | Bool | `true` | Set as current-context in kubeconfig file
`kubeconfig` | String | `/.kubeconfig` | Path of kubeconfig file
`export` | Bool | `true` | Set the KUBECONFIG environment variable available to subsequent steps
`version` | Bool | `true` | Show client and server version information for the current context
## Outputs
ID | Type | Description
--- | --- | ---
`context` | String | Context name in kubeconfig file
`kubeconfig` | String | Path of kubeconfig file