Configuring Service Account tokens to a Kubeconfig file – Way to Automation and Pipelines

Configuring Service Account Tokens To A Kubeconfig File

Hello, readers!! This article talks about configuring service account tokens in a kubeconfig file for use in automation and pipelines.

So, let us begin!! 🙂


Why configure service account tokens to a kubeconfig file?

When we provision a Kubernetes cluster, users will usually access the cluster locally, that is, from their own workstations.

For the same, when the cluster is up, a kubeconfig file helps users authenticate themselves. This kind of authentication is of great help when it comes to accessing the cluster locally.

However, this kind of authentication through kubeconfig does not help us when we want to have automation through CI/CD pipelines or Kubernetes cronjobs. The authentication token is temporary and cluster-specific while automation solutions require long-lasting and generic tokens.

For the same, we have the concept of Configuring service account tokens to a kubeconfig file.

Yes, using a Kubernetes service account for authentication in CI/CD pipelines is one of the best practices. A Kubernetes service account associates itself with an authentication token that gets saved as a secret.

We can utilize the token of this service account to authenticate with the cluster, after which we can run automated pipelines or cronjobs. With this, the token stays safe in the secret and it does not need recreation.

Now, we will be having a look at the practical way of setting up service account tokens through kubeconfig files.


Steps to configure service account tokens to a kubeconfig file

At first, we will be needing a service account in the namespace where we want our workloads to be deployed.

Have a look at the below command-

kubectl -n namespace_name create serviceaccount <service-account-name>

Once the service account gets created, we need to give it the necessary permissions on the cluster.

In the context of this topic, we will be granting the cluster-admin role, which allows any action on any resource in the cluster, to the service account as shown-

kubectl create clusterrolebinding <clusterrole-binding-name> --clusterrole=cluster-admin --serviceaccount=namespace_name:<service-account-name>

Now, we will be fetching the name of the secret configured for the service account using the below JSONPath query-

Secret_name=`kubectl -n namespace_name get serviceaccount/<service-account-name> -o jsonpath='{.secrets[0].name}'`

It returns a secret name associated with the service account within the namespace. We then store it into a local variable for further use.

Having said that, we now pass the secret name to the below command to fetch the authentication token and store it into a variable.

TOKEN=`kubectl -n namespace_name get secret $Secret_name -o jsonpath='{.data.token}'| base64 --decode`

Now, the variable TOKEN contains the authentication token of the service account in an encoded format.

As now we have our token with us, we need to make an entry of it in the kubeconfig file. For the same, we make use of the token to set the credentials with the service account-user:

kubectl config set-credentials <service-account-name> --token=$TOKEN

This makes an entry in the kubeconfig file stored in the .kube folder in the root directory, and it makes the defined service account one of the users listed in the kubeconfig file.

Finally, we set the current context to the service account user specified above.

kubectl config set-context --current --user=<service-account-name>

And now is the time to cross-check whether the service account is able to perform the tasks in accordance with the role set.

Run kubectl get pods or kubectl auth can-i get pods --as system:serviceaccount:namespace_name:<service-account-name> to know whether the access is set up correctly.

We can then utilize the same kubeconfig file in the containers to run a Kubernetes cronjob. Also, we can include the kubeconfig as a secret to be used in the CI/CD pipeline.
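
The steps above collected into one script, as an added example that is not part of the original article. It goes a little further than the steps: it creates the token secret itself when the service account lists none (the case on Kubernetes 1.24 and later, where `.secrets[0].name` comes back empty), and it writes a separate kubeconfig file with the cluster CA embedded instead of editing the current one. The function names, the `<service-account-name>-token` secret name and the `ci` cluster entry are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not from the original article. Assumed names: sa_token_secret,
# write_sa_kubeconfig, the "<sa>-token" Secret name and the "ci" cluster entry.

# Print the name of a token Secret for service account $2 in namespace $1.
# Where none is listed (.secrets is empty, as on Kubernetes 1.24+), create a
# kubernetes.io/service-account-token Secret bound to the account.
sa_token_secret() {
  local ns="$1" sa="$2" name
  name=$(kubectl -n "$ns" get serviceaccount "$sa" -o jsonpath='{.secrets[0].name}')
  if [ -z "$name" ]; then
    name="${sa}-token"
    kubectl -n "$ns" apply -f - >/dev/null <<EOF || return 1
apiVersion: v1
kind: Secret
metadata:
  name: ${name}
  annotations:
    kubernetes.io/service-account.name: ${sa}
type: kubernetes.io/service-account-token
EOF
  fi
  printf '%s\n' "$name"
}

# Write a kubeconfig for the account to file $4 (API server URL in $3),
# leaving the operator's own kubeconfig untouched.
write_sa_kubeconfig() {
  local ns="$1" sa="$2" server="$3" out="$4" secret token="" ca try
  secret=$(sa_token_secret "$ns" "$sa") || return 1
  for try in 1 2 3 4 5; do   # the token field is filled in asynchronously
    token=$(kubectl -n "$ns" get secret "$secret" -o jsonpath='{.data.token}' | base64 -d)
    [ -n "$token" ] && break
    sleep 1
  done
  [ -n "$token" ] || { echo "no token in secret $secret" >&2; return 1; }
  ca=$(mktemp)
  kubectl -n "$ns" get secret "$secret" -o jsonpath='{.data.ca\.crt}' | base64 -d > "$ca"
  ( umask 077; : > "$out" )   # the file holds a credential: owner-only access
  kubectl --kubeconfig "$out" config set-cluster ci --server="$server" \
    --certificate-authority="$ca" --embed-certs=true >/dev/null
  kubectl --kubeconfig "$out" config set-credentials "$sa" --token="$token" >/dev/null
  kubectl --kubeconfig "$out" config set-context "$sa" --cluster=ci --user="$sa" \
    --namespace="$ns" >/dev/null
  kubectl --kubeconfig "$out" config use-context "$sa" >/dev/null
  rm -f "$ca"
}
```

Where the pipeline only deploys into one namespace, kubectl -n namespace_name create rolebinding <rolebinding-name> --clusterrole=edit --serviceaccount=namespace_name:<service-account-name> is a narrower grant than the cluster-admin binding used above.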


Conclusion

By this, we have reached the end of this topic. Feel free to comment below, in case you come across any questions.

For more such posts related to Kubernetes, stay tuned with us.

Till then, Keep Learning and Happy Analyzing!! 🙂
