We’ll create a namespace named funland and show how to use a token to access it.
Create a Namespace
kubectl create namespace funland
Create a Service Account
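This creates a new service account and an “owner” role, then binds the role to both the new service account and the namespace's default service account. The role allows every verb on every resource in funland, and pods that do not name a service account run as default, so any pod started in the namespace gets the same access.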
kubectl -n funland apply -f- <<YAML
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: funland-sa
  namespace: funland
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: funland-owner
  namespace: funland
rules:
  - apiGroups: ["*"]
    resources: ["*"]
    verbs: ["*"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: funland-binding
  namespace: funland
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: funland-owner
subjects:
  - kind: ServiceAccount
    name: default
    namespace: funland
  - kind: ServiceAccount
    name: funland-sa
    namespace: funland
YAML
Get the token for the team
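# Step by Step
# (Relies on the token secret Kubernetes auto-creates for a service account; clusters from v1.24 on no longer create it.)
SECRET_NAME=$(kubectl -n funland get secrets | awk '/funland-sa/ {print $1}')
TOKEN=$(kubectl -n funland get secrets "${SECRET_NAME}" -o jsonpath='{.data.token}' | base64 --decode)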
# ** OR ** All at once
TOKEN=$(kubectl -n funland get secrets $(kubectl -n funland get secrets | awk '/funland-sa/ {print $1}') -o jsonpath='{.data.token}' | base64 --decode)
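The token is a JWT, so its claims can be read before it is handed over. The following is an added example, not part of the original page: it checks that a token's sub claim names the intended service account. The function names and the unsigned sample token are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): inspect which identity a
# service account token carries before it is transferred.
# This reads the claims only; it does NOT verify the signature.

# Decode one base64url segment: JWTs use '-' and '_' and drop '=' padding.
b64url_decode() {
  seg=$(printf '%s' "$1" | tr '_-' '/+')
  while [ $(( ${#seg} % 4 )) -ne 0 ]; do seg="${seg}="; done
  printf '%s' "$seg" | base64 -d
}

# Print the JSON claims, i.e. the second dot-separated segment of the token.
token_claims() {
  payload=$(printf '%s' "$1" | cut -s -d. -f2)
  [ -n "$payload" ] || return 1
  b64url_decode "$payload"
}

# Succeed only if the "sub" claim is exactly system:serviceaccount:<ns>:<sa>.
token_is_for() {
  claims=$(token_claims "$1" | tr -d ' \t\n')
  printf '%s' "$claims" | grep -qF "\"sub\":\"system:serviceaccount:$2:$3\""
}

# Build a constructed, unsigned sample token so the example runs offline.
sample_token() {
  body=$(printf '{"iss":"kubernetes/serviceaccount","sub":"system:serviceaccount:%s:%s"}' "$1" "$2" \
    | base64 | tr -d '=\n' | tr '/+' '_-')
  printf 'e30.%s.constructed-signature' "$body"
}

TOKEN_SAMPLE=$(sample_token funland funland-sa)
if token_is_for "$TOKEN_SAMPLE" funland funland-sa; then
  echo "token belongs to funland/funland-sa"
fi
```

With a real token, run token_is_for "$TOKEN" funland funland-sa on the host where $TOKEN was retrieved.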
Use the Token from another host
The $TOKEN variable is confidential and should be treated with care.
Transfer it carefully to the target client or user.
kubectl config set-credentials funland-sa --token="${TOKEN}"
kubectl config set-cluster funland --server=https://1.2.3.4 --insecure-skip-tls-verify
kubectl config set-context funland --user funland-sa --cluster funland --namespace=funland
kubectl config use-context funland
Take it for a Spin
Verify it has nothing installed
kubectl get all
Check the weather from inside the namespace
kubectl run weather --rm -it --restart='Never' --image curlimages/curl -- wttr.in
Add Certificate Authority
Get certificate-authority-data from the cluster entry for the target server.
kubectl config view --flatten --minify
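Edit ~/.kube/config and replace the insecure-skip-tls-verify entry with the certificate-authority-data entry from the previous step.
We could use the --certificate-authority option of kubectl config set-cluster, but we find this is easier than juggling additional variables.
Here is the kubectl config set-cluster method. --certificate-authority takes the path to a CA certificate file rather than the base64 certificate-authority-data string, so the variable below holds a file path:
kubectl config set-cluster funland --server=https://1.2.3.4 --certificate-authority="${CERT_CA_FILE}" --embed-certs=true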
Cleanup
kubectl delete namespace funland
kubectl config delete-context funland
kubectl config delete-cluster funland
kubectl config delete-user funland-sa