admin権限での操作は危険とのことで特定のサービスのみ利用できるkubernetesアカウントを作成する
https://www.digitalocean.com/community/tutorials/how-to-automate-deployments-to-digitalocean-kubernetes-with-circleci
# The project name doubles as the namespace the CI/CD ServiceAccount lives in.
_PROJECTNAME=doks-wp
cd ~/work/"$_PROJECTNAME"

# Heredoc delimiter is deliberately unquoted so $_PROJECTNAME expands in the manifest.
cat > prod/k8s/cicd-service-account.yml <<__EOF__
apiVersion: v1
kind: ServiceAccount
metadata:
  name: cicd
  namespace: $_PROJECTNAME
__EOF__
https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
# Mint a long-lived token for the `cicd` ServiceAccount; the annotation ties the
# Secret to that account. Delete this Secret when the pipeline is retired so the
# token stops working.
cat > prod/k8s/cicd-service-account-token.yml <<__EOF__
apiVersion: v1
kind: Secret
metadata:
  name: cicd-secret
  namespace: $_PROJECTNAME
  annotations:
    kubernetes.io/service-account.name: cicd
type: kubernetes.io/service-account-token
__EOF__
# Create the ServiceAccount, then confirm the token Secret shows up across namespaces.
kubectl apply -f prod/k8s/cicd-service-account.yml
kubectl get secret --all-namespaces | grep cicd
doks-wp cicd-secret kubernetes.io/service-account-token 3 10s
# Check the ServiceAccount exists (the SECRETS column may read 0 even though the
# token Secret above was created manually).
kubectl get sa cicd -n "$_PROJECTNAME"
NAME   SECRETS   AGE
cicd   0         12m
# NOTE: describe prints the decoded bearer token on the terminal — avoid running
# this where the output is captured in logs or shared screens.
kubectl describe secret/cicd-secret -n "$_PROJECTNAME"
Name:         cicd-secret
Namespace:    doks-wp
Labels:
Annotations:  kubernetes.io/service-account.name: cicd
              kubernetes.io/service-account.uid: ace91e33-6044-4407-b19b-06abdf127544
Type:         kubernetes.io/service-account-token

Data
ca.crt:     1155 bytes
namespace:  7 bytes
token:      XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
# Pull the base64-encoded token out of the Secret and keep the decoded bearer
# token in a shell variable only (never write it into the repo).
TOKEN=$(kubectl get secret/cicd-secret -n "$_PROJECTNAME" -o jsonpath='{.data.token}' | base64 --decode)
# Namespaced Role for the pipeline. verbs "*" means create/update/patch/delete
# too, but only on the listed resources: subresources such as pods/exec are not
# granted by "pods" (the exec test further down is expected to be Forbidden).
cat > prod/k8s/cicd-service-account-role.yml <<__EOF__
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: cicd
  namespace: $_PROJECTNAME
rules:
  - apiGroups:
      - ""
      - apps
      - batch
      - extensions
    resources:
      - deployments
      - services
      - replicasets
      - pods
      - jobs
      - cronjobs
    verbs:
      - "*"
__EOF__
kubectl apply -f prod/k8s/cicd-service-account-role.yml
# Bind the namespaced Role to the ServiceAccount. A RoleBinding (not a
# ClusterRoleBinding) keeps the grant confined to this namespace.
cat > prod/k8s/cicd-service-account-role-binding.yml <<__EOF__
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: cicd
  namespace: $_PROJECTNAME
subjects:
  - kind: ServiceAccount
    name: cicd
    namespace: $_PROJECTNAME
roleRef:
  kind: Role
  name: cicd
  apiGroup: rbac.authorization.k8s.io
__EOF__
kubectl apply -f prod/k8s/cicd-service-account-role-binding.yml
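# Resolve the API server URL of the *current* context. Grepping ~/.kube/config
# for "server:" returns one line per cluster, so a kubeconfig with several
# clusters would leave multiple URLs in the variable; --minify limits the view
# to the active context.
KUBERNETES_SERVER=$(kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}')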
pod の一覧取得（list）は許可されていることを確認
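# Authenticate as the ServiceAccount only (empty kubeconfig) and verify the API
# server with the cluster CA shipped in the token Secret. --insecure-skip-tls-verify
# would let a man-in-the-middle on the path read the bearer token.
kubectl get secret/cicd-secret -n "$_PROJECTNAME" -o jsonpath='{.data.ca\.crt}' | base64 --decode > cicd-ca.crt
kubectl --kubeconfig=/dev/null --certificate-authority=cicd-ca.crt --server="$KUBERNETES_SERVER" --token="$TOKEN" get pods -n "$_PROJECTNAME"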
NAME                                READY   STATUS    RESTARTS   AGE
doks-wp-prod-web-848dd47496-5k4mm   1/1     Running   0          2d21h
doks-wp-prod-web-848dd47496-f6ksl   1/1     Running   0          2d21h
exec でコンテナにログインできない（pods/exec が許可されていない）ことを確認
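# Expected to fail: the Role grants "pods" but not the "pods/exec" subresource.
# TLS is verified against the cluster CA from the token Secret rather than skipped.
kubectl get secret/cicd-secret -n "$_PROJECTNAME" -o jsonpath='{.data.ca\.crt}' | base64 --decode > cicd-ca.crt
kubectl --kubeconfig=/dev/null --certificate-authority=cicd-ca.crt --server="$KUBERNETES_SERVER" --token="$TOKEN" -n "$_PROJECTNAME" exec -ti doks-wp-prod-web-848dd47496-5k4mm -- /bin/bash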
Error from server (Forbidden): pods "doks-wp-prod-web-848dd47496-5k4mm" is forbidden: User "system:serviceaccount:doks-wp:cicd" cannot create resource "pods/exec" in API group "" in the namespace "doks-wp"
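# Expected to fail: nodes are cluster-scoped and the account only has a
# namespaced Role. TLS is verified against the cluster CA from the token Secret
# rather than skipped.
kubectl get secret/cicd-secret -n "$_PROJECTNAME" -o jsonpath='{.data.ca\.crt}' | base64 --decode > cicd-ca.crt
kubectl --kubeconfig=/dev/null --certificate-authority=cicd-ca.crt --server="$KUBERNETES_SERVER" --token="$TOKEN" get nodes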
Error from server (Forbidden): nodes is forbidden: User "system:serviceaccount:doks-wp:cicd" cannot list resource "nodes" in API group "" at the cluster scope