Create cluster role binding for remote access


Kubernetes is an open-source container-orchestration system for automating deployment, scaling and management of containers.  Allowing for role based permissions to access and control the cluster or individual namespaces.

Using Kubectl on your local desktop allows you to have remote access to a cluster to deploy and manage pods, for setting up kubectl on your local workstation see my previous posting.

Create Cluster Admin Binding

Since I’m the administrator of the cluster, I need to setup a cluster role that allows remote access so I can fully manage the cluster without needing to log into the cluster over ssh.  These are the step to go through to create an account, and retrieve the token to be used locally on my workstation.

First I’m going to create a service account for myself

[root@kubadm1 ~]# kubectl create serviceaccount jeffmasud
serviceaccount "jeffmasud" created

One thing to keep in mind when doing this, I’m creating the service account in the Default namespace.  You can specify another namespace if need.

Next I’m going to view the yaml from my service account to see that is was created along with a secret which contains the a token.

[root@kubadm1 ~]# kubectl get serviceaccounts jeffmasud -o yaml
[root@kubadm1 ~]# kubectl get secret jeffmasud-token-rdc5j -o yaml

Now that we verified it’s successfully created, I want to create a binding for my service account to the cluster admin to give me access to manage the cluster.

[root@kubadm1 ~]# kubectl create clusterrolebinding jeffmasud-cluster-admin-binding --clusterrole=cluster-admin --serviceaccount=default:jeffmasud

Now the setup on the server cluster is completed.  We now can run a command to retrieve my token, and use that to continue setup of my local kubectl config on my workstation.

[root@kubadm1 ~]# kubectl describe secret $(kubectl get secret | awk '/^jeffmasud-token-/{print $1}') | awk '$1=="token:"{print $2}'

This will output the token.

Now continue with the local workstation setup, using my previous blog.