Create cluster role binding for remote access

Published by Jeff Masud on

Create cluster role binding for remote access

Kubernetes

Kubernetes is an open-source container-orchestration system for automating deployment, scaling and management of containers.  Allowing for role based permissions to access and control the cluster or individual namespaces.

Using Kubectl on your local desktop allows you to have remote access to a cluster to deploy and manage pods, for setting up kubectl on your local workstation see my previous posting.

Create Cluster Admin Binding

Since I’m the administrator of the cluster, I need to setup a cluster role that allows remote access so I can fully manage the cluster without needing to log into the cluster over ssh.  These are the step to go through to create an account, and retrieve the token to be used locally on my workstation.

First I’m going to create a service account for myself

[root@kubadm1 ~]# kubectl create serviceaccount jeffmasud
serviceaccount "jeffmasud" created

One thing to keep in mind when doing this, I’m creating the service account in the Default namespace.  You can specify another namespace if need.

Next I’m going to view the yaml from my service account to see that is was created along with a secret which contains the a token.

[root@kubadm1 ~]# kubectl get serviceaccounts jeffmasud -o yaml
[root@kubadm1 ~]# kubectl get secret jeffmasud-token-rdc5j -o yaml

Now that we verified it’s successfully created, I want to create a binding for my service account to the cluster admin to give me access to manage the cluster.

[root@kubadm1 ~]# kubectl create clusterrolebinding jeffmasud-cluster-admin-binding --clusterrole=cluster-admin --serviceaccount=default:jeffmasud

Now the setup on the server cluster is completed.  We now can run a command to retrieve my token, and use that to continue setup of my local kubectl config on my workstation.

[root@kubadm1 ~]# kubectl describe secret $(kubectl get secret | awk '/^jeffmasud-token-/{print $1}') | awk '$1=="token:"{print $2}'

This will output the token.

Now continue with the local workstation setup, using my previous blog.

Categories: Kubernetes
Tags:

Related Posts

Ceph

Rook-Ceph crush map has legacy tunables (require firefly, min is hammer)

Share Tweet Share Email Rook-Ceph crush map has legacy tunables (require firefly, min is hammer) Rook-Ceph Rook turns distributed storage systems into self-managing, self-scaling, self-healing storage services using Ceph. It automates the tasks of a Read more…

Kubernetes

Kubernetes 1.11 API certificate expired

Share Tweet Share Email Kubernetes 1.11 API certificate expired Kubernetes What is Kubernetes?  Kubernetes is an open-source orchestration software for deploying, managing, and scaling containerized workloads on a cluster of servers.  Those servers can be Read more…

Centos

Kubernetes error: namespaces “gitlab-managed-apps” is forbidden: User “system:serviceaccount:gitlab-managed-apps:gitlab-sa” cannot get namespaces in the namespace “gitlab-managed-apps”

Share Tweet Share Email Kubernetes error: namespaces “gitlab-managed-apps” is forbidden: User “system:serviceaccount:gitlab-managed-apps:gitlab-sa” cannot get namespaces in the namespace “gitlab-managed-apps” Updated 9/19/2018: Please take a look at this article, one of my co-workers explains Microservices Workflow Read more…