Creating custom kubeconfig with limited access to K8s cluster


In this blog, we will go step by step through creating a custom kubeconfig file with limited access to a Kubernetes cluster using a service account, a secret token and RBAC.

These are the ways to authenticate with Kubernetes:

  1. X509 Client Certificates
  2. Bearer Tokens
  3. Authentication Proxy
  4. HTTP Basic Authentication
  5. OpenID Connect Tokens
  6. Service Account Tokens — We will be focusing on this method
  7. Webhook Token Authentication

Note: For this demo, I am using an AWS EKS cluster, but the same steps apply to Kubernetes running anywhere. Moreover, this lab assumes that you have access to create, manage and view the ClusterRole, Role, ClusterRoleBinding, RoleBinding, ServiceAccount and Secret API resources.

Let’s start with creating a custom RBAC role for our users.

There are two kinds of role:

The ClusterRole API resource, as the name says, grants access at the cluster level, whereas with a Role you restrict access to a single namespace.

We will create both ClusterRole and Role in this demo for our users Adam and Bill.

Adam is our Senior DevOps Engineer and works on multiple projects. Hence, we will create a ClusterRole for him, which does not restrict his permissions at the namespace level but only at the resource level.

Bill is a Junior DevOps Engineer who has recently joined the team and is working on the Brown Fox project. Hence, we will create a Role for him to restrict his permissions at both the namespace and the resource level.

ClusterRole for Adam:

Role for Bill:

Let us now bind the ClusterRole to Adam using the ClusterRoleBinding API resource.

For Bill, we will be using the RoleBinding API resource.

We are now required to create a Service Account for both Adam and Bill, which the bindings we created above attach to their roles.

Service Account for Adam:

Service Account for Bill:

Now we need to create the tokens using the Secret API resource; these tokens will be used in our kubeconfig files.

Secret for Adam:

Secret for Bill:

Finally, let us generate the kubeconfig files for Adam and Bill.

Sample File:

We need to replace all the values within curly braces with their actual values, so let’s keep going.

Type the command below to fetch the certificate and server information:

Copy the certificate-authority-data, server and name fields from the output and replace their respective placeholders in the sample file.

It’s now time to grab the secret token. Use the following command:

Copy the token value and paste it into the sample file. The kubeconfig file is now complete and should look like this:

Note: You will have to generate a separate kubeconfig file for Bill using his secret.

Note: The actual values are truncated for security reasons.

To test the custom kubeconfig file, type the following command:

You should receive output with Adam's kubeconfig file but not with Bill's, since Bill's Role is limited to his namespace.
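The assembly step above, as an added example that is not from the original post: a shell function that fills the sample file's placeholders from the values you collected, plus a check that no curly-brace placeholder was left behind. The names (adam, brown-fox, demo-cluster) and the sample values are assumptions constructed for illustration; the kubectl commands in the comments are the stock ones for reading those values from your admin kubeconfig.

```shell
#!/bin/sh
# build_kubeconfig <cluster-name> <server-url> <ca-data> <user> <namespace> <token>
# Emits a kubeconfig that authenticates with a service-account bearer token.
build_kubeconfig() {
  cat <<EOF
apiVersion: v1
kind: Config
clusters:
- name: $1
  cluster:
    certificate-authority-data: $3
    server: $2
users:
- name: $4
  user:
    token: $6
contexts:
- name: $4@$1
  context:
    cluster: $1
    user: $4
    namespace: $5
current-context: $4@$1
EOF
}

# Returns success only when no {placeholder} from the sample file remains.
placeholders_filled() {
  ! printf '%s\n' "$1" | grep -q '{[A-Za-z_-]*}'
}

# On a real cluster these values come from your existing admin kubeconfig:
#   kubectl config view --minify --raw -o jsonpath='{.clusters[0].name}'
#   kubectl config view --minify --raw -o jsonpath='{.clusters[0].cluster.server}'
#   kubectl config view --minify --raw -o jsonpath='{.clusters[0].cluster.certificate-authority-data}'
# and the token from the service account's secret (name is an assumption):
#   kubectl -n brown-fox get secret bill-token -o jsonpath='{.data.token}' | base64 -d
# Constructed sample values so the function can be exercised offline:
SAMPLE_CA=$(printf 'constructed-ca' | base64)
SAMPLE_TOKEN='constructed-token-value'

if [ "${1:-}" = "demo" ]; then
  build_kubeconfig demo-cluster https://example.invalid:6443 "$SAMPLE_CA" \
    bill brown-fox "$SAMPLE_TOKEN"
fi
```

Write the output to a file and point kubectl at it with `--kubeconfig` to run the test command from the post.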

Bingo! You have created kubeconfig files for Adam and Bill with limited access to the Kubernetes cluster.

Originally published at https://vimalpaliwal.com on December 2, 2019.
