Search code examples
kubectlazure-akskubeconfig

kubectl with custom kubeconfig file for a serviceaccount gives unauthorized error

I created a serviceaccount and created a kubeconfig for that service account, but when I ran kubectl --kubeconfig=sa.kubeconfig get nodes or get pods I first got the error: > error: You must be logged in to the server (Unauthorized).
And now I get the message error: the server doesn't have a resource type "svc".

This is the yaml file to create the sa, role and rolebinding 

apiVersion: v1
kind: ServiceAccount
metadata:
  name: default-user
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: default-user
rules:
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - '*'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: default-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: default-user
subjects:
- namespace: default
  kind: ServiceAccount
  name: default-user

I then created the kubeconfig file for the service account.

# your server name goes here
server=https://<server.hcp.westeurope.azmk8s.io:443>
# the name of the secret containing the service account token goes here
name=<default-user-token>

ca=$(kubectl get secret/$name -o jsonpath='{.data.ca\.crt}')
token=$(kubectl get secret/$name -o jsonpath='{.data.token}' | base64)
namespace=$(kubectl get secret/$name -o jsonpath='{.data.namespace}' | base64)

echo "
apiVersion: v1
kind: Config
clusters:
- name: default-cluster
  cluster:
    certificate-authority-data: ${ca}
    server: ${server}
contexts:
- name: default-context
  context:
    cluster: default-cluster
    namespace: default
    user: default-user
current-context: default-context
users:
- name: default-user
  user:
    token: ${token}
" > sa.kubeconfig

Anybody see what I am doing wrong?

Solution

  • This is the correct way to create a config file for a serviceaccount:

    # your server name goes here
server=https://<server.hcp.westeurope.azmk8s.io:443>
# the name of the secret containing the service account token goes here
name=<default-user-token>

ca=$(kubectl get secret/$name -o jsonpath='{.data.ca\.crt}')
token=$(kubectl get secret/$name -o jsonpath='{.data.token}' | base64 -d)
namespace=$(kubectl get secret/$name -o jsonpath='{.data.namespace}' | base64 -d)

echo "
apiVersion: v1
kind: Config
clusters:
- name: default-cluster
  cluster:
    certificate-authority-data: ${ca}
    server: ${server}
contexts:
- name: default-context
  context:
    cluster: default-cluster
    namespace: ${namespace}
    user: default-user
current-context: default-context
users:
- name: default-user
  user:
    token: ${token}
" > sa.kubeconfig