GitHub Action
KUBECONFIG for Service Account (SA)
This action can be used to generate kubeconfig file for Kubernetes native Service Accounts (SA).
It's advised to use Kubernetes native SA for deployment workflows rather than cloud provider's User accounts because:
- User accounts are for humans. Service accounts are for processes.
- User accounts are intended to be global. Names must be unique across all namespaces of a cluster. Service accounts are namespaced.
- Typically, a cluster's user accounts might be synced from a corporate database or cloud IAM, where new user account creation requires special privileges and is tied to complex business processes. Service account creation is intended to be more lightweight, allowing cluster users to create service accounts for specific tasks by following the principle of least privilege.
Meanwhile, as mentioned in GitHub official document: Never use structured data as a secret. Put base64 content of whole kubeconfig file into a GitHub secret can cause secret redaction within logs to fail! Instead, create individual secrets for each sensitive value, such as CA data of cluster & bearer token of service account.
- name: Setup KUBECONFIG
uses: vbem/kubeconfig4sa@v1
with:
server: https://your-kubeapi-server:6443
ca-base64: ${{ secrets.K8S_CA_BASE64 }}
token: ${{ secrets.K8S_SA_TOKEN }}
namespace: MYNS
- name: Deploy K8s manifest files
run: kubectl apply -f .
Assuming you need to create a service account deployer
for namespace MYNS
, and then deploy K8s manifest files via this action.
First, you may need to create a SA in you K8s cluster:
kubectl create sa deployer -n MYNS
Then, grant particular permissions to this SA:
kubectl create rolebinding deployer --clusterrole=cluster-admin --serviceaccount=MYNS:deployer
After that, extract Certificate Authority base64 data & bearer token from associated secret of this SA:
as=$(kubectl get sa deployer -n MYNS -o jsonpath='{.secrets[0].name}') && echo "associated secret: $as"
ca=$(kubectl get secret $as -n MYNS -o jsonpath='{.data.ca\.crt}') && echo "K8S_CA_BASE64: $ca"
to=$(kubectl get secret $as -n MYNS -o jsonpath='{.data.token}'|base64 -d) && echo "K8S_SA_TOKEN: $to"
Remember to store both K8S_CA_BASE64
& K8S_SA_TOKEN
in your Git repository Encrypted secrets or Environment secrets.
ID | Type | Default | Description |
---|---|---|---|
server |
String | Required input | K8s cluster API server URL |
ca-base64 |
String | Required input | K8s cluster Certificate Authority data base64 |
cluster |
String | Host part of server |
K8s cluster name in kubeconfig file |
token |
String | Required input | Service Account bearer token |
sa |
String | sa |
Service Account name in kubeconfig file |
context |
String | <sa>@<cluster> |
Context name in kubeconfig file |
namespace |
String | <empty> |
Context namespace in kubeconfig file |
current |
Bool | true |
Set as current-context in kubeconfig file |
kubeconfig |
String | <runner.temp>/<context>.kubeconfig |
Path of kubeconfig file |
export |
Bool | true |
Set the KUBECONFIG environment variable available to subsequent steps |
version |
Bool | true |
Show client and server version information for the current context |
ID | Type | Description |
---|---|---|
context |
String | Context name in kubeconfig file |
kubeconfig |
String | Path of kubeconfig file |