@curx
Created July 29, 2022 09:10
Create a ServiceAccount, a Role and a RoleBinding, then build a dedicated kubeconfig for the byoh-hostagent

Steps to create a dedicated kubeconfig.yaml for a byoh-host

These steps rely on the token Secret that Kubernetes versions before v1.24 create automatically for every ServiceAccount. On v1.24 and later no such Secret exists: either request a token with `kubectl create token byoh-register --namespace my-cluster --duration=<lifetime>` or create a Secret of type `kubernetes.io/service-account-token` annotated with `kubernetes.io/service-account.name: byoh-register`, then read its `token` key as below.

  1. Create files for the needed resources
  • the kustomization.yaml

    ---
    # task: used to deploy the role/binding in the right namespace
    
    # the sa, role and rolebinding resources
    resources:
    - rbac-byoh-register.yml
    
    # the namespace for the byoh objects
    namespace: my-cluster
  • the resource

    ---
    # task: create role
    apiVersion: rbac.authorization.k8s.io/v1
    kind: Role
    metadata:
      name: byoh-register
    rules:
    - apiGroups:
      - ""
      resources:
      - events
      verbs:
      - create
      - get
      - patch
      - update
    - apiGroups:
      - ""
    # NOTE: without resourceNames this rule grants read access to every Secret
    # in the namespace; uncomment to restrict it to named secrets only
    # (here the bootstrap secret of one control-plane machine)
    #  resourceNames:
    #  - cluster1-control-plane-cqmhk
      resources:
      - secrets
      verbs:
      - get
    - apiGroups:
      - infrastructure.cluster.x-k8s.io
      resources:
      - byohosts
      verbs:
      - get
      - list
      - patch
      - update
      - watch
    - apiGroups:
      - infrastructure.cluster.x-k8s.io
      resources:
      - byohosts
      verbs:
      - create
    - apiGroups:
      - infrastructure.cluster.x-k8s.io
      resources:
      - byohosts/status
      verbs:
      - get
      - patch
      - update
    ---
    # task: create rolebinding
    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      name: byoh-register
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: Role
      name: byoh-register
    subjects:
    - kind: ServiceAccount
      name: byoh-register
    ---
    # task: create serviceaccount
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: byoh-register
  2. Create the objects on kubernetes via kustomize (run from the directory holding kustomization.yaml)

    kubectl create --kustomize .
  3. Use the ServiceAccount's JWT (the token value stored in its Secret) as the credential for the byoh-hostagent and create the dedicated kubeconfig

    # set the workload cluster namespace (the one used in kustomization.yaml)
    export WL_NAMESPACE=my-cluster

    # get the token Secret of the serviceaccount and the JWT stored in it
    # (this Secret is only auto-created on kubernetes < v1.24, see above)
    SA_SECRET="$( kubectl get serviceaccount --namespace ${WL_NAMESPACE} byoh-register -o jsonpath='{ .secrets[0].name }' )"
    SA_JWT="$( kubectl get secrets --namespace ${WL_NAMESPACE} ${SA_SECRET} --output go-template='{{ .data.token | base64decode }}' )"

    # add the token as a user entry in the current kubeconfig
    kubectl config set-credentials byoh-hostagent --token=${SA_JWT}

    # create a context; CLUSTER_NAME must match the cluster entry in the
    # current kubeconfig that points at the workload cluster API server
    CLUSTER_NAME=default
    kubectl config set-context byoh-agent@workloadcluster \
      --cluster ${CLUSTER_NAME} --user byoh-hostagent --namespace ${WL_NAMESPACE}

    # export only that context: --raw keeps the token in the output, --flatten
    # inlines the CA data so the file does not reference files on this machine
    kubectl config view --raw --minify --flatten \
      --context byoh-agent@workloadcluster > byoh-hostagent-kubeconfig.yaml

    # the host-agent token now also sits in your own kubeconfig; remove it again
    kubectl config delete-context byoh-agent@workloadcluster
    kubectl config unset users.byoh-hostagent
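Before the file is copied to a host it is worth checking two things: that the token really belongs to `byoh-register` in the intended namespace (a wrong `--namespace` or a stale `SA_SECRET` otherwise surfaces only as RBAC errors on the host), and that the kubeconfig is self-contained. The script below is an added example, not part of the original gist: it decodes the JWT payload with plain shell tools, checks the `sub` claim, builds the minimal host-agent kubeconfig directly from its parts instead of minifying the admin's file, and rejects a kubeconfig that points at local certificate files. The token, server URL and CA value are constructed stand-ins so it runs without a cluster.

```shell
#!/usr/bin/env bash
# Added example (not from the original gist): sanity-check a service-account JWT
# and build a portable byoh-hostagent kubeconfig. Runs offline on constructed input.
set -eu

# base64url-encode a string; only used here to build the constructed token.
b64url() { printf '%s' "$1" | base64 | tr -d '\n=' | tr '/+' '_-'; }

# Decode the payload (second dot-separated segment) of a JWT: undo base64url
# (-_ -> +/) and restore the '=' padding that base64 -d insists on.
jwt_payload() {
  local seg
  seg=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  while [ $(( ${#seg} % 4 )) -ne 0 ]; do seg="${seg}="; done
  printf '%s' "$seg" | base64 -d
}

# Extract one string claim. Kubernetes emits compact JSON ("key":"value", no
# spaces), which is all this grep handles; use jq if the payload is pretty-printed.
jwt_claim() {
  jwt_payload "$1" | grep -o "\"$2\":\"[^\"]*\"" | head -n1 | cut -d'"' -f4
}

# Succeed only if the token's sub claim names the expected ServiceAccount.
# This is an identity check on an unverified payload, not a signature check;
# the API server verifies the signature when the agent connects.
check_sa_token() {
  local tok=$1 ns=$2 sa=$3
  [ "$(jwt_claim "$tok" sub)" = "system:serviceaccount:${ns}:${sa}" ]
}

# Emit a minimal kubeconfig: inline CA data, bearer token, namespaced context.
build_hostagent_kubeconfig() {
  local server=$1 ca_b64=$2 tok=$3 ns=$4
  cat <<EOF
apiVersion: v1
kind: Config
clusters:
- name: workloadcluster
  cluster:
    server: ${server}
    certificate-authority-data: ${ca_b64}
users:
- name: byoh-hostagent
  user:
    token: ${tok}
contexts:
- name: byoh-agent@workloadcluster
  context:
    cluster: workloadcluster
    user: byoh-hostagent
    namespace: ${ns}
current-context: byoh-agent@workloadcluster
EOF
}

# Fail if the kubeconfig on stdin references files on the admin's machine, which
# is what `kubectl config view` produces when run without --flatten.
kubeconfig_is_portable() {
  ! grep -Eq '^[[:space:]]*(certificate-authority|client-certificate|client-key):'
}

# Constructed token in the compact form an API server emits, with a placeholder
# signature. Not a real credential.
SAMPLE_JWT="$(b64url '{"alg":"RS256","kid":"constructed"}').$(b64url '{"iss":"kubernetes/serviceaccount","kubernetes.io/serviceaccount/namespace":"my-cluster","kubernetes.io/serviceaccount/service-account.name":"byoh-register","sub":"system:serviceaccount:my-cluster:byoh-register"}').$(b64url 'constructed-signature')"
# Constructed endpoint and CA value (not a real certificate).
SAMPLE_SERVER=https://192.0.2.10:6443
SAMPLE_CA_B64=Q09OU1RSVUNURUQ=

# Check the token, build the kubeconfig, verify it is portable, print it to stdout.
main() {
  check_sa_token "$SAMPLE_JWT" my-cluster byoh-register \
    || { echo "token does not belong to my-cluster/byoh-register" >&2; return 1; }
  local cfg
  cfg=$(build_hostagent_kubeconfig "$SAMPLE_SERVER" "$SAMPLE_CA_B64" "$SAMPLE_JWT" my-cluster)
  printf '%s\n' "$cfg" | kubeconfig_is_portable \
    || { echo "kubeconfig references local files" >&2; return 1; }
  printf '%s\n' "$cfg"
}
```

With real values, `main` is run as `./check.sh > byoh-hostagent-kubeconfig.yaml` after replacing `SAMPLE_JWT` with `$SA_JWT`, `SAMPLE_SERVER` with the workload cluster's API endpoint and `SAMPLE_CA_B64` with the `certificate-authority-data` of that cluster entry; the same `check_sa_token` call works on a token from `kubectl create token` on v1.24+, whose `sub` claim has the same `system:serviceaccount:<ns>:<name>` form.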