Permanent karbon kubeconfig file

  • 25 June 2021
  • 4 replies
  • 906 views

If you are annoyed, as myself, about renewing the kubeconfig every 24 hours, i’ve created a simple script that generates a permanent kubeconfig file without expiration.

This script makes sense, obviously, if you have more than 1 karbon cluster to manage.

#!/bin/bash
if [ -n "$1" ]; then
        echo Cluster name: $1.
else
        echo "No cluster name has been specified. "
    exit 1
fi
kubectl create serviceaccount --namespace kube-system superuser
kubectl create clusterrolebinding superuser-rule --clusterrole=cluster-admin --serviceaccount=kube-system:superuser

A=$(kubectl -n kube-system describe secret/$(kubectl -n kube-system get sa/superuser -o jsonpath='{.secrets[0].name}')|awk '{for(i=1;i<=NF;i++)if($i=="token:")print $(i+1)}')
B=$(kubectl config view --flatten --minify|awk '{for(i=1;i<=NF;i++)if($i=="certificate-authority-data:")print $(i+1)}')
C=$(kubectl config view --flatten --minify|awk '{for(i=1;i<=NF;i++)if($i=="server:")print $(i+1)}')
D=$(kubectl config view --flatten --minify|awk '{for(i=1;i<=NF;i++)if($i=="name:")print $(i+1)}'|head -1)

cat <<EOF >kubeconfig.$1
apiVersion: v1
kind: Config
users:
- name: superuser
  user:
    token: $A
clusters:
- cluster:
    certificate-authority-data: $B
    server: $C
  name: $D
contexts:
- context:
    cluster: $D
    user: superuser
  name: $D-context
current-context: $D-context
EOF

 

The script can be improved in many ways so keep it as is and do whatever you want 🙂, don’t ask for support :)

Hope it helps


This topic has been closed for comments

4 replies

Userlevel 4
Badge +5

Hi Alan C,

Thank you for your contribution. You may want to have a look to this repo and give it a try https://github.com/nutanix/kubectl-karbon

I see but it still requires an authentication as far as i can see. We’ve something similar using karbonctl. Does the config still expire after 24 hours? This is not very handy if you want to manage all your clusters with products like k8slens for example, the config still expires.

Userlevel 4
Badge +5

Yes, it will expire. The plugin streamline the token refresh. It’s a matter of security, just be aware of the risk having a service account with a token that doesn’t expire.

Have a look to https://kubernetes.io/docs/reference/access-authn-authz/authentication/#configuration where you could use EXEC with lens and the plugin. I haven’t tested. 

Yes sure i know and i’ve discussed it many times with engineering and PMs, but security has to balance with usability, IMHO. :) .

When you have to manage a huge number of clusters this “security” feature is a nightmare, as much as the inability to ssh to cluster nodes without getting a token from PC.