Permanent karbon kubeconfig file

  • 25 June 2021
  • 4 replies

If you are annoyed, as I am, about renewing the kubeconfig every 24 hours, I’ve created a simple script that generates a permanent kubeconfig file without expiration.

This script makes sense, obviously, if you have more than 1 Karbon cluster to manage.

# $1 is only used to name the output file; kubectl must already point at the target cluster.
if [ -n "$1" ]; then
        echo "Cluster name: $1."
else
        echo "No cluster name has been specified."
        exit 1
fi

# Create a service account and bind it to the cluster-admin ClusterRole.
kubectl create serviceaccount --namespace kube-system superuser
kubectl create clusterrolebinding superuser-rule --clusterrole=cluster-admin --serviceaccount=kube-system:superuser

# A: token from the service account's auto-created secret (.secrets[0]; not populated on Kubernetes 1.24+)
# B: cluster CA data, C: API server URL, D: cluster name, all taken from the current kubeconfig
A=$(kubectl -n kube-system describe secret/$(kubectl -n kube-system get sa/superuser -o jsonpath='{.secrets[0].name}')|awk '{for(i=1;i<=NF;i++)if($i=="token:")print $(i+1)}')
B=$(kubectl config view --flatten --minify|awk '{for(i=1;i<=NF;i++)if($i=="certificate-authority-data:")print $(i+1)}')
C=$(kubectl config view --flatten --minify|awk '{for(i=1;i<=NF;i++)if($i=="server:")print $(i+1)}')
D=$(kubectl config view --flatten --minify|awk '{for(i=1;i<=NF;i++)if($i=="name:")print $(i+1)}'|head -1)

# Write a kubeconfig that authenticates with the static service-account token.
cat <<EOF >"kubeconfig.$1"
apiVersion: v1
kind: Config
users:
- name: superuser
  user:
    token: $A
clusters:
- cluster:
    certificate-authority-data: $B
    server: $C
  name: $D
contexts:
- context:
    cluster: $D
    user: superuser
  name: $D-context
current-context: $D-context
EOF


The script can be improved in many ways, so keep it as is and do whatever you want 🙂, don’t ask for support :)

Hope it helps


Hi Alan C,

Thank you for your contribution. You may want to have a look at this repo and give it a try.

I see, but it still requires authentication as far as I can see. We’ve something similar using karbonctl. Does the config still expire after 24 hours? This is not very handy if you want to manage all your clusters with products like k8slens for example, the config still expires.


Yes, it will expire. The plugin streamlines the token refresh. It’s a matter of security, just be aware of the risk of having a service account with a token that doesn’t expire.

Have a look at where you could use EXEC with Lens and the plugin. I haven’t tested.

Yes, sure, I know, and I’ve discussed it many times with engineering and PMs, but security has to balance with usability, IMHO. :)

When you have to manage a huge number of clusters this “security” feature is a nightmare, as much as the inability to ssh to cluster nodes without getting a token from PC.
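The risk raised in the replies above (a cluster-admin service account whose token never expires) can be checked for from the defender's side. The following is an added example, not code from any poster in this thread: it takes the parsed JSON of `kubectl get clusterrolebindings -o json` and `kubectl get secrets -A -o json` and lists service-account token secrets that belong to cluster-admin service accounts and carry no `exp` claim. The function names, the `SAMPLE_*` data and the secret names are constructed for illustration.

```python
import base64
import json


def jwt_claims(token):
    """Decode (without verifying the signature) the payload segment of a JWT."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def admin_service_accounts(bindings):
    """(namespace, name) of every ServiceAccount bound to cluster-admin."""
    return {(s.get("namespace"), s["name"])
            for b in bindings["items"] if b["roleRef"]["name"] == "cluster-admin"
            for s in b.get("subjects") or [] if s["kind"] == "ServiceAccount"}


def non_expiring_admin_tokens(bindings, secrets):
    """Token secrets of cluster-admin ServiceAccounts whose JWT has no exp claim."""
    admins = admin_service_accounts(bindings)
    hits = []
    for sec in secrets["items"]:
        if sec.get("type") != "kubernetes.io/service-account-token":
            continue
        meta = sec["metadata"]
        sa = meta.get("annotations", {}).get("kubernetes.io/service-account.name")
        if (meta["namespace"], sa) not in admins:
            continue
        token = base64.b64decode(sec["data"]["token"]).decode()
        if "exp" not in jwt_claims(token):  # legacy secret-based tokens never expire
            hits.append(f'{meta["namespace"]}/{sa} via secret {meta["name"]}')
    return hits


def _sample_secret(name, sa, claims):
    """Constructed test data: a Secret object wrapping an unsigned dummy JWT."""
    seg = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).decode().rstrip("=")
    jwt = ".".join([seg({"alg": "RS256"}), seg(claims), "sig"])
    return {"type": "kubernetes.io/service-account-token",
            "metadata": {"name": name, "namespace": "kube-system",
                         "annotations": {"kubernetes.io/service-account.name": sa}},
            "data": {"token": base64.b64encode(jwt.encode()).decode()}}


# Constructed sample mirroring what the script in the first post creates.
SAMPLE_BINDINGS = {"items": [
    {"roleRef": {"name": "cluster-admin"}, "subjects": [
        {"kind": "ServiceAccount", "name": "superuser", "namespace": "kube-system"}]},
    {"roleRef": {"name": "view"}, "subjects": [
        {"kind": "ServiceAccount", "name": "reader", "namespace": "kube-system"}]}]}
SAMPLE_SECRETS = {"items": [
    _sample_secret("superuser-token-abcde", "superuser", {"iss": "kubernetes/serviceaccount"}),
    _sample_secret("reader-token-fghij", "reader", {"iss": "kubernetes/serviceaccount"})]}
```

On a live cluster, pass the two `kubectl ... -o json` outputs through `json.load` and hand them to `non_expiring_admin_tokens`; each hit is a credential to rotate or delete when it is no longer needed.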