Client scripts

If you run a script on your own machine that connects to Kubernetes (either through kubectl or directly against the API), avoid using the config file provided by the portal: its OIDC token refresh does not work when several runs execute concurrently. Instead, create a service account in your namespace and connect with the token that Kubernetes issues for it.

Everything below requires namespace admin rights. If you only have user status, ask your namespace admin to do it for you.

To create a service account, run:

kubectl create serviceaccount <service-account-name>

Replace <service-account-name> with the desired name.

Note: Older Kubernetes versions (before v1.24) also created a token for the service account in a Secret object when you ran this command. (As of 8/16/2023, the server version is v1.25.12.) This is no longer the case, see here.

Create a Secret that asks Kubernetes to issue a token for the service account (the token controller fills in the token shortly after the Secret is created):

kubectl apply -f - <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: <service-account-name>-secret
  annotations:
    kubernetes.io/service-account.name: <service-account-name>
type: kubernetes.io/service-account-token
EOF

Retrieve the token using the following commands:

TOKEN=$(kubectl get secret <service-account-name>-secret -o jsonpath='{.data.token}' | base64 --decode)
echo $TOKEN

The echo is only there so you can see that a token was issued. It is a non-expiring bearer credential for the service account, so treat it like a password: do not paste it into tickets, chat or source control.

Next, COPY your current OIDC config file and replace its user entry with the service account. The commands below assume that .kube is in the current directory; usually it is in your home directory, ~.

cp .kube/config .kube/config_sa
kubectl --kubeconfig=.kube/config_sa config unset users.$(kubectl --kubeconfig=.kube/config_sa config view -o jsonpath='{.users[0].name}')
kubectl --kubeconfig=.kube/config_sa config set-credentials <service-account-name> --token=$TOKEN
kubectl --kubeconfig=.kube/config_sa config set-context --current --user=<service-account-name>
kubectl --kubeconfig=.kube/config_sa config view

Note: The unset command above removes only the first user entry. If your config contains more than one user, unset each of them. The resulting config_sa holds a non-expiring bearer token, so keep it readable only by you (for example chmod 600) and never commit it to a repository.

A new service account has no permissions in your namespace, so grant it a role (this is what lets your script act with the same rights as your user). To do this, run:

kubectl create rolebinding <service-account-name>-sa --clusterrole=<admin OR edit> --serviceaccount=<namespace>:<service-account-name>

Namespace admins have the admin role, and users typically have the edit role; pick the one that matches what the script needs, see https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles. <namespace> is the namespace in which you created the service account. The RoleBinding is created in your current namespace and grants rights only there.

Now check if you can list pods:

kubectl --kubeconfig=.kube/config_sa get pods

(You can also point the KUBECONFIG environment variable at the config file from inside your script instead of passing --kubeconfig.)

To delete the service account, run:

kubectl delete rolebinding <service-account-name>-sa
kubectl delete serviceaccount <service-account-name>
rm .kube/config_sa

Note: Deleting the service account also removes its token Secret automatically, so you do not need to delete <service-account-name>-secret yourself.
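The whole procedure above, including the teardown, as an added example script (this is not code from the original page). It assumes kubectl, a reachable cluster and the portal's OIDC kubeconfig at $KUBECONFIG or ~/.kube/config; the create/delete subcommands, the 20-second wait for the token and the subject check are this example's own choices. Beyond the manual steps it removes every user entry from the copied config, restricts the file to your own account and refuses to proceed unless the token's "sub" claim names your service account.

```shell
#!/bin/sh
# Added example, not code from the original page: the manual steps above
# wrapped in functions. The service account name, namespace and role are
# parameters; a reachable cluster and the portal's OIDC kubeconfig (path in
# $KUBECONFIG or ~/.kube/config) are assumed only when you run create/delete.
set -eu

# Manifest that asks the token controller to issue a token for the service
# account (pure text, no cluster needed).
render_token_secret() {
  sa="$1"
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: ${sa}-secret
  annotations:
    kubernetes.io/service-account.name: ${sa}
type: kubernetes.io/service-account-token
EOF
}

# .data.token is stored base64-encoded; decode it.
decode_token() {
  printf '%s' "$1" | base64 --decode
}

# A service account token is a JWT: header.payload.signature, each segment
# base64url without padding. Decode the payload so we can check whom the
# token is for before writing it into a kubeconfig.
jwt_payload() {
  seg=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  while [ $(( ${#seg} % 4 )) -ne 0 ]; do seg="${seg}="; done
  printf '%s' "$seg" | base64 --decode
}

# Extract the "sub" claim, e.g. system:serviceaccount:<namespace>:<name>.
jwt_sub() {
  jwt_payload "$1" | sed -n 's/.*"sub"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Copy the OIDC kubeconfig, drop every user entry it has (there may be more
# than one), add the service account token and make it the current user.
# The file holds a non-expiring bearer token, so restrict it to the owner.
build_sa_kubeconfig() {
  sa="$1"; token="$2"; src="$3"; dst="$4"
  cp "$src" "$dst"
  chmod 600 "$dst"
  for u in $(kubectl --kubeconfig="$dst" config view -o jsonpath='{range .users[*]}{.name}{"\n"}{end}'); do
    kubectl --kubeconfig="$dst" config unset "users.${u}"
  done
  kubectl --kubeconfig="$dst" config set-credentials "$sa" --token="$token"
  kubectl --kubeconfig="$dst" config set-context --current --user="$sa"
}

create() {
  sa="$1"; ns="$2"; role="${3:-edit}"
  src="${KUBECONFIG:-$HOME/.kube/config}"; dst="${src}_sa"
  kubectl -n "$ns" create serviceaccount "$sa"
  render_token_secret "$sa" | kubectl -n "$ns" apply -f -
  # The token controller fills .data.token asynchronously; poll for it.
  token=""; i=0
  while [ -z "$token" ] && [ "$i" -lt 20 ]; do
    token=$(decode_token "$(kubectl -n "$ns" get secret "${sa}-secret" -o jsonpath='{.data.token}')")
    [ -n "$token" ] || sleep 1
    i=$((i + 1))
  done
  [ -n "$token" ] || { echo "token was not issued" >&2; exit 1; }
  # Refuse to proceed if the token is not for the expected service account.
  [ "$(jwt_sub "$token")" = "system:serviceaccount:${ns}:${sa}" ] || { echo "unexpected token subject" >&2; exit 1; }
  kubectl -n "$ns" create rolebinding "${sa}-sa" --clusterrole="$role" --serviceaccount="${ns}:${sa}"
  build_sa_kubeconfig "$sa" "$token" "$src" "$dst"
  kubectl --kubeconfig="$dst" -n "$ns" get pods   # smoke test with the new identity
}

delete() {
  sa="$1"; ns="$2"
  src="${KUBECONFIG:-$HOME/.kube/config}"
  kubectl -n "$ns" delete rolebinding "${sa}-sa"
  kubectl -n "$ns" delete serviceaccount "$sa"   # also removes the token Secret
  rm -f "${src}_sa"
}

# Usage: sh sa-kubeconfig.sh create <sa> <namespace> [admin|edit]
#        sh sa-kubeconfig.sh delete <sa> <namespace>
case "${1:-}" in
  create) shift; create "$@" ;;
  delete) shift; delete "$@" ;;
esac
```

Run it as sh sa-kubeconfig.sh create myscript mynamespace edit; afterwards the script can use KUBECONFIG=~/.kube/config_sa. The subject check matters because the Secret is matched to the service account only by an annotation: a typo in the annotation leaves .data.token empty or bound to a different account, and the check catches that before the token is written to disk.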

Another guide on how to do this