Create kubeconfig for GitHub Actions #19
Comments
|
List API Resources # kubectl api-resources --api-group=batch -o wide
kubectl api-resources -o wide | grep -e 'namespace\|NAME' -e job
NAME SHORTNAMES APIVERSION NAMESPACED KIND VERBS CATEGORIES
namespaces ns v1 false Namespace create,delete,get,list,patch,update,watch
cronjobs cj batch/v1 true CronJob create,delete,deletecollection,get,list,patch,update,watch all
jobs batch/v1 true Job create,delete,deletecollection,get,list,patch,update,watch allWe may use the following manifest sa-ci.yaml---
apiVersion: v1
kind: Namespace
metadata:
name: cs-codex-dist-tests
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: cs-codex-dist-tests-ci-sa
namespace: cs-codex-dist-tests
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: cs-codex-dist-tests-ci-role
namespace: cs-codex-dist-tests
rules:
- apiGroups:
- "*"
resources:
- namespaces
verbs:
- create
- apiGroups:
- batch
resources:
- jobs
verbs:
- get
- create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: cs-codex-dist-tests-ci-role-binding
namespace: cs-codex-dist-tests
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cs-codex-dist-tests-ci-role
subjects:
- kind: ServiceAccount
name: cs-codex-dist-tests-ci-sa
namespace: cs-codex-dist-tests
---
apiVersion: v1
kind: Secret
type: kubernetes.io/service-account-token
metadata:
name: cs-codex-dist-tests-ci-token
namespace: cs-codex-dist-tests
labels:
name: cs-codex-dist-tests
annotations:
kubernetes.io/service-account.name: cs-codex-dist-tests-ci-sakubectl apply -f sa-ci.yamlWhich will create
And we may use the following script to generate a kubeconfig file for created Service Account generate-kubeconfig.sh# Generate KubeConfig for Service Account
# Variables
cluster=cs-codex-dist-tests
server=$(TERM=dumb kubectl cluster-info | awk '/control plane/ {print $NF}')
namespace=cs-codex-dist-tests
name=cs-codex-dist-tests-ci
sa="${name}-sa"
secret="${name}-token"
config="${cluster}-ci-sa.yaml"
ca=$(kubectl get secret "${secret}" -n "${namespace}" -o jsonpath='{.data.ca\.crt}')
token=$(kubectl get secret "${secret}" -n "${namespace}" -o jsonpath='{.data.token}' | base64 -d)
# Output
echo "apiVersion: v1
clusters:
- cluster:
certificate-authority-data: ${ca}
server: ${server}
name: ${cluster}
contexts:
- context:
cluster: ${cluster}
user: ${sa}
name: ${cluster}
current-context: ${cluster}
kind: Config
preferences: {}
users:
- name: ${sa}
user:
token: ${token}" | tee "${config}"And a permissions test for created kubeconfig Now, we can use that kubeconfig with GitHub Actions, which will run the dist-tests by creating Kubernetes Namespaces and Jobs, no more permissions are required. |
|
kubeconfig added to the repository secrets cat cs-codex-dist-tests-ci-sa.yaml | base64 |
|
Job creation via manifest failed until we added rules:
- verbs:
- create
- get
apiGroups:
- batch
resources:
- jobs |
|
We are considering to show Pods logs in GitHub Actions and for that we need some additional permissions. Now it looks the following rules:
- verbs:
- create
apiGroups:
- '*'
resources:
- namespaces
- verbs:
- get
- create
apiGroups:
- batch
resources:
- jobs
- verbs:
- list
- get
apiGroups:
- '*'
resources:
- pods
- verbs:
- get
apiGroups:
- '*'
resources:
- pods/log |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
We decided to run tests inside Kubernetes via Job and it means that GitHub Actions will create just a Job inside the cluster.
We can do it via
kubectland manifest with bash variables. As it was discovered during Manual run inside Kubernetes via Job #7, Service Account used for that should have permissions to createFor now, we will run all test from a default namespace, because
The text was updated successfully, but these errors were encountered: