How to create a Kubernetes monitoring account

This knowledge base article shows you how to create a monitoring account in Kubernetes for the Opslogix Kubernetes Management Pack.

Copy the following YAML into a text file and save it with a .yml extension, for example opslogix_monitoring.yml.

# opslogix-serviceaccount.yml
---
apiVersion: v1
kind: Namespace
metadata:
  name: opslogix-monitoring
  labels:
    kubernetes.io/metadata.name: opslogix-monitoring
---
# Created before the token Secret, which must reference an existing ServiceAccount
apiVersion: v1
kind: ServiceAccount
metadata:
  name: opslogix-monitoring-serviceaccount
  namespace: opslogix-monitoring
secrets:
  - name: opslogix-monitoring-serviceaccount-token
---
# Token Secret for the ServiceAccount above; the cluster populates the token
apiVersion: v1
kind: Secret
metadata:
  name: opslogix-monitoring-serviceaccount-token
  namespace: opslogix-monitoring
  annotations:
    kubernetes.io/service-account.name: opslogix-monitoring-serviceaccount
type: kubernetes.io/service-account-token
---
# Read-only (get, watch, list) on every resource in every API group, Secrets included
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: opslogix-monitoring-clusterrole
rules:
  - verbs:
      - get
      - watch
      - list
    apiGroups:
      - '*'
    resources:
      - '*'
---
# Bind the ClusterRole to the monitoring ServiceAccount cluster-wide
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: opslogix-monitoring-clusterrolebinding
subjects:
  - kind: ServiceAccount
    name: opslogix-monitoring-serviceaccount
    namespace: opslogix-monitoring
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: opslogix-monitoring-clusterrole

After creating the .yml file, use kubectl to deploy the monitoring account specified in it:

kubectl apply -f [filename].yml

To generate the Kubernetes config file, copy the script below into a file, save it as a shell script (.sh extension), then run the script.

#!/bin/bash
# Update these to match your environment
SERVICE_ACCOUNT_NAME=opslogix-monitoring-serviceaccount
CONTEXT=$(kubectl config current-context)
NAMESPACE=opslogix-monitoring

NEW_CONTEXT=opslogix-monitoring-serviceaccount
KUBECONFIG_FILE="kubeconfig-opslogix-sa"

# The files written below contain credentials; create them readable by the current user only
OLD_UMASK=$(umask)
umask 077

# Look up the token Secret attached to the service account
SECRET_NAME=$(kubectl get serviceaccount "${SERVICE_ACCOUNT_NAME}" \
  --context "${CONTEXT}" \
  --namespace "${NAMESPACE}" \
  -o jsonpath='{.secrets[0].name}')
# Read the base64-encoded token from that Secret
TOKEN_DATA=$(kubectl get secret "${SECRET_NAME}" \
  --context "${CONTEXT}" \
  --namespace "${NAMESPACE}" \
  -o jsonpath='{.data.token}')

# Decode the token
TOKEN=$(echo "${TOKEN_DATA}" | base64 -d)

# Create dedicated kubeconfig
# Create a full copy
kubectl config view --raw > "${KUBECONFIG_FILE}.full.tmp"
# Switch working context to correct context
kubectl --kubeconfig "${KUBECONFIG_FILE}.full.tmp" config use-context "${CONTEXT}"
# Minify
kubectl --kubeconfig "${KUBECONFIG_FILE}.full.tmp" \
  config view --flatten --minify > "${KUBECONFIG_FILE}.tmp"
# Rename context
kubectl config --kubeconfig "${KUBECONFIG_FILE}.tmp" \
  rename-context "${CONTEXT}" "${NEW_CONTEXT}"
# Create token user
kubectl config --kubeconfig "${KUBECONFIG_FILE}.tmp" \
  set-credentials "${SERVICE_ACCOUNT_NAME}" \
  --token "${TOKEN}"
# Set context to use token user
kubectl config --kubeconfig "${KUBECONFIG_FILE}.tmp" \
  set-context "${NEW_CONTEXT}" --user "${SERVICE_ACCOUNT_NAME}"
# Set context to correct namespace
kubectl config --kubeconfig "${KUBECONFIG_FILE}.tmp" \
  set-context "${NEW_CONTEXT}" --namespace "${NAMESPACE}"
# Flatten/minify kubeconfig
kubectl config --kubeconfig "${KUBECONFIG_FILE}.tmp" \
  view --flatten --minify > "${KUBECONFIG_FILE}"
# Remove tmp
rm "${KUBECONFIG_FILE}.full.tmp"
rm "${KUBECONFIG_FILE}.tmp"

# Restore the previous umask, then start an interactive shell
umask "${OLD_UMASK}"
$SHELL

You should now have a generated Kubernetes configuration file (kubeconfig-opslogix-sa, as set in KUBECONFIG_FILE).
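
To confirm which identity the generated kubeconfig carries, the token can be decoded locally. The script below is an added example, not part of the original article or of Opslogix's tooling; its function names and the sample token are constructed here, and it assumes the Secret-based token is a JWT with a compact JSON payload.

```bash
#!/bin/bash
# Added example: check the service account token in the generated kubeconfig.

# Decode the payload (second dot-separated segment) of a JWT to JSON.
jwt_payload() {
  local seg
  seg=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  # base64url drops the padding; restore it so base64 -d accepts the input
  while [ $(( ${#seg} % 4 )) -ne 0 ]; do seg="${seg}="; done
  printf '%s' "$seg" | base64 -d
}

# Print the "sub" claim (assumes compact JSON without spaces).
jwt_subject() { jwt_payload "$1" | grep -o '"sub":"[^"]*"' | cut -d'"' -f4; }

# Succeed only if the token carries an expiry ("exp") claim.
jwt_has_expiry() { jwt_payload "$1" | grep -q '"exp":'; }

# Succeed only if the token belongs to service account $3 in namespace $2.
check_sa_token() {
  local sub expected="system:serviceaccount:$2:$3"
  sub=$(jwt_subject "$1")
  if [ "$sub" != "$expected" ]; then
    echo "FAIL: subject is '${sub}', expected '${expected}'" >&2
    return 1
  fi
  jwt_has_expiry "$1" ||
    echo "NOTE: no exp claim; valid until the Secret or ServiceAccount is deleted"
  echo "OK: ${sub}"
}

# Constructed sample token (dummy signature) so the script runs without a cluster.
b64url() { printf '%s' "$1" | base64 | tr -d '=\n' | tr '/+' '_-'; }
sample_token() {
  local sa='system:serviceaccount:opslogix-monitoring:opslogix-monitoring-serviceaccount'
  echo "$(b64url '{"alg":"RS256"}').$(b64url "{\"sub\":\"${sa}\"}").c2ln"
}

# With a kubeconfig path as $1, check its token; otherwise check the sample.
if [ -n "${1:-}" ]; then
  token=$(kubectl config view --raw --kubeconfig "$1" \
    -o jsonpath='{.users[0].user.token}')
else
  token=$(sample_token)
fi
check_sa_token "$token" opslogix-monitoring opslogix-monitoring-serviceaccount
```

Pass the generated file (kubeconfig-opslogix-sa) as the first argument to check the real token instead of the sample.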

Source: https://docs.armory.io/armory-enterprise/armory-admin/manual-service-account/