
I created a Kubernetes cluster for a single-master multi-node cluster using kubeadm following the official Kubernetes guide:

Kubernetes cluster

I currently connect my laptop to the cluster via this command:

kubectl get nodes --username kubernetes-admin --kubeconfig ~/.kube/config

However, I now want to add a separate user (or same actual user but different name) for our Jenkins to run commands. I just want a separate username for access/logging purposes.

How can I easily add another "jenkins" username (possibly with its own cert) in the config file? Kubeadm automatically uses --authorization-mode=Node (or at least mine did).

Background info: Only people who may make any changes on our cluster currently have/need access, so I don't need to only give users access to certain namespaces etc. Also, keep in mind we will have a cluster per environment: dev, UAT, production, etc.

Andrew Morton
warhansen
  • You can deploy Jenkins using another `namespace`; kindly follow this link: https://itnext.io/deploy-jenkins-with-dynamic-slaves-in-minikube-8aef5404e9c1 – chintan thakar Jun 25 '18 at 13:47

1 Answer

It's suitable to use a Kubernetes ServiceAccount and instruct your Jenkins deployment to use that account (with a bound Role):

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: jenkins
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1   # v1beta1 in the original answer; removed in Kubernetes 1.22
metadata:
  name: jenkins
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["create","delete","get","list","patch","update","watch"]
- apiGroups: [""]
  resources: ["pods/exec"]
  verbs: ["create","delete","get","list","patch","update","watch"]
- apiGroups: [""]
  resources: ["pods/log"]
  verbs: ["get","list","watch"]
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1   # v1beta1 in the original answer; removed in Kubernetes 1.22
kind: RoleBinding
metadata:
  name: jenkins
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: jenkins
subjects:
- kind: ServiceAccount
  name: jenkins   # namespace defaults to the RoleBinding's own namespace
---
apiVersion: apps/v1   # extensions/v1beta1 in the original answer; removed in Kubernetes 1.16
kind: Deployment
metadata:
  labels:
    app: jenkins
  name: jenkins
spec:
  replicas: 1
  selector:
    matchLabels:
      app: jenkins
  template:
    metadata:
      labels:
        app: jenkins
    spec:
      serviceAccountName: jenkins   # pods of this Deployment authenticate to the API as the jenkins ServiceAccount
      # containers: ... (the Jenkins container spec is not included in the original answer)
Nicola Ben
  • Ok, so 2 things. The Jenkins we use is currently not a pod; it's a VM outside the Kubernetes cluster. And how do I go about adding this Service Account if this caters for a non-pod Jenkins? – warhansen Jun 27 '18 at 09:41
  • This also cleared up some things for me: https://stackoverflow.com/questions/48022748/is-there-a-way-to-create-a-token-for-a-normal-user-in-kubernetes – warhansen Jul 02 '18 at 07:57
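The ServiceAccount approach in this answer also covers the asker's case of a Jenkins VM outside the cluster: the VM gets its own kubeconfig that authenticates with the ServiceAccount's token, so its API calls show up as `system:serviceaccount:<ns>:jenkins` in the audit log. The script below is an added example, not part of the original answer; it assumes kubectl already has admin access to the cluster, that the admin kubeconfig embeds the CA inline (kubeadm's admin.conf does), and that the Role from the answer has been applied; the namespace, output path and `make_kubeconfig` helper are constructed for the example.

```sh
#!/bin/sh
# Added example, not from the original answer: give an out-of-cluster Jenkins VM the
# ServiceAccount identity from the answer and hand it a standalone kubeconfig.
# Assumes kubectl already talks to the cluster as kubernetes-admin, that kubeconfig embeds
# the CA inline (kubeadm's admin.conf does) and the answer's Role "jenkins" exists in $NS.
set -eu
NS="${NS:-default}"; SA="${SA:-jenkins}"; OUT="${OUT:-./jenkins.kubeconfig}"  # constructed defaults
# Render a kubeconfig from its ingredients; pure text, so it needs no cluster to run.
# $1 API server URL, $2 base64 CA bundle, $3 bearer token, $4 default namespace
make_kubeconfig() {
  cat <<EOF
apiVersion: v1
kind: Config
clusters:
- name: target
  cluster:
    server: $1
    certificate-authority-data: $2
contexts:
- name: jenkins@target
  context: {cluster: target, user: jenkins, namespace: $4}
current-context: jenkins@target
users:
- name: jenkins
  user: {token: $3}
EOF
}
# Create the identity, bind it to the Role, mint a long-lived token Secret (needed on
# 1.24+, where ServiceAccount tokens are no longer auto-created) and write the kubeconfig.
provision() {
  kubectl -n "$NS" create serviceaccount "$SA" --dry-run=client -o yaml | kubectl apply -f -
  kubectl -n "$NS" create rolebinding "$SA" --role="$SA" --serviceaccount="$NS:$SA" \
    --dry-run=client -o yaml | kubectl apply -f -
  kubectl -n "$NS" apply -f - <<EOF
apiVersion: v1
kind: Secret
type: kubernetes.io/service-account-token
metadata: {name: ${SA}-token, annotations: {kubernetes.io/service-account.name: ${SA}}}
EOF
  server=$(kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}')
  ca=$(kubectl config view --minify --raw -o jsonpath='{.clusters[0].cluster.certificate-authority-data}')
  # the token controller fills .data.token asynchronously, so poll until it is present
  until token=$(kubectl -n "$NS" get secret "${SA}-token" -o jsonpath='{.data.token}' | base64 -d) \
    && [ -n "$token" ]; do sleep 1; done
  make_kubeconfig "$server" "$ca" "$token" "$NS" > "$OUT" && chmod 600 "$OUT"
  # requests now authenticate as system:serviceaccount:$NS:$SA, which is what the audit log shows
  kubectl --kubeconfig "$OUT" auth can-i list pods -n "$NS"   # expected: yes
}
if [ "${1:-}" = provision ]; then provision; fi
```

Run it as `sh script.sh provision`, then copy `jenkins.kubeconfig` to the Jenkins VM and point its kubectl (or Kubernetes plugin) at that file; the token is only as safe as that file, so treat it like any other credential.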