This guide provides instructions for operators on deploying and managing the k8s-token bundle. This bundle is designed to deploy into a Kubernetes cluster, creating the necessary resources to manage namespace-specific access through a token. For more information on Kubernetes RBAC, check the Kubernetes docs.
The k8s-token bundle automates the creation of the following Kubernetes resources in the specified namespace:
Role
: Defines the permissions the token carries; it is namespaced, so nothing it grants reaches outside the target namespace.
RoleBinding
: Binds the Role to the ServiceAccount.
ServiceAccount
: Provides the identity the token authenticates as.
Secret
: Holds the token issued for the ServiceAccount. A Secret is base64-encoded, not encrypted, so read access to Secrets in the namespace is read access to the token.
The result is a long-lived bearer token with exactly the permissions in the Role. The token does not expire on its own; it stays valid until the Secret is deleted, which is what the rotation steps below rely on. The token is available for download in kubeconfig
format (see the Massdriver docs for more info), which gives an easy path for granting narrowly scoped access to a Kubernetes cluster to other engineers. Whoever holds that kubeconfig holds the token, so hand it over through a trusted channel and treat a leaked copy as a reason to rotate. The token can also be used within Massdriver as a remote reference to narrow the scope of permissions of a Kubernetes cluster.
To verify that the resources were created, run the following command against the cluster (a Secret of type `kubernetes.io/service-account-token` with a populated `token` field is the sign that the control plane has issued the token):
kubectl get role,rolebinding,serviceaccount,secret -n <namespace>
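The following script is an added example and is not the k8s-token bundle's own code. It renders the same four resources the bundle creates for a single namespace, checks the resulting ServiceAccount's reach through `kubectl auth can-i` impersonation (so the check never needs the token itself), and assembles a kubeconfig around the long-lived token in the shape the bundle hands out. The namespace and ServiceAccount names, the pod-reader rules, and the `-token` Secret suffix are illustrative assumptions.

```shell
#!/bin/sh
# Added example, not part of the k8s-token bundle. All names and the Role's
# rules are assumptions chosen for illustration.
set -eu

# The four resources, scoped to one namespace. The Secret is of type
# kubernetes.io/service-account-token, which makes the control plane fill in
# a long-lived token bound to the ServiceAccount. No cluster-wide objects.
render_token_manifests() {
  ns="$1"; sa="$2"
  cat <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ${sa}
  namespace: ${ns}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ${sa}
  namespace: ${ns}
rules:
  - apiGroups: [""]
    resources: ["pods", "pods/log"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ${sa}
  namespace: ${ns}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ${sa}
subjects:
  - kind: ServiceAccount
    name: ${sa}
    namespace: ${ns}
---
apiVersion: v1
kind: Secret
metadata:
  name: ${sa}-token
  namespace: ${ns}
  annotations:
    kubernetes.io/service-account.name: ${sa}
type: kubernetes.io/service-account-token
EOF
}

# Ask the API server what the ServiceAccount may do, by impersonating it.
# The allowed probe must succeed inside the namespace; every probe that
# would mean a wider scope (other namespaces, writes, Secrets) must be denied.
check_token_scope() {
  ns="$1"; sa="$2"
  subject="system:serviceaccount:${ns}:${sa}"
  kubectl auth can-i list pods -n "$ns" --as="$subject" >/dev/null
  for probe in "list pods --all-namespaces" "delete pods -n $ns" "get secrets -n $ns"; do
    # $probe is split into words on purpose
    if kubectl auth can-i $probe --as="$subject" >/dev/null 2>&1; then
      echo "scope too wide: $subject may '$probe'" >&2
      return 1
    fi
  done
}

# Build a kubeconfig around the issued token. Assumes the current context's
# cluster entry carries certificate-authority-data. The file holds a long-lived
# bearer token, so it is written owner-readable only (umask in a subshell).
write_kubeconfig() {
  ns="$1"; sa="$2"; out="$3"
  server=$(kubectl config view --minify --raw -o jsonpath='{.clusters[0].cluster.server}')
  ca=$(kubectl config view --minify --raw -o jsonpath='{.clusters[0].cluster.certificate-authority-data}')
  token=$(kubectl get secret "${sa}-token" -n "$ns" -o jsonpath='{.data.token}' | base64 -d)
  ( umask 077; cat >"$out" <<EOF
apiVersion: v1
kind: Config
clusters:
  - name: target
    cluster: { server: ${server}, certificate-authority-data: ${ca} }
users:
  - name: ${sa}
    user: { token: ${token} }
contexts:
  - name: ${sa}@${ns}
    context: { cluster: target, user: ${sa}, namespace: ${ns} }
current-context: ${sa}@${ns}
EOF
  )
}

# Usage against a real cluster:
#   render_token_manifests demo demo-reader | kubectl apply -f -
#   check_token_scope demo demo-reader
#   write_kubeconfig demo demo-reader ./demo-reader.kubeconfig
#   kubectl --kubeconfig ./demo-reader.kubeconfig get pods
```

`check_token_scope` is the check worth keeping after every redeploy: `kubectl get role,...` confirms the objects exist, while `auth can-i --as=system:serviceaccount:...` confirms what the token can actually do, and catches a Role that was widened by mistake or a RoleBinding that points at a ClusterRole.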
If the token needs to be rotated (for example, when a holder of the kubeconfig no longer needs access, or the kubeconfig may have leaked):
- Decommission the bundle in Massdriver. This deletes the ServiceAccount and the Secret, which invalidates the existing token.
- Redeploy the bundle in Massdriver. A new token is issued, and every distributed kubeconfig must be replaced with the new download.
To update the permissions for the token:
- Modify the Role definition in the bundle configuration.
- Redeploy the bundle. The token itself is unchanged; its effective permissions change as soon as the updated Role is applied.
To remove the resources created by this bundle, which also revokes the token:
- Decommission the bundle in Massdriver.