A helper script I use for running kubectl as a service account for GKE clusters. This is only intended for my personal use, but if anyone else happens to find this useful, that would be great.
Requirements:

- `jq` (OSX users can run `brew install jq`)
- `gcloud`
- `kubectl` (`gcloud` users can run `gcloud components install kubectl`)
Installation and usage:

- Copy the contents of the `kube-service-account.sh` script to your `~/.zshrc`
- Use `gcloud auth activate-service-account` to import service account credentials from a JSON key file
- Run `kube-service-account` and select the credentials you want to use
- Use `kubectlt` to run any commands you normally would, now under the context of the service account
Example walkthrough:

- Create a GKE cluster:

  ```
  gcloud container clusters create kube-service-account-test \
    --project my-project \
    --zone us-central1-f \
    --cluster-version 1.8.7-gke.1 \
    --machine-type n1-standard-1 \
    --num-nodes 1 \
    --image-type COS \
    --disk-size 10
  ```

- Add the cluster credentials to your local kubeconfig:

  ```
  gcloud container clusters get-credentials kube-service-account-test \
    --project my-project \
    --zone us-central1-f
  ```

- Create a service account:

  ```
  gcloud iam service-accounts create test-service-account \
    --project my-project \
    --display-name test-service-account
  ```

- Create a JSON key for the service account:

  ```
  gcloud iam service-accounts keys create key.json \
    --project my-project \
    --iam-account test-service-account@my-project.iam.gserviceaccount.com
  ```

  Treat `key.json` as a long-lived secret: keep it out of version control and delete it once it has been activated (gcloud keeps its own copy of the credential after the next step).

- Activate the service account credentials using the JSON key:

  ```
  gcloud auth activate-service-account --key-file key.json
  ```

- Run the `kube-service-account` script to configure the `kubectlt` alias to use your service account's credentials:

  ```
  kube-service-account
  ```

- Use the `kubectlt` alias to attempt to create a deployment:

  ```
  $ kubectlt run ubuntu --image ubuntu
  Error from server (Forbidden): deployments.extensions is forbidden: User "test-service-account@my-project.iam.gserviceaccount.com" cannot create deployments.extensions in the namespace "default": Required "container.deployments.create" permission.
  ```

  The Forbidden error is the expected result here: it confirms that `kubectlt` is authenticating as the service account rather than as your own user, and the new service account has not been granted any IAM role on the project, so GKE denies the request. Grant it a role that carries `container.deployments.create` (for example `roles/container.developer`) before expecting the deployment to succeed.
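The `kube-service-account.sh` script itself is not reproduced here. As an added illustration (not the repository's code), below is one plausible shell implementation of the two pieces the installation and walkthrough steps rely on: a `kube-service-account` picker that reads `gcloud auth list --format=json`, and a `kubectlt` function that mints a short-lived OAuth2 access token for the chosen service account with `gcloud auth print-access-token` and hands it to `kubectl --token`, so the long-lived JSON key never reaches kubectl. That the real script works by token injection is an assumption; the `GCLOUD`/`KUBECTL` override variables, the `KUBE_SA` variable and the helper names are mine, and the JSON is parsed with `sed` rather than `jq` so the example runs without jq. The sample `gcloud auth list` output in the comment is constructed.

```shell
#!/usr/bin/env bash
# Added example, not the kube-service-account.sh script. Assumption: the
# `kubectlt` alias works by passing kubectl a per-call access token for the
# selected service account, overriding the kubeconfig's default gcloud user.

# Command names are variables so they can be swapped for stubs when run offline.
GCLOUD="${GCLOUD:-gcloud}"
KUBECTL="${KUBECTL:-kubectl}"

# service_accounts_from_json: read `gcloud auth list --format=json` on stdin and
# print only service-account identities, one per line. Constructed sample input:
#   [ { "account": "me@example.com", "status": "ACTIVE" },
#     { "account": "sa@my-project.iam.gserviceaccount.com", "status": "" } ]
# would print just sa@my-project.iam.gserviceaccount.com (user accounts are
# dropped so you cannot accidentally "impersonate" your own user).
service_accounts_from_json() {
  sed -n 's/.*"account": *"\([^"]*\.iam\.gserviceaccount\.com\)".*/\1/p'
}

# select_service_account IDX LIST: pick the IDX-th (1-based) line of LIST,
# failing loudly on an out-of-range or non-numeric index.
select_service_account() {
  idx="$1"
  accounts="$2"
  choice=$(printf '%s\n' "$accounts" | sed -n "${idx}p" 2>/dev/null)
  [ -n "$choice" ] || { echo "no service account at index '$idx'" >&2; return 1; }
  printf '%s\n' "$choice"
}

# kube_service_account: interactive picker; exports KUBE_SA for kubectlt.
kube_service_account() {
  accounts=$("$GCLOUD" auth list --format=json | service_accounts_from_json)
  [ -n "$accounts" ] || {
    echo "no service accounts found; run gcloud auth activate-service-account first" >&2
    return 1
  }
  printf '%s\n' "$accounts" | nl -ba
  printf 'Select account: '
  read -r n
  KUBE_SA=$(select_service_account "$n" "$accounts") || return 1
  export KUBE_SA
  echo "kubectlt will now run as $KUBE_SA"
}

# kubectlt: run kubectl as KUBE_SA. A fresh access token is minted per call
# (gcloud tokens expire after about an hour) and passed as a bearer token;
# the cluster/context still come from the normal kubeconfig.
kubectlt() {
  [ -n "$KUBE_SA" ] || { echo "KUBE_SA not set; run kube_service_account first" >&2; return 1; }
  token=$("$GCLOUD" auth print-access-token --account="$KUBE_SA") || return 1
  "$KUBECTL" --token="$token" "$@"
}
```

Source this file (or paste it into `~/.zshrc`), run `kube_service_account`, then `kubectlt get pods`. Because `--token` overrides whatever user auth the kubeconfig context carries, the request is authorized by GKE against the service account's IAM permissions, which is exactly why a freshly created, role-less account gets the Forbidden error shown in the walkthrough.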
I have only used / tested this in zsh.