Service account for pipelines¶
For Gitness pipelines to perform actions on the Kubernetes cluster, a service account needs to be set up. Since my cluster management is only exposed locally, I chose to set up one generic service account to manage the whole cluster.
Service account setup¶
I will be using the standard default service account available in the default namespace. If desired you can also create a new service account, but to keep the steps simple I'll use the standard one.
Create a new service account
If you want a dedicated account instead, first create it with kubectl.
First, check whether the service account already has a long-lived token:
```
~ kubectl describe serviceaccount default
Name: default
Namespace: default
Labels: <none>
Annotations: <none>
Image pull secrets: <none>
Mountable secrets: <none>
Tokens: <none>
Events: <none>
```
After Kubernetes 1.22
Since Kubernetes version 1.22 the long-lived token is no longer created automatically.
The secret therefore has to be created manually, with the type kubernetes.io/service-account-token, and linked to the service account through the kubernetes.io/service-account.name annotation.
This creates a secret named default-secret whose token and certificate fields are filled in automatically by the token controller.
Describing the service account now shows the token being populated:
```
~ kubectl describe serviceaccount default
Name: default
Namespace: default
Labels: <none>
Annotations: <none>
Image pull secrets: <none>
Mountable secrets: <none>
Tokens: default-secret
Events: <none>
```
Cluster Role Binding¶
Now bind a ClusterRole to the service account with a ClusterRoleBinding. I create it via the YAML file service_account_role.yaml:
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  # A ClusterRoleBinding is cluster-scoped, so it has no namespace. The name must
  # differ from "cluster-admin": a built-in binding with that name already exists
  # for the system:masters group, and applying over it would replace its subjects.
  name: pipeline-cluster-admin
subjects:
- kind: ServiceAccount
  name: default
  namespace: default
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
```
Then apply it with kubectl.
Note
The standard user-facing ClusterRoles are listed here: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles
Service account Token and Certificate¶
The Gitness pipeline plugins authenticate to the cluster as this service account using its long-lived token and the cluster CA certificate. So retrieve the actual token from the secret and decode it:
Get the certificate from the same secret as well:
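The steps above (creating the token secret, binding the role, checking the result and pulling the token and certificate out of the secret) collected into one script, as an added example that is not part of the original page or of Gitness. It assumes the names used on this page (service account `default`, secret `default-secret`, role `cluster-admin`) but names the binding `pipeline-cluster-admin` rather than `cluster-admin`, because a built-in ClusterRoleBinding called `cluster-admin` already exists for the `system:masters` group and applying the page's manifest over it would replace its subjects. The manifest rendering and decoding run without a cluster; only `apply` mode calls kubectl.

```shell
#!/bin/sh
# Added example, not from the original page or the Gitness project.
# Assumed names: service account "default", secret "default-secret",
# binding "pipeline-cluster-admin"; kubectl and base64 are the standard tools.
set -eu

# Manifest for a kubernetes.io/service-account-token secret. On clusters newer
# than 1.22 the token controller only mints a long-lived token when such a
# secret exists and carries the service-account.name annotation.
render_token_secret() {
  sa="$1"; secret="$2"; ns="${3:-default}"
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: ${secret}
  namespace: ${ns}
  annotations:
    kubernetes.io/service-account.name: ${sa}
type: kubernetes.io/service-account-token
EOF
}

# ClusterRoleBinding manifest. The binding name is kept distinct from the
# ClusterRole name because a built-in binding called "cluster-admin" already
# exists for the system:masters group. A ClusterRoleBinding is cluster-scoped,
# so it carries no namespace; only the subject does.
render_binding() {
  sa="$1"; role="$2"; ns="${3:-default}"
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: pipeline-${role}
subjects:
- kind: ServiceAccount
  name: ${sa}
  namespace: ${ns}
roleRef:
  kind: ClusterRole
  name: ${role}
  apiGroup: rbac.authorization.k8s.io
EOF
}

# Secret data comes back base64-encoded from the API server; decode stdin.
decode_b64() {
  base64 -d
}

# Read and decode a single data field of a secret. Dots inside a key must be
# escaped for jsonpath, so "ca.crt" is passed as 'ca\.crt'.
secret_field() {
  secret="$1"; field="$2"; ns="${3:-default}"
  kubectl -n "$ns" get secret "$secret" -o "jsonpath={.data.$field}" | decode_b64
}

# Confirm the binding took effect by asking the API server what the service
# account may do, without using its token at all.
check_access() {
  sa="$1"; ns="${2:-default}"
  kubectl auth can-i create deployments --all-namespaces \
    --as="system:serviceaccount:${ns}:${sa}"
}

# Only talk to a cluster when explicitly asked: ./sa_setup.sh apply
if [ "${1:-}" = "apply" ]; then
  render_token_secret default default-secret | kubectl apply -f -
  render_binding default cluster-admin | kubectl apply -f -
  check_access default
  secret_field default-secret token > token.txt
  secret_field default-secret 'ca\.crt' > ca.crt
fi
```

The two files written in `apply` mode hold exactly the decoded values the next section stores as Gitness secrets; `check_access` is the quick sanity check that the binding was picked up before any pipeline runs.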
Add Gitness Secrets¶
Go to the Gitness project in which you want to use these values in pipelines.
Create new secrets for the following:
- token: the decoded token retrieved above
- certificate: the decoded certificate retrieved above
- kube-api: https://kubernetes.default.svc
- service-account: default