Imagine that, after using Jenkins successfully to build your application container, you use kubectl to update a Deployment and roll out the new binary. To do that, you invoke a kubectl command from inside a Jenkins pod. In this scenario, the pod needs a credential to communicate with the Kubernetes master.
Fortunately, Kubernetes supports this kind of scenario through service accounts, which are described in detail in Chapter 8, Advanced Cluster Administration. This recipe uses the simplest approach: the default namespace and the cluster-admin ClusterRole.
To check whether RBAC is enabled and whether the cluster-admin ClusterRole exists, type the kubectl get clusterrole command:
$ kubectl get clusterrole cluster-admin
NAME            AGE
cluster-admin   42m
Next, create a service account, jenkins-sa, which will be used by a Jenkins pod. Prepare the following YAML configuration, and type the kubectl create command to create it:
$ cat jenkins-serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: jenkins-sa
  namespace: default
$ kubectl create -f jenkins-serviceaccount.yaml
serviceaccount "jenkins-sa" created
Now we can associate the jenkins-sa service account with a cluster-admin ClusterRole. Prepare a ClusterRoleBinding configuration and run the kubectl create command:
$ cat jenkins-cluster-admin.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: jenkins-cluster-admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: jenkins-sa
  namespace: default
$ kubectl create -f jenkins-cluster-admin.yaml
clusterrolebinding.rbac.authorization.k8s.io "jenkins-cluster-admin" created
As a result, any pod launched with the jenkins-sa service account has full control over the Kubernetes cluster, because the cluster-admin ClusterRole grants every verb on every resource.
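The recipe binds jenkins-sa to cluster-admin for simplicity; the scenario in the first paragraph only needs to update a Deployment in the default namespace. The following is an added example, not part of the recipe, showing how the same service account can instead be bound to a namespace-scoped Role that covers just that rollout (the resource and verb list is an assumption about what the pipeline needs), together with kubectl auth can-i checks to confirm what the account can and cannot do.

```yaml
# Namespace-scoped Role for the Jenkins pipeline (added example, not from the recipe).
# Assumption: the pipeline only rolls out Deployments in "default" and watches the
# rollout; widen the rules only if a real pipeline step is denied.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: jenkins-deployer
  namespace: default
rules:
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "list", "watch", "update", "patch"]   # kubectl set image / apply
- apiGroups: ["apps"]
  resources: ["replicasets"]
  verbs: ["get", "list", "watch"]                      # kubectl rollout status
---
# RoleBinding replaces the ClusterRoleBinding: same subject, far smaller blast radius.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: jenkins-deployer
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: jenkins-deployer
subjects:
- kind: ServiceAccount
  name: jenkins-sa
  namespace: default

# Verify the effective permissions by impersonating the service account:
#   kubectl auth can-i update deployments -n default \
#     --as=system:serviceaccount:default:jenkins-sa        # expected: yes
#   kubectl auth can-i delete clusterrolebindings \
#     --as=system:serviceaccount:default:jenkins-sa        # expected: no
# With the recipe's cluster-admin binding still in place, both answers are "yes";
# delete it (kubectl delete clusterrolebinding jenkins-cluster-admin) once the
# namespaced Role is confirmed sufficient.
```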