I see Spinnaker using the system:anonymous user to authenticate to K8s, but I want a specific user (which I already created in K8s) to authenticate to K8s. I used the kubeconfig below to use the user veeru:
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: RETRACTED
    server: https://xx.xx.xx.220:8443
  name: xx-xx-xx-220:8443
contexts:
- context:
    cluster: xx-xx-xx-220:8443
    namespace: default
    user: veeru/xx-xx-xx-220:8443
  name: area-51/xx-xx-xx-220:8443/veeru
current-context: area-51/xx-xx-xx-220:8443/veeru
kind: Config
preferences: {}
users:
- name: veeru/xx-xx-xx-220:8443
  user:
    client-certificate-data: RETRACTED
    client-key-data: RETRACTED
And I specified the user (like here) in the config (~/.hal/config) like below:
kubernetes:
  enabled: true
  accounts:
  - name: my-k8s-account
    requiredGroupMembership: []
    providerVersion: V1
    dockerRegistries:
    - accountName: my-docker-registry2
      namespaces: []
    configureImagePullSecrets: true
    namespaces: ["area-51"]
    user: veeru
    omitNamespaces: []
    kubeconfigFile: /home/ubuntu/.kube/config
    oauthScopes: []
    oAuthScopes: []
  primaryAccount: my-k8s-account
But Spinnaker is still using system:anonymous:
2018-01-22 08:35:13.929 ERROR 4639 --- [pool-4-thread-1] c.n.s.c.o.DefaultOrchestrationProcessor : com.netflix.spinnaker.clouddriver.kubernetes.v1.deploy.exception.KubernetesOperationException: Get Service openshifttest-dev in area-51 for account my-k8s-account failed: User "system:anonymous" cannot get services in the namespace "area-51": User "system:anonymous" cannot get services in project "area-51"
Is there any way to specify that Spinnaker should use the configured user instead of system:anonymous?
Followed: https://blog.spinnaker.io/spinnaker-kubernetes-rbac-c40f1f73c172

Got the secret from kubectl describe secret spinnaker-service-account-token-9sl6q and updated the kubeconfig like below:
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: REDACTED
    server: https://xx.xx.xx.xx:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    namespace: webapp
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
- context:
    cluster: kubernetes
    user: spinnaker-service-account
  name: spinnaker-context
current-context: spinnaker-context
kind: Config
preferences: {}
users:
- name: kubernetes-admin
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
- name: spinnaker-service-account
  user:
    token: eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9....
Then I ran sudo hal deploy:

....
! ERROR Unable to communicate with your Kubernetes cluster: Failure
executing: GET at: https://xx.xx.xx.xx:6443/api/v1/namespaces. Message:
Forbidden! User spinnaker-service-account doesn't have permission. namespaces is
forbidden: User "system:serviceaccount:default:spinnaker-service-account" cannot
list namespaces at the cluster scope..
? Unable to authenticate with your Kubernetes cluster. Try using
kubectl to verify your credentials.
....
I'm able to run

$ kubectl get namespace webapp
NAME      STATUS    AGE
webapp    Active    22m

I have specified the webapp namespace and the user as spinnaker-service-account in ~/.hal/config.
I'm using GKE with basic authentication disabled. I have my Spinnaker use a dedicated K8s service account that I created. In my ~/.kube/config I have tokens for each K8s cluster:
users:
- name: gke_operation-covfefe-1_asia-east1_testing-asia-east1
  user:
    token: token1
- name: gke_operation-covfefe-1_europe-west1_testing-europe-west1
  user:
    token: token2
- name: gke_operation-covfefe-1_us-central1_testing-us-central1
  user:
    token: token3
I got these tokens by running

kubectl get secret spinnaker-service-account -o json \
  | jq -r .data.token \
  | base64 -d

and then manually updating my ~/.kube/config file.
Make sure your service account has the required RBAC permissions. See the blog post here.

Also make sure you give the service account the required RBAC permissions. See the "Role" section of the blog post above or the guide here. When you test the RBAC permissions with kubectl, make sure you're using the same service account as the one Spinnaker is using.

If you want Spinnaker to act on all namespaces, use ClusterRole and ClusterRoleBinding in your RBAC. The blog post only uses Role and RoleBinding, which restricts actions to a particular namespace(s). See this guide for the Cluster* way. Note the PR to fix a typo here.
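As an added example (not code from the question or the answer), the check the answer recommends: decode the service-account token you put in the kubeconfig to see which identity the API server will attribute to it (the same "system:serviceaccount:&lt;namespace&gt;:&lt;name&gt;" string that appears in the Forbidden error above), and build a ClusterRoleBinding for exactly that subject so cluster-scoped calls such as listing namespaces are allowed. The sample token and the ClusterRole name spinnaker-role are constructed placeholders; only the legacy service-account claim names are real.

```python
import base64
import json

# Constructed sample token for this example: real-shaped legacy service-account
# claims, but the signature is a placeholder, so it cannot be verified or used.
def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

SAMPLE_CLAIMS = {
    "iss": "kubernetes/serviceaccount",
    "kubernetes.io/serviceaccount/namespace": "default",
    "kubernetes.io/serviceaccount/secret.name": "spinnaker-service-account-token-9sl6q",
    "kubernetes.io/serviceaccount/service-account.name": "spinnaker-service-account",
    "sub": "system:serviceaccount:default:spinnaker-service-account",
}
SAMPLE_TOKEN = ".".join([
    _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    _b64url(json.dumps(SAMPLE_CLAIMS).encode()),
    _b64url(b"placeholder-signature"),
])

def token_identity(token: str) -> dict:
    """Decode the claims (no signature check; this only inspects a token you
    already hold) and return the identity the API server attributes to it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    ns = claims["kubernetes.io/serviceaccount/namespace"]
    name = claims["kubernetes.io/serviceaccount/service-account.name"]
    # This is the exact string that shows up in "Forbidden! User ..." errors.
    return {"namespace": ns, "name": name, "user": f"system:serviceaccount:{ns}:{name}"}

def cluster_role_binding(identity: dict, role: str = "spinnaker-role") -> dict:
    """ClusterRoleBinding granting ClusterRole `role` (hypothetical name) cluster-wide
    to exactly the ServiceAccount the token represents, namespace included."""
    return {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "ClusterRoleBinding",
        "metadata": {"name": f"{role}-binding"},
        "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                    "kind": "ClusterRole", "name": role},
        "subjects": [{"kind": "ServiceAccount",
                      "name": identity["name"], "namespace": identity["namespace"]}],
    }

if __name__ == "__main__":
    ident = token_identity(SAMPLE_TOKEN)
    print("token identity:", ident["user"])
    print(json.dumps(cluster_role_binding(ident), indent=2))  # kubectl apply -f takes JSON
```

The namespace in the subject matters: the error above names system:serviceaccount:default:spinnaker-service-account, so a binding whose subject lists any other namespace will not apply to that token.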