Configure a Kubernetes Service Account
You must configure a service account in Kubernetes to provide an identity for the build node processes that Pipelines will dynamically control.
This procedure will use your personal account to create the service account. Make sure your personal account has permissions to do this.
Verify Access to the Cluster
First, make sure you can authenticate yourself to the cluster. This means you have a kubeconfig file that uses your personal account. You can verify this by running this command on your local machine; you should see the file listed.
Author a service account spec
To create a service account on Kubernetes, you can leverage kubectl and a service account spec. Create a YML file similar to the one below:
Create the service account
You can create a service account by running the following command:
Get Tokens and IP from Kubernetes
Once the service account has been created, you will need to retrieve some key information from Kubernetes in order to configure it through a kubeconfig.
Fetch the name of the secrets used by the service account
This can be found by running the following command:
Mountable secrets string. This is the name of the secret that holds the token, and will be used in the next step.
Fetch the token from the secret
Using the Mountable secrets string, you can get the token used by the service account. Run the following command to extract this information:
Copy and save the token value. This will be used in your kubeconfig file.
Get the certificate info for the cluster
Every cluster has a certificate that clients can use to encrypt traffic. Fetch the certificate and write to a file (for example, cluster-cert.txt) by running this command:
Copy and save two pieces of information from here:
Configuring Permissions in Kubernetes
Kubernetes includes a number of resources, including roles and role bindings, that can be used to break your cluster into namespaces and limit access to namespaced resources to specific accounts.
This section provides information about defining permissions in Kubernetes using roles and role binding.
Creating a Role
A Role sets permissions within a particular namespace, which must be specified when creating a Role. Each Role has a rules section to define the resources that the rules apply to and the allowed operations, which are required for service account users to run builds within Kubernetes.
For example, the following creates a Role in the jfrog namespace, which will allow read/write access to all resources in the namespace:
Creating a Service Account
Kubernetes uses service accounts to authenticate and authorize requests made by pods. All newly created pods are automatically assigned to the 'default' service account in your cluster. You can, however, create your own service account.
The following example creates a service account called pipelines-k8s-pool in the
Creating a Role Binding
The service account that was created in the previous section can now be given the Role that was created earlier using a RoleBinding in the
Add a Kubernetes Administration Integration
- From the JFrog Platform Administration module go to Pipelines | Integrations.
- Click Add an Integration.
- In the resulting Add New Integration display, click the Integration Type field and select Kubernetes from the dropdown list.
- Enter a Name for the Kubernetes integration.
- Paste in a kubeconfig specification as described below.
- Click Create to finish adding the Kubernetes integration.
Specify a kubeconfig
From the steps in the prior sections, you should have the following pieces of information:
The kubeconfig specification you paste into the Kube Config setting should follow this format:
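Added example (not from the original page and not JFrog's own code): a Python script that checks the server address, cluster certificate data and token collected in the earlier steps, then renders them in the standard kubeconfig layout. It rejects a token whose `sub` claim does not name the service account, which catches a personal credential pasted by mistake. The `jfrog` namespace for the service account, the entry names `k8s-cluster` and `pipelines`, and all sample values are assumptions.

```python
import base64
import json


def jwt_claims(token):
    """Decode the payload of a JWT without verifying its signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token is not a three-part JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def build_kubeconfig(server, ca_data, token, namespace, account):
    """Check the collected values, then return kubeconfig text."""
    for name, value in (("server", server), ("ca_data", ca_data), ("token", token)):
        if not value or any(ch.isspace() for ch in value):
            raise ValueError(f"{name} is empty or contains whitespace")
    if not server.startswith("https://"):
        raise ValueError("server must be an https:// URL")
    if b"-----BEGIN CERTIFICATE-----" not in base64.b64decode(ca_data, validate=True):
        raise ValueError("ca_data is not a base64-encoded PEM certificate")
    # The token must belong to the service account, not to a personal account.
    expected = f"system:serviceaccount:{namespace}:{account}"
    subject = jwt_claims(token).get("sub")
    if subject != expected:
        raise ValueError(f"token subject {subject!r} is not {expected!r}")
    # "k8s-cluster" and "pipelines" are hypothetical entry names.
    return "\n".join([
        "apiVersion: v1", "kind: Config",
        "clusters:", "- name: k8s-cluster", "  cluster:",
        f"    server: {server}",
        f"    certificate-authority-data: {ca_data}",
        "users:", f"- name: {account}", "  user:", f"    token: {token}",
        "contexts:", "- name: pipelines", "  context:",
        "    cluster: k8s-cluster", f"    namespace: {namespace}",
        f"    user: {account}",
        "current-context: pipelines", ""])


if __name__ == "__main__":
    # Constructed sample values; no real cluster, certificate or token.
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    token = ".".join([seg({"alg": "RS256"}),
                      seg({"sub": "system:serviceaccount:jfrog:pipelines-k8s-pool"}), "c2ln"])
    ca = base64.b64encode(b"-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n").decode()
    print(build_kubeconfig("https://203.0.113.10:6443", ca, token, "jfrog", "pipelines-k8s-pool"))
```

The signature is not verified here; the API server does that when the token is used.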
Create a Dynamic Node Pool
Once you have successfully added the Kubernetes administration integration, you can add a dynamic node pool that uses it.