Is there a way to create a token for a normal user in Kubernetes?
- Normal users are assumed to be managed by an outside, independent service (private keys, third parties like Google Accounts, even a file with a list of usernames and passwords). Kubernetes does not have objects which represent normal user accounts.
- Service accounts are users managed by the Kubernetes API, bound to specific namespaces. Service accounts are tied to a set of credentials stored as Secrets. Service account bearer tokens are perfectly valid to use outside the cluster and can be used to create identities for long standing jobs that wish to talk to the Kubernetes API. To manually create a service account, simply use the
kubectl create serviceaccount ACCOUNT_NAME
command. This creates a service account in the current namespace and an associated secret that holds the public CA of the API server and a signed JSON Web Token (JWT).
So you can create a serviceaccount and then use that token to authenticate the requests to the API.
Something similar to this example
$ kubectl create serviceaccount jenkinsserviceaccount "jenkins" created$ kubectl get serviceaccounts jenkins -o yamlapiVersion: v1kind: ServiceAccountmetadata: # ...secrets:- name: jenkins-token-1yvwg
And then fetch the token
$ kubectl get secret jenkins-token-1yvwg -o yamlapiVersion: v1data: ca.crt: (APISERVER'S CA BASE64 ENCODED) namespace: ZGVmYXVsdA== token: (BEARER TOKEN BASE64 ENCODED)kind: Secretmetadata: # ...type: kubernetes.io/service-account-token