Kubernetes and RBAC are horrible monsters. Debugging them is a time-consuming activity. Here are several hints on how I do that.
First you have to retrieve the secret that stores the token for the system account. This happens with the command:
I’m using the Helm Data Tool to create the proper Kubernetes configuration file. It needs the access token and server certificate. It also needs the URL to the Kubernetes API server. The ca.crt and token files must be in the same directory. This example creates them in the directory ./tmp.
The next step is to generate the access token and certificate. First the certificate is created:
Then the access token is created:
If we’re now in the directory ~/helm-data-tool and kubeconfig-creator.sh is in the bin directory, you create the Kubernetes configuration file with the command:
bin/kubeconfig-creator.sh -b tmp -h https://my-api:443 >sa-kubeconfig
One global kubectl parameter is --kubeconfig. You can pass sa-kubeconfig to it. After that you can test your API calls. E.g. to check if the System Account has global access to list the roles:
Helm does not support setting the configuration from the command line that well. But the commands that do support it have the option --kubeconfig.
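As an added example (not the Helm Data Tool's kubeconfig-creator.sh and not code from this post), the function below shows what building a kubeconfig from a directory with ca.crt and token involves, including the input checks that save time when a later API call fails. The names make_sa_kubeconfig, debug-cluster, debug-sa and debug are hypothetical, and the kubectl auth can-i call in the closing comment is one way to run the permission check, not necessarily the command used here.

```shell
#!/bin/sh
# Added example: build a kubeconfig from a directory holding ca.crt and token.
# Function and context names are hypothetical.

make_sa_kubeconfig() {
    dir=$1      # directory containing ca.crt and token (e.g. tmp)
    server=$2   # URL of the Kubernetes API server

    # Fail early on inputs that otherwise show up later as confusing
    # TLS or 401 errors while debugging RBAC.
    [ -s "$dir/ca.crt" ] || { echo "missing or empty $dir/ca.crt" >&2; return 1; }
    [ -s "$dir/token" ]  || { echo "missing or empty $dir/token" >&2; return 1; }
    grep -q -e '-----BEGIN CERTIFICATE-----' "$dir/ca.crt" ||
        { echo "$dir/ca.crt is not PEM (still base64-encoded?)" >&2; return 1; }
    case $server in
        https://*) ;;
        *) echo "server must be an https:// URL" >&2; return 1 ;;
    esac

    # The kubeconfig embeds the CA as single-line base64; the token goes in verbatim.
    ca_b64=$(base64 < "$dir/ca.crt" | tr -d '\n')
    token=$(tr -d '\r\n' < "$dir/token")

    cat <<EOF
apiVersion: v1
kind: Config
clusters:
- name: debug-cluster
  cluster:
    server: $server
    certificate-authority-data: $ca_b64
users:
- name: debug-sa
  user:
    token: $token
contexts:
- name: debug
  context:
    cluster: debug-cluster
    user: debug-sa
current-context: debug
EOF
}

# The output holds a bearer token, so write it with a restrictive umask:
#   (umask 077; make_sa_kubeconfig tmp https://my-api:443 > sa-kubeconfig)
#   kubectl --kubeconfig sa-kubeconfig auth can-i list roles --all-namespaces
```

Delete the generated file and the tmp directory once debugging is done, since both contain the account's token in clear text.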
These are my personal notes. I hope you like them too. If you have your own hints on how to debug Kubernetes configuration, please let me know.