Skip to content
This repository was archived by the owner on Aug 28, 2025. It is now read-only.

Commit 9efd880

Browse files
vertex451vertex451
authored
Feat/admin perm cluster access (#301)
* improved the script by adding admin access On-behalf-of: @SAP a.shcherbatiuk@sap.com Signed-off-by: Artem Shcherbatiuk <vertex451@gmail.com>
1 parent aa68c84 commit 9efd880

File tree

1 file changed

+20
-76
lines changed

1 file changed

+20
-76
lines changed

scripts/create-clusteraccess.sh

Lines changed: 20 additions & 76 deletions
Original file line numberDiff line numberDiff line change
@@ -11,9 +11,7 @@ NC='\033[0m' # No Color
1111
# Default values
1212
TARGET_KUBECONFIG=""
1313
MANAGEMENT_KUBECONFIG="${KUBECONFIG:-$HOME/.kube/config}"
14-
SERVICE_ACCOUNT_NAME="gateway-reader"
1514
NAMESPACE="default"
16-
TOKEN_DURATION="24h"
1715

1816
usage() {
1917
echo "Usage: $0 --target-kubeconfig <path> [options]"
@@ -23,13 +21,14 @@ usage() {
2321
echo ""
2422
echo "Optional:"
2523
echo " --management-kubeconfig <path> Path to management cluster kubeconfig (default: \$KUBECONFIG or ~/.kube/config)"
26-
echo " --service-account <name> Service account name (default: gateway-reader)"
2724
echo " --namespace <name> Namespace for secrets (default: default)"
28-
echo " --token-duration <duration> Token duration (default: 24h)"
2925
echo " --help Show this help message"
3026
echo ""
3127
echo "Note: Cluster name will be extracted automatically from the target kubeconfig"
3228
echo ""
29+
echo "Authentication mode:"
30+
echo " Uses target kubeconfig directly for full cluster admin access"
31+
echo ""
3332
echo "Example:"
3433
echo " $0 --target-kubeconfig ~/.kube/target-config"
3534
}
@@ -57,18 +56,10 @@ while [[ $# -gt 0 ]]; do
5756
MANAGEMENT_KUBECONFIG="$2"
5857
shift 2
5958
;;
60-
--service-account)
61-
SERVICE_ACCOUNT_NAME="$2"
62-
shift 2
63-
;;
6459
--namespace)
6560
NAMESPACE="$2"
6661
shift 2
6762
;;
68-
--token-duration)
69-
TOKEN_DURATION="$2"
70-
shift 2
71-
;;
7263
--help)
7364
usage
7465
exit 0
@@ -123,12 +114,7 @@ cleanup_existing_resources() {
123114
log_info "Deleting existing secrets in management cluster..."
124115
KUBECONFIG="$MANAGEMENT_KUBECONFIG" kubectl delete secret "${CLUSTER_NAME}-token" --namespace="$NAMESPACE" --ignore-not-found=true
125116
KUBECONFIG="$MANAGEMENT_KUBECONFIG" kubectl delete secret "${CLUSTER_NAME}-ca" --namespace="$NAMESPACE" --ignore-not-found=true
126-
127-
# Clean up service account and role binding in target cluster
128-
log_info "Cleaning up service account and role binding in target cluster..."
129-
KUBECONFIG="$TARGET_KUBECONFIG" kubectl delete clusterrolebinding "${SERVICE_ACCOUNT_NAME}-binding" --ignore-not-found=true
130-
KUBECONFIG="$TARGET_KUBECONFIG" kubectl delete clusterrolebinding "${SERVICE_ACCOUNT_NAME}-discovery-binding" --ignore-not-found=true
131-
KUBECONFIG="$TARGET_KUBECONFIG" kubectl delete serviceaccount "$SERVICE_ACCOUNT_NAME" --namespace="$NAMESPACE" --ignore-not-found=true
117+
KUBECONFIG="$MANAGEMENT_KUBECONFIG" kubectl delete secret "${CLUSTER_NAME}-admin-kubeconfig" --namespace="$NAMESPACE" --ignore-not-found=true
132118

133119
log_info "Cleanup completed. Creating fresh resources..."
134120
else
@@ -139,6 +125,7 @@ cleanup_existing_resources() {
139125
log_info "Creating ClusterAccess resource '$CLUSTER_NAME'"
140126
log_info "Target kubeconfig: $TARGET_KUBECONFIG"
141127
log_info "Management kubeconfig: $MANAGEMENT_KUBECONFIG"
128+
log_info "Authentication mode: Admin kubeconfig (full cluster access)"
142129

143130
# Clean up existing resources if they exist
144131
cleanup_existing_resources
@@ -176,49 +163,8 @@ if ! KUBECONFIG="$TARGET_KUBECONFIG" kubectl cluster-info &>/dev/null; then
176163
fi
177164
log_info "Target cluster is accessible"
178165

179-
# Create service account in target cluster
180-
log_info "Creating service account '$SERVICE_ACCOUNT_NAME' in target cluster..."
181-
KUBECONFIG="$TARGET_KUBECONFIG" kubectl create serviceaccount "$SERVICE_ACCOUNT_NAME" --namespace="$NAMESPACE" --dry-run=client -o yaml | \
182-
KUBECONFIG="$TARGET_KUBECONFIG" kubectl apply -f -
183-
184-
# Create cluster role binding
185-
log_info "Creating cluster role binding for service account..."
186-
KUBECONFIG="$TARGET_KUBECONFIG" kubectl create clusterrolebinding "${SERVICE_ACCOUNT_NAME}-binding" \
187-
--clusterrole=view \
188-
--serviceaccount="${NAMESPACE}:${SERVICE_ACCOUNT_NAME}" \
189-
--dry-run=client -o yaml | \
190-
KUBECONFIG="$TARGET_KUBECONFIG" kubectl apply -f -
191-
192-
# Create additional cluster role binding for discovery API
193-
log_info "Creating discovery API cluster role binding for service account..."
194-
KUBECONFIG="$TARGET_KUBECONFIG" kubectl create clusterrolebinding "${SERVICE_ACCOUNT_NAME}-discovery-binding" \
195-
--clusterrole=system:discovery \
196-
--serviceaccount="${NAMESPACE}:${SERVICE_ACCOUNT_NAME}" \
197-
--dry-run=client -o yaml | \
198-
KUBECONFIG="$TARGET_KUBECONFIG" kubectl apply -f -
199-
200-
# Generate token
201-
log_info "Generating token for service account..."
202-
TOKEN=$(KUBECONFIG="$TARGET_KUBECONFIG" kubectl create token "$SERVICE_ACCOUNT_NAME" --namespace="$NAMESPACE" --duration="$TOKEN_DURATION")
203-
if [[ -z "$TOKEN" ]]; then
204-
log_error "Failed to generate token"
205-
exit 1
206-
fi
207-
log_info "Token generated successfully"
208-
209-
# Test token permissions
210-
log_info "Testing token permissions..."
211-
if ! KUBECONFIG="$TARGET_KUBECONFIG" kubectl auth can-i list configmaps --as="system:serviceaccount:${NAMESPACE}:${SERVICE_ACCOUNT_NAME}" &>/dev/null; then
212-
log_warn "Token may not have sufficient permissions to list configmaps"
213-
fi
214-
215-
# Test Discovery API permissions
216-
log_info "Testing Discovery API permissions..."
217-
if ! KUBECONFIG="$TARGET_KUBECONFIG" kubectl auth can-i get /apis --as="system:serviceaccount:${NAMESPACE}:${SERVICE_ACCOUNT_NAME}" &>/dev/null; then
218-
log_error "Token does not have Discovery API permissions. This will cause 'Unauthorized' errors."
219-
exit 1
220-
fi
221-
log_info "Discovery API permissions verified successfully"
166+
# Admin access mode: use kubeconfig directly
167+
log_info "Using admin kubeconfig mode"
222168

223169
# Test management cluster connectivity
224170
log_info "Testing management cluster connectivity..."
@@ -228,24 +174,24 @@ if ! KUBECONFIG="$MANAGEMENT_KUBECONFIG" kubectl cluster-info &>/dev/null; then
228174
fi
229175
log_info "Management cluster is accessible"
230176

231-
# Create token secret in management cluster
232-
log_info "Creating token secret in management cluster..."
233-
KUBECONFIG="$MANAGEMENT_KUBECONFIG" kubectl create secret generic "${CLUSTER_NAME}-token" \
177+
# Create kubeconfig secret in management cluster
178+
log_info "Creating admin kubeconfig secret in management cluster..."
179+
KUBECONFIG="$MANAGEMENT_KUBECONFIG" kubectl create secret generic "${CLUSTER_NAME}-admin-kubeconfig" \
234180
--namespace="$NAMESPACE" \
235-
--from-literal=token="$TOKEN" \
181+
--from-file=kubeconfig="$TARGET_KUBECONFIG" \
236182
--dry-run=client -o yaml | \
237183
KUBECONFIG="$MANAGEMENT_KUBECONFIG" kubectl apply -f -
238184

239-
# Create CA secret in management cluster
185+
# Create CA secret in management cluster
240186
log_info "Creating CA secret in management cluster..."
241187
echo "$CA_CERT" | KUBECONFIG="$MANAGEMENT_KUBECONFIG" kubectl create secret generic "${CLUSTER_NAME}-ca" \
242188
--namespace="$NAMESPACE" \
243189
--from-file=ca.crt=/dev/stdin \
244190
--dry-run=client -o yaml | \
245191
KUBECONFIG="$MANAGEMENT_KUBECONFIG" kubectl apply -f -
246192

247-
# Create ClusterAccess resource
248-
log_info "Creating ClusterAccess resource..."
193+
# Create ClusterAccess resource with kubeconfig authentication
194+
log_info "Creating ClusterAccess resource with admin kubeconfig..."
249195
cat <<EOF | KUBECONFIG="$MANAGEMENT_KUBECONFIG" kubectl apply -f -
250196
apiVersion: gateway.openmfp.org/v1alpha1
251197
kind: ClusterAccess
@@ -260,22 +206,20 @@ spec:
260206
namespace: $NAMESPACE
261207
key: ca.crt
262208
auth:
263-
secretRef:
264-
name: ${CLUSTER_NAME}-token
209+
kubeconfigSecretRef:
210+
name: ${CLUSTER_NAME}-admin-kubeconfig
265211
namespace: $NAMESPACE
266-
key: token
267212
EOF
268213

269-
log_info "ClusterAccess resource '$CLUSTER_NAME' created successfully!"
214+
log_info "ClusterAccess resource '$CLUSTER_NAME' created successfully with admin access!"
270215
echo ""
271216
log_info "Summary:"
272-
echo " - Service account: $NAMESPACE/$SERVICE_ACCOUNT_NAME (in target cluster)"
273-
echo " - View permissions: ${SERVICE_ACCOUNT_NAME}-binding (ClusterRoleBinding to 'view')"
274-
echo " - Discovery permissions: ${SERVICE_ACCOUNT_NAME}-discovery-binding (ClusterRoleBinding to 'system:discovery')"
275-
echo " - Token secret: $NAMESPACE/${CLUSTER_NAME}-token (in management cluster)"
217+
echo " - Admin kubeconfig secret: $NAMESPACE/${CLUSTER_NAME}-admin-kubeconfig (in management cluster)"
276218
echo " - CA secret: $NAMESPACE/${CLUSTER_NAME}-ca (in management cluster)"
277219
echo " - ClusterAccess: $CLUSTER_NAME"
278220
echo " - Server URL: $SERVER_URL"
221+
echo " - Access level: Full cluster admin (can access all resources including ClusterRoles, etc.)"
222+
279223
echo ""
280224
log_info "You can now run the listener to generate the schema:"
281225
echo " export ENABLE_KCP=false"

0 commit comments

Comments
 (0)