Version: 3.12-dev

Deploy Application In Remote Cluster via Token

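This section describes how to create the resources required to access a remote cluster with a static token. The token is a long-lived ServiceAccount token stored in a Secret; it stays valid until that Secret or the ServiceAccount is deleted.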

Using Kubernetes RBAC

  1. Create a ServiceAccount:

    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: krci-deployer
      namespace: <deploy_namespace>
  2. Bind the ServiceAccount to the cluster-admin role using a ClusterRoleBinding. This gives the token unrestricted access to every resource in the remote cluster:

    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: krci-deployer-cluster-admin-binding
    subjects:
      - kind: ServiceAccount
        name: krci-deployer
        namespace: <deploy_namespace>
    roleRef:
      kind: ClusterRole
      name: cluster-admin
      apiGroup: rbac.authorization.k8s.io
  3. Create a Secret with a token for the ServiceAccount:

    apiVersion: v1
    kind: Secret
    metadata:
      name: krci-deployer
      namespace: <deploy_namespace>
      annotations:
        kubernetes.io/service-account.name: krci-deployer
    type: kubernetes.io/service-account-token

Using Capsule

  1. Create a ServiceAccount for deployment:

    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: krci-deployer
      namespace: <deploy_namespace>
  2. Create a Secret with a token for the ServiceAccount:

    apiVersion: v1
    kind: Secret
    metadata:
      name: krci-deployer
      namespace: <deploy_namespace>
      annotations:
        kubernetes.io/service-account.name: krci-deployer
    type: kubernetes.io/service-account-token
  3. Configure Capsule to recognize the ServiceAccount's group:

    apiVersion: capsule.clastix.io/v1beta2
    kind: CapsuleConfiguration
    metadata:
      name: default
    spec:
      userGroups:
        - capsule.clastix.io
        - system:serviceaccounts:<deploy_namespace>
  4. Create a Tenant and assign ownership to the ServiceAccount through Capsule:

    apiVersion: capsule.clastix.io/v1beta2
    kind: Tenant
    metadata:
      name: krci-deployer
      namespace: <deploy_namespace>
    spec:
      owners:
        - clusterRoles:
            - admin
            - capsule-namespace-deleter
          kind: ServiceAccount
          name: system:serviceaccount:<deploy_namespace>:krci-deployer

Get Kubernetes Token

To obtain the token generated by following this documentation, run the command below:

    kubectl get secret -n <deploy_namespace> krci-deployer -o jsonpath='{.data.token}' | base64 -d
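
Before the token is pasted into KubeRocketCI, it can be checked that the decoded string really is the static token of krci-deployer. The script below is an added example, not part of the KubeRocketCI documentation: it decodes the JWT payload without verifying the signature and assumes the claim layout Kubernetes uses for Secret-based ServiceAccount tokens. The helper names, the `demo-deploy` namespace and the sample token are constructed for illustration.

```python
import base64
import json
import sys

SECRET_CLAIM = "kubernetes.io/serviceaccount/secret.name"  # present in Secret-based tokens


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT-shaped string (not a real credential)."""
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}.{b64url(b'no-signature')}"


def decode_claims(token: str) -> dict:
    """Return the JWT payload without verifying the signature (inspection only)."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_token(token: str, namespace: str, name: str = "krci-deployer") -> list:
    """Return findings; an empty list means this is the expected static token."""
    claims = decode_claims(token)
    findings = []
    expected = f"system:serviceaccount:{namespace}:{name}"
    if claims.get("sub") != expected:
        findings.append(f"subject {claims.get('sub')!r} is not {expected!r}")
    if claims.get(SECRET_CLAIM) != name:
        findings.append(f"token is not backed by Secret {name!r}")
    if "exp" in claims:
        findings.append("token has an exp claim, so it is not the Secret's static token")
    return findings


if __name__ == "__main__":
    # Real use: token on stdin, namespace as argv[1]; with no argument a constructed sample is used.
    namespace = sys.argv[1] if len(sys.argv) > 1 else "demo-deploy"
    token = sys.stdin.read() if len(sys.argv) > 1 else make_sample_token({
        "sub": f"system:serviceaccount:{namespace}:krci-deployer",
        SECRET_CLAIM: "krci-deployer",
    })
    problems = check_token(token, namespace)
    print("\n".join(problems) or "token matches krci-deployer and carries no expiry")
```

Pipe the output of the `kubectl get secret` command above into the script and pass `<deploy_namespace>` as its argument. No findings means the subject and backing Secret match and the token has no `exp` claim, so it must be rotated by deleting and recreating the Secret.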

Next Steps

After completing the steps in this documentation, you have a token for integration with the Kubernetes cluster. The next step is to configure the cluster integration with KubeRocketCI, as described in the Add Cluster documentation.