Bootstrap FreeKB - ArgoCD - Create the argocd-manager Service Account

If you are not familiar with the oc command, refer to OpenShift - Getting Started with the oc command.

On OpenShift, use the oc login command to log into the cluster as a user that has permission to create a Service Account, a Cluster Role and a Cluster Role Binding. kubectl itself has no login subcommand, so on plain Kubernetes select a kubeconfig context whose user already holds those permissions instead.

~]$ oc login -u john.doe api.dev.openshift.example.com:6443
Authentication required for https://api.dev.openshift.example.com:6443 (openshift)
Console URL: https://api.dev.openshift.example.com:6443/console
Username: john.doe
Password:
Login successful.
You have access to 432 projects, the list has been suppressed. You can list all projects with 'oc projects'
Using project "default".
Welcome! See 'oc help' to get started.

 

The auth can-i command can be used to determine if you have permission to create a Service Account. Run the same check for clusterroles and clusterrolebindings as well: the Cluster Role created below is cluster-admin equivalent, and Kubernetes RBAC refuses to let you create a role that grants more than you yourself hold, or bind a role whose permissions you do not hold, unless you have the escalate or bind verb on those resources.

~]$ oc auth can-i create serviceaccount
yes

 

Service Account

Let's use the kubectl (Kubernetes) or oc (OpenShift) create serviceaccount command to create a Service Account in the kube-system namespace.

kubectl create serviceaccount argocd-manager --namespace kube-system

 

Cluster Role

Let's create a YAML file that contains the following YAML to create a Cluster Role named argocd-manager-role. Note what this role grants: every verb on every resource in every API group, plus every non-resource URL, which makes the Service Account equivalent to cluster-admin. This is the same role that Argo CD's own argocd cluster add command creates, but if Argo CD only needs to deploy into a few namespaces, a namespaced Role and Role Binding in each of those namespaces is the least-privilege alternative.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: argocd-manager-role
rules:
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - '*'
- nonResourceURLs:
  - '*'
  verbs:
  - '*'

 

The kubectl (Kubernetes) or oc (OpenShift) apply command can be used to create the Cluster Role using the YAML file.

kubectl apply -f cluster_role.yaml

 

Cluster Role Binding

The kubectl (Kubernetes) or oc (OpenShift) create clusterrolebinding command can be used to create a Cluster Role Binding that maps the Service Account to the Cluster Role.

oc create clusterrolebinding argocd-manager-role-binding --clusterrole argocd-manager-role --serviceaccount kube-system:argocd-manager

 

The Cluster Role Binding should now reference the Cluster Role and list the Service Account as its subject. A Cluster Role Binding is cluster-scoped: the kube-system shown under Namespace identifies where the Service Account lives, not a limit on where the role applies, so argocd-manager can now act in every namespace.

~]$ oc describe clusterrolebinding argocd-manager-role-binding
Name:         argocd-manager-role-binding
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  ClusterRole
  Name:  argocd-manager-role
Subjects:
  Kind            Name                Namespace
  ----            ----                ---------
  ServiceAccount  argocd-manager      kube-system

 

On Kubernetes releases before 1.24 (and OpenShift releases built on them), creating the Service Account also creates a Secret named argocd-manager-token-&lt;random suffix&gt; containing a long-lived bearer token; the suffix (js959 below) will differ on your cluster, so list the secrets in kube-system to find yours. On 1.24 and later no such Secret is created automatically: the create token subcommand produces a time-bound token, which is not suitable for a credential Argo CD stores, so create a Secret of type kubernetes.io/service-account-token annotated with the Service Account name instead and read the token from it. Either way, make note of this token and handle it as you would a cluster-admin password.

~]$ kubectl get secret argocd-manager-token-js959 --namespace kube-system --output jsonpath="{.data.token}" | base64 --decode
eyJhbGciOiJSUzI1NiIsImtpZCI6InhlOXdWYjdVYV9qOXk2RVZ2X0JVV1ZZTnZXTy0yR2xRVDhMOEpOUVBnVmsifQ....Idd7VeoZhDofAiu8ebo8kUxVleeIlkzv8srwpWX0pdefTsqlgJPhzj5rnntK5QyhoQbFRAjPgcnNIixAeiYzUvmUf1H1KlRF2oTih0a7BknIjNRGovn3v3YaWJf6lkkJMWLRGuPWo7tEREOZJtMi-_3Nck5o0R7zSfNCUPC8fwx4es2x4EF4Lm6jaR0IJfcgHuGEjyO4gGTOyZScwzBgrl-HRiNqb2RBeY7_hBAckln3ceX3HKu8XovMgFIoNgk-TXxBs4MHjofCMcj8mxgJObLZwAfgIKvixUQMMKFbGHD0-QO9XcLj6E9X4oM2WeD67RJZcu3TYFnP0V4LiZZ_GWq1HCvH7h7hy9tKd9_9Cbioxw4YO1WtBxapZghtE_ZVnVDX8U-xcO1n0T9WyUkkWFHKipvbZBnDkAtjX3I1Du33pPmg1Xo8mf7EMzNRkqZdP2xyGMwss6Pw9B0PG7P3U1aPguF_dGhxVNvAI4zZIDRpmiLwHvd2t7D3gGCFTCM06pyZjImOFZg4LvrqaYQZAnNWzUBqdXNg-LAuRIGz3X3SfAun1aPTFG9xA8eh08c8aKD8KvjPkfwG_QldYOzcwgumwWlzRRBeA_ozZF-66a83A91nLApcgRLXupcucrNJuMiirUL_Dl7mTnwiaxhMjT3o86RRx_hMS2z5c9liwV8

 

Let's log out of OpenShift. (kubectl has no logout subcommand; on plain Kubernetes, switch to a different kubeconfig context or user instead.)

oc logout

 

And see if we can log in using the service account token. kubectl has no login subcommand either, so this is oc login, passing the API server from the first login and the full three-part JWT noted above as the token. Once logged in, oc whoami should report system:serviceaccount:kube-system:argocd-manager.

oc login --server https://api.dev.openshift.example.com:6443 --token eyJhbGciOiJSUzI1NiIsImtpZCI6InhlOXdWYjdVYV9qOXk2RVZ2X0JVV1ZZTnZXTy0yR2xRVDhMOEpOUVBnVmsifQ....Idd7VeoZhDofAiu8ebo8kUxVleeIlkzv8srwpWX0pdefTsqlgJPhzj5rnntK5QyhoQbFRAjPgcnNIixAeiYzUvmUf1H1KlRF2oTih0a7BknIjNRGovn3v3YaWJf6lkkJMWLRGuPWo7tEREOZJtMi-_3Nck5o0R7zSfNCUPC8fwx4es2x4EF4Lm6jaR0IJfcgHuGEjyO4gGTOyZScwzBgrl-HRiNqb2RBeY7_hBAckln3ceX3HKu8XovMgFIoNgk-TXxBs4MHjofCMcj8mxgJObLZwAfgIKvixUQMMKFbGHD0-QO9XcLj6E9X4oM2WeD67RJZcu3TYFnP0V4LiZZ_GWq1HCvH7h7hy9tKd9_9Cbioxw4YO1WtBxapZghtE_ZVnVDX8U-xcO1n0T9WyUkkWFHKipvbZBnDkAtjX3I1Du33pPmg1Xo8mf7EMzNRkqZdP2xyGMwss6Pw9B0PG7P3U1aPguF_dGhxVNvAI4zZIDRpmiLwHvd2t7D3gGCFTCM06pyZjImOFZg4LvrqaYQZAnNWzUBqdXNg-LAuRIGz3X3SfAun1aPTFG9xA8eh08c8aKD8KvjPkfwG_QldYOzcwgumwWlzRRBeA_ozZF-66a83A91nLApcgRLXupcucrNJuMiirUL_Dl7mTnwiaxhMjT3o86RRx_hMS2z5c9liwV8
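Before pasting a token into oc login or into an Argo CD cluster secret, it is worth confirming whose token it is and whether it will expire. The script below is an added example for this article, not FreeKB's or Argo CD's own code. It assumes only POSIX sh plus the coreutils base64, tr, cut, sed and grep; its sample token is constructed inline with the real claim layout of a legacy service-account token but a throwaway header and placeholder signature, so it is valid nowhere and runs offline. The long_lived_token_secret function is also an addition here: it prints the Secret manifest that yields a non-expiring token on clusters that no longer create argocd-manager-token-<suffix> automatically.

```shell
#!/bin/sh
# Added example (not FreeKB's or Argo CD's code): inspect a service-account
# bearer token before storing it as an Argo CD cluster credential, and emit the
# Secret manifest for a long-lived token on Kubernetes 1.24+.
# Assumes only POSIX sh plus base64, tr, cut, sed and grep.

# base64url-decode one JWT segment. JWTs strip the '=' padding and use '-_' in
# place of '+/', and a plain `base64 -d` chokes on both.
b64url_decode() {
    seg=$(printf '%s' "$1" | tr '_-' '/+')
    case $(( ${#seg} % 4 )) in
        2) seg="${seg}==" ;;
        3) seg="${seg}=" ;;
    esac
    printf '%s' "$seg" | base64 -d
}

# Decoded claims (the second dot-separated segment) of a JWT, newline-terminated.
jwt_payload() {
    printf '%s\n' "$(b64url_decode "$(printf '%s' "$1" | cut -d. -f2)")"
}

# Value of string claim $2 in JWT $1; empty if absent. Claim keys such as
# kubernetes.io/serviceaccount/namespace contain '/', hence '|' as sed delimiter.
jwt_claim() {
    jwt_payload "$1" | sed -n "s|.*\"$2\":\"\([^\"]*\)\".*|\1|p"
}

# Succeeds if claim key $2 is present at all (also works for numeric claims like exp).
jwt_has_claim() {
    jwt_payload "$1" | grep -q "\"$2\":"
}

# Succeeds only if the token's subject is the expected service account, e.g.
# system:serviceaccount:kube-system:argocd-manager. Store the wrong token and
# Argo CD quietly runs as whatever that subject is.
check_token_subject() {
    [ "$(jwt_claim "$1" sub)" = "$2" ]
}

# Succeeds if the token is a legacy long-lived secret token (no exp claim), the
# kind a stored Argo CD credential needs; bound tokens from `kubectl create token`
# carry exp and stop working once it passes.
token_is_long_lived() {
    ! jwt_has_claim "$1" exp
}

# Manifest for a long-lived token Secret bound to service account $1 in
# namespace $2. Apply it, then read .data.token from the Secret as the article does.
long_lived_token_secret() {
    cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $1-token
  namespace: $2
  annotations:
    kubernetes.io/service-account.name: $1
type: kubernetes.io/service-account-token
EOF
}

# CONSTRUCTED sample token: real legacy-token claim layout, throwaway header,
# placeholder signature ("signature" in base64), so it is not valid anywhere.
b64url() { printf '%s' "$1" | base64 | tr -d '=\n' | tr '/+' '_-'; }
SAMPLE_TOKEN="$(b64url '{"alg":"RS256","kid":"example"}').$(b64url '{"iss":"kubernetes/serviceaccount","kubernetes.io/serviceaccount/namespace":"kube-system","kubernetes.io/serviceaccount/secret.name":"argocd-manager-token-js959","kubernetes.io/serviceaccount/service-account.name":"argocd-manager","sub":"system:serviceaccount:kube-system:argocd-manager"}').c2lnbmF0dXJl"

# Stand-alone run: summarise the sample token the way you would a real one.
printf 'subject:    %s\n' "$(jwt_claim "$SAMPLE_TOKEN" sub)"
printf 'namespace:  %s\n' "$(jwt_claim "$SAMPLE_TOKEN" kubernetes.io/serviceaccount/namespace)"
if token_is_long_lived "$SAMPLE_TOKEN"; then echo 'long-lived: yes'; else echo 'long-lived: no'; fi
```

Run it against a real token by replacing SAMPLE_TOKEN with the value read from the Secret. Once the subject checks out and you have logged in with the token, oc whoami should print system:serviceaccount:kube-system:argocd-manager, and oc auth can-i --list will show the wildcard permissions the Cluster Role Binding granted.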
