Commit b0af974

Updated secure way
moved the kubernetes 1.24 secure way higher up to prevent confusion.
1 parent f8e6b77 commit b0af974

1 file changed

+34
-33
lines changed

‎_docs/integrations/kubernetes.md‎

Lines changed: 34 additions & 33 deletions
Original file line number | Diff line number | Diff line change
@@ -274,10 +274,11 @@ echo $(kubectl get secret -o go-template='{{index .data "token" }}' $(kubectl ge
274274

275275
Once the cluster been added successfully you can go to the`Kubernetes` tab to start working with the services of your cluster.
276276

277-
####The proper/secure way
277+
####The proper/secure way for Kubernetes Cluster 1.24+
278278

279-
For production environments you should create a service account and/or role for Codefresh access.
280-
The minimum permissions Codefresh needs to work with the cluster are the following:
279+
For production environments, create a service account and/or role for Codefresh access.
280+
281+
Codefresh needs these minimum permissions to work with the cluster:
281282

282283
`codefresh-role.yml`
283284
{% highlight yaml %}
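Review bot: The renamed heading at new line 277 scopes this section to Kubernetes 1.24+, but the intro at 279-281 never says what is different on those versions. Suggest one sentence stating that the manifest in this section also creates the `codefresh-user-token` Secret explicitly and that the Certificate and Token commands read from it by name, so a reader can tell which section applies before copying the YAML.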
@@ -314,7 +315,7 @@ kind: ServiceAccount
314315
metadata:
315316
name: codefresh-user
316317
namespace: kube-system
317-
---
318+
---
318319
apiVersion: rbac.authorization.k8s.io/v1
319320
kind: ClusterRoleBinding
320321
metadata:
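Review bot: The `---` separator at 317/318 changes only in whitespace, and the same edit repeats at 415/425. Confirm the new line has no trailing spaces, or drop the change so the commit contains only the section move.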
@@ -327,29 +328,39 @@ subjects:
327328
- kind: ServiceAccount
328329
name: codefresh-user
329330
namespace: kube-system
331+
---
332+
apiVersion: v1
333+
kind: Secret
334+
type: kubernetes.io/service-account-token
335+
metadata:
336+
name: codefresh-user-token
337+
namespace: kube-system
338+
annotations:
339+
kubernetes.io/service-account.name: "codefresh-user"
330340
{% endraw %}
331341
{% endhighlight %}
332342

333-
Select the appropriate cluster if you have more than one:
343+
<br />
334344

345+
1. Select the appropriate cluster if you have more than one:
335346
`Choose cluster`
336347
{% highlight shell %}
337348
{% raw %}
338349
kubectl config use-context <my-cluster-name>
339350
{% endraw %}
340351
{% endhighlight %}
341352

342-
Create the Codefresh user/role:
343-
353+
{:start="2"}
354+
1. Create the Codefresh user/role:
344355
`Apply Codefresh access rules`
345356
{% highlight shell %}
346357
{% raw %}
347358
kubectl apply -f codefresh-role-sa-bind.yml
348359
{% endraw %}
349360
{% endhighlight %}
350361

351-
Finally run the following commands and copy-paste the result to each Codefresh field in the UI:
352-
362+
{:start="3"}
363+
1. Finally run the following commands, and copy-paste the results to the respective Codefresh field in the UI:
353364
`Host IP`
354365
{% highlight shell %}
355366
{% raw %}
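Review bot: The Secret added at new lines 331-339 is of type `kubernetes.io/service-account-token`, which holds a token that does not expire, and the account it belongs to is bound through a ClusterRoleBinding; the section should say how to revoke it. Suggest a sentence after the manifest noting that deleting `codefresh-user-token` in `kube-system` invalidates the token pasted into Codefresh, and that the Secret's `token` and `ca.crt` fields are filled in by the cluster after `kubectl apply`, so the read commands in step 3 can return empty output if run immediately. Minor: the `<br />` at 343 is layout markup in a Markdown file; a blank line would do.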
@@ -360,22 +371,21 @@ export CURRENT_CONTEXT=$(kubectl config current-context) && export CURRENT_CLUST
360371
`Certificate`
361372
{% highlight shell %}
362373
{% raw %}
363-
echo $(kubectl get secret -n kube-system -o go-template='{{index .data "ca.crt" }}'$(kubectl get sacodefresh-user -n kube-system -o go-template="{{range .secrets}}{{.name}}{{end}}"))
374+
echo $(kubectl get secret -n kube-system -o go-template='{{index .data "ca.crt" }}' codefresh-user-token)
364375
{% endraw %}
365376
{% endhighlight %}
366377

367378
`Token`
368379
{% highlight shell %}
369380
{% raw %}
370-
echo $(kubectl get secret -n kube-system -o go-template='{{index .data "token" }}'$(kubectl get sacodefresh-user -n kube-system -o go-template="{{range .secrets}}{{.name}}{{end}}"))
381+
echo $(kubectl get secret -n kube-system -o go-template='{{index .data "token" }}' codefresh-user-token)
371382
{% endraw %}
372383
{% endhighlight %}
373384

374-
####The proper/secure wayforKubernetesCluster 1.24+
385+
####The proper/secure way Kubernetes1.23 and older
375386

376-
For production environments, create a service account and/or role for Codefresh access.
377-
378-
Codefresh needs these minimum permissions to work with the cluster:
387+
For production environments you should create a service account and/or role for Codefresh access.
388+
The minimum permissions Codefresh needs to work with the cluster are the following:
379389

380390
`codefresh-role.yml`
381391
{% highlight yaml %}
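Review bot: The heading added at new line 385 drops the "for" and the "Cluster" that the 1.24+ heading at 277 uses; suggest "The proper/secure way for Kubernetes Cluster 1.23 and older" so the two headings are parallel. The intro at 387-388 also goes back to the "you should create" wording while the 1.24+ section keeps the tightened sentences; use the same text in both. On the commands at 374 and 381: the values are read from `.data`, so they are printed base64-encoded, and the docs should state whether the Codefresh fields expect them in that form.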
@@ -412,7 +422,7 @@ kind: ServiceAccount
412422
metadata:
413423
name: codefresh-user
414424
namespace: kube-system
415-
---
425+
---
416426
apiVersion: rbac.authorization.k8s.io/v1
417427
kind: ClusterRoleBinding
418428
metadata:
@@ -425,39 +435,29 @@ subjects:
425435
- kind: ServiceAccount
426436
name: codefresh-user
427437
namespace: kube-system
428-
---
429-
apiVersion: v1
430-
kind: Secret
431-
type: kubernetes.io/service-account-token
432-
metadata:
433-
name: codefresh-user-token
434-
namespace: kube-system
435-
annotations:
436-
kubernetes.io/service-account.name: "codefresh-user"
437438
{% endraw %}
438439
{% endhighlight %}
439440

440-
<br />
441+
Select the appropriate cluster if you have more than one:
441442

442-
1. Select the appropriate cluster if you have more than one:
443443
`Choose cluster`
444444
{% highlight shell %}
445445
{% raw %}
446446
kubectl config use-context <my-cluster-name>
447447
{% endraw %}
448448
{% endhighlight %}
449449

450-
{:start="2"}
451-
1. Create the Codefresh user/role:
450+
Create the Codefresh user/role:
451+
452452
`Apply Codefresh access rules`
453453
{% highlight shell %}
454454
{% raw %}
455455
kubectl apply -f codefresh-role-sa-bind.yml
456456
{% endraw %}
457457
{% endhighlight %}
458458

459-
{:start="3"}
460-
1. Finally run the following commands, and copy-paste the results to the respective Codefresh field in the UI:
459+
Finally run the following commands and copy-paste the result to each Codefresh field in the UI:
460+
461461
`Host IP`
462462
{% highlight shell %}
463463
{% raw %}
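Review bot: The steps at new lines 441, 450 and 459 are plain sentences, while the 1.24+ section numbers the same three steps with `1.` and `{:start="2"}` / `{:start="3"}`; number both sections or neither. Since this section no longer creates the `codefresh-user-token` Secret (old lines 428-436 are removed), also add a line saying it relies on the token Secret listed under the service account's `.secrets`, which is what the later commands look up.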
@@ -468,17 +468,18 @@ export CURRENT_CONTEXT=$(kubectl config current-context) && export CURRENT_CLUST
468468
`Certificate`
469469
{% highlight shell %}
470470
{% raw %}
471-
echo $(kubectl get secret -n kube-system -o go-template='{{index .data "ca.crt" }}' codefresh-user-token)
471+
echo $(kubectl get secret -n kube-system -o go-template='{{index .data "ca.crt" }}'$(kubectl get sacodefresh-user -n kube-system -o go-template="{{range .secrets}}{{.name}}{{end}}"))
472472
{% endraw %}
473473
{% endhighlight %}
474474

475475
`Token`
476476
{% highlight shell %}
477477
{% raw %}
478-
echo $(kubectl get secret -n kube-system -o go-template='{{index .data "token" }}' codefresh-user-token)
478+
echo $(kubectl get secret -n kube-system -o go-template='{{index .data "token" }}'$(kubectl get sacodefresh-user -n kube-system -o go-template="{{range .secrets}}{{.name}}{{end}}"))
479479
{% endraw %}
480480
{% endhighlight %}
481481

482+
482483
####Restrict Codefresh access to a specific namespace
483484

484485
In most cases, you want to allow Codefresh to access all namespaces inside the cluster. This is the most convenient option as it will make
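Review bot: In the Certificate and Token commands at new lines 471 and 478, the secret name comes from `{{range .secrets}}{{.name}}{{end}}`, which prints every entry in the service account's `.secrets` list with no separator; with more than one entry the names run together and the lookup fails, and with none there is no name to look up. Suggest stating that next to the commands or selecting a single entry. As rendered here there is also no space between the closing `'` of the go-template and `$(`, nor between `sa` and `codefresh-user`; check that the source file has both.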
