
Rotating kubeconfig for my EMK Cluster


In this tutorial you will learn the basics of a rotating kubeconfig and how to access your cluster with one.

Preconditions:

Here's a short explanation on what you are going to learn in this tutorial:

  • Get a service account kubeconfig
  • Create a rotating kubeconfig for your desired cluster
  • Access the Kubernetes cluster with the requested kubeconfig

A rotating kubeconfig can be requested with a service account, as we do in this tutorial, or you can re-use a previously rotated kubeconfig to request a new one. To rotate, repeat step 2 with the rotated kubeconfig as the requesting kubeconfig and you will receive a fresh rotated kubeconfig.

Step 1. Service account

Head over to the service account tab in your EMK overview in the Fuga Dashboard. Here you will find a default service account. You can use the default one or create a new one. To request the kubeconfig for your cluster, the service account must have the role “admin”.

Service account overview

Then click on the “...”, choose “show kubeconfig” and download the kubeconfig of your service account. You will use this kubeconfig to request a kubeconfig that can access your cluster.

Step 2. Request access

To request the kubeconfig for the Kubernetes cluster we have to create a request file. We will call it “kubeconfig-request.json” and it requires the following data:

% cat > kubeconfig-request.json <<EOF
{
    "apiVersion": "authentication.gardener.cloud/v1alpha1",
    "kind": "AdminKubeconfigRequest",
    "spec": {
        "expirationSeconds": 3600
    }
}
EOF

As written, the request asks for a certificate that expires 3600 seconds (1 hour) after it is issued. Decide how long you actually need the credential and set expirationSeconds to cover that work; Gardener accepts at most 86400 seconds (1 day). A shorter lifetime limits what a leaked kubeconfig is worth, and requesting a new one is a single command.

We now have the request data. The following command sends it to the garden API with the service account kubeconfig from step 1 (here saved as ~/Downloads/kubeconfig.yaml), decodes the base64-encoded kubeconfig from the response and writes it to a file. Fill in the project and shoot names for your environment:

% NAMESPACE=garden-<your_emk_project_name>
% SHOOT=<your_shoot_name>

% kubectl create \
    --kubeconfig ~/Downloads/kubeconfig.yaml \
    --filename ./kubeconfig-request.json \
    --raw /apis/core.gardener.cloud/v1beta1/namespaces/${NAMESPACE}/shoots/${SHOOT}/adminkubeconfig \
    | jq -r ".status.kubeconfig | @base64d" \
    > config-${SHOOT}.yaml

Step 3. Access your cluster

You now have a kubeconfig that can talk to your Kubernetes cluster. Treat the file like a password: it holds a client certificate with cluster-admin rights on the shoot until the requested expiration, so keep it readable only by you and delete it when you are done. To test it, run for example:

% kubectl --kubeconfig config-${SHOOT}.yaml top nodes
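The script below is an added example and not part of the Fuga or Gardener documentation. It wraps the request from step 2 in functions and adds the check you want before step 3: it reads the client certificate embedded in the rotated kubeconfig, prints when it stops working, and refuses to use it if it will expire within the time you still need. The function names (request_kubeconfig, cert_valid_for, and so on) and the rotate.sh file name are this example's own; it assumes kubectl, jq, openssl and base64 are on PATH.

```shell
#!/usr/bin/env bash
# Added example (not from the Fuga/Gardener docs): request a rotated
# kubeconfig (Step 2) and inspect the client certificate it carries before
# using it (Step 3). Function names are this example's own.
set -eu

# Body for the AdminKubeconfigRequest. Gardener caps expirationSeconds at
# 86400 (1 day), so fail locally instead of getting an error from the API.
make_request_json() {   # $1 = expirationSeconds
    local secs="$1"
    if [ "$secs" -gt 86400 ]; then
        echo "expirationSeconds must be at most 86400 (1 day)" >&2
        return 1
    fi
    printf '{"apiVersion":"authentication.gardener.cloud/v1alpha1","kind":"AdminKubeconfigRequest","spec":{"expirationSeconds":%d}}\n' "$secs"
}

# Step 2: POST the request to the garden cluster with the service-account
# kubeconfig and store the returned shoot kubeconfig with mode 0600, since it
# contains a cluster-admin client certificate for the shoot.
request_kubeconfig() {  # $1 = SA kubeconfig, $2 = garden namespace, $3 = shoot, $4 = expirationSeconds, $5 = output path
    local sa_kubeconfig="$1" ns="$2" shoot="$3" secs="$4" out="$5"
    local req
    req="$(mktemp)"
    make_request_json "$secs" > "$req"
    (
        umask 077   # output file is created 0600
        kubectl create \
            --kubeconfig "$sa_kubeconfig" \
            --filename "$req" \
            --raw "/apis/core.gardener.cloud/v1beta1/namespaces/${ns}/shoots/${shoot}/adminkubeconfig" \
            | jq -r '.status.kubeconfig | @base64d' > "$out"
    )
    rm -f "$req"
    # jq exits 0 on empty input, so verify that a kubeconfig actually arrived.
    [ -s "$out" ] || { echo "no kubeconfig returned for ${ns}/${shoot}" >&2; return 1; }
}

# The client certificate embedded in the kubeconfig (first user entry), as PEM.
client_cert_pem() {     # $1 = kubeconfig path
    grep -m1 'client-certificate-data:' "$1" | awk '{print $2}' | base64 -d
}

# When the credential stops working (the certificate's notAfter).
cert_not_after() {      # $1 = kubeconfig path
    client_cert_pem "$1" | openssl x509 -noout -enddate | cut -d= -f2
}

# Return 0 if the certificate is still valid for at least $2 more seconds,
# 1 otherwise. Run this before a long task so it does not die halfway through.
cert_valid_for() {      # $1 = kubeconfig path, $2 = seconds
    client_cert_pem "$1" | openssl x509 -noout -checkend "$2" >/dev/null
}

# Usage: ./rotate.sh request <sa-kubeconfig> <garden-namespace> <shoot> <seconds> <out>
#        ./rotate.sh check <kubeconfig> <seconds-still-needed>
case "${1:-}" in
    request) request_kubeconfig "$2" "$3" "$4" "$5" "$6"
             echo "wrote $6, client certificate valid until $(cert_not_after "$6")" ;;
    check)   if cert_valid_for "$2" "$3"; then
                 echo "ok: valid until $(cert_not_after "$2")"
             else
                 echo "rotate first: certificate expires within $3 s (notAfter $(cert_not_after "$2"))" >&2
                 exit 1
             fi ;;
esac
```

`./rotate.sh request ~/Downloads/kubeconfig.yaml garden-<your_emk_project_name> <your_shoot_name> 3600 config-<your_shoot_name>.yaml` performs step 2; `./rotate.sh check config-<your_shoot_name>.yaml 1800` tells you whether the credential survives the next half hour, which is the moment to rotate instead of having kubectl fail mid-task.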