This post is the 14th in our Kubernetes training series, providing DevOps engineers with an introduction to Docker, Kubernetes, and Octopus.
This video demonstrates how to create an Octopus target that authenticates to the cluster with a service account token.
If you don't already have Octopus account, you can start a free trial.
You can work through the series using the links below.
- Getting started with Docker
- Installing a development Kubernetes cluster
- Creating Docker containers
- Creating Kubernetes resources
- Creating Kubernetes services
- Deploying to Kubernetes with Octopus
- Multi-environment deployments
- Installing a dashboard
- Observing deployment strategies
- Blue/green deployment strategy
- ConfigMaps and Secrets
- ConfigMaps and Secrets demo
- Role Based Access Control
- Role Based Access Control demo
- Ingress and Ingress Controllers
- Ingress and Ingress Controllers demo
- Deploy Google's Online Boutique microservice stack in Octopus
Get insights into the culture and methods of modern software delivery
Sign up for our fortnightly Continuously Delivered email series to learn from our experiences with Continuous Delivery, Agile, Lean, DevOps, and more.
Sign upExample code
RBAC resources
This is the compound YAML document containing the RBAC resources used to limit an service account to a single namespace:
apiVersion: v1
kind: ServiceAccount
metadata:
name: octopub-deployer
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: octopub-deployer-role
rules:
- apiGroups: ["", "extensions", "apps", "networking.k8s.io"]
resources: ["deployments", "replicasets", "pods", "services", "ingresses", "secrets", "configmaps"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: [""]
resources: ["namespaces"]
verbs: ["get"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: octopub-deployer-rolebinding
subjects:
- kind: ServiceAccount
name: octopub-deployer
apiGroup: ""
roleRef:
kind: Role
name: octopub-deployer-role
apiGroup: ""
---
apiVersion: v1
kind: Secret
type: kubernetes.io/service-account-token
metadata:
name: octopub-deployer-secret
annotations:
kubernetes.io/service-account.name: "octopub-deployer"
Target creation script
This script creates a new Octopus token account and target by extracting the token from a secret and the Kubernetes URL from the current Kubernetes context:
SERVER=$(kubectl config view -o json | jq -r '.clusters[0].cluster.server')
TOKEN=$(kubectl get secret octopub-deployer-secret -n octopub -o json | jq -r '.data.token' | base64 -d)
echo "##octopus[create-tokenaccount \
name=\"$(encode_servicemessagevalue "Octopub #{Octopus.Environment.Name}")\" \
token=\"$(encode_servicemessagevalue "${TOKEN}")\" \
updateIfExisting=\"$(encode_servicemessagevalue 'True')\"]"
echo "##octopus[create-kubernetestarget \
name=\"$(encode_servicemessagevalue "Octopub #{Octopus.Environment.Name}")\" \
octopusRoles=\"$(encode_servicemessagevalue 'Octopub')\" \
clusterUrl=\"$(encode_servicemessagevalue "${SERVER}")\" \
octopusAccountIdOrName=\"$(encode_servicemessagevalue "Octopub #{Octopus.Environment.Name}")\" \
namespace=\"$(encode_servicemessagevalue "octopub")\" \
octopusDefaultWorkerPoolIdOrName=\"$(encode_servicemessagevalue "Laptop")\" \
updateIfExisting=\"$(encode_servicemessagevalue 'True')\" \
skipTlsVerification=\"$(encode_servicemessagevalue 'True')\"]"
Resources
- Octopus trial
- Mixing Kubernetes Roles, RoleBindings, ClusterRoles, and ClusterBindings
- Service messages
Learn more
If you want to build and deploy containerized applications to AWS platforms such as EKS and ECS, try the Octopus Workflow Builder. The Builder populates a GitHub repository with a sample application built with GitHub Actions workflows and configures a hosted Octopus instance with sample deployment projects demonstrating best practices such as vulnerability scanning and Infrastructure as Code (IaC).
Happy deployments!
