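# Create a read-only "guest" identity: a service account, its RBAC, and a
# token Secret for it.
# NOTE(review): `k` is presumably the author's alias for kubectl -- confirm.
# The bindings below name the subject default:guest, so this assumes the
# current context's namespace is `default`.
k create sa guest

# create RBAC for it
# These are ClusterRoleBindings, so the guest can read in every namespace.
# The built-in `view` ClusterRole does not grant access to Secrets; if guests
# only need a single namespace, namespaced RoleBindings are the tighter choice.
k create clusterrolebinding guest-reads --clusterrole view --serviceaccount default:guest

# Extra read-only roles for the KEDA and OpenTelemetry custom resources
# (presumably not covered by `view` on this cluster -- verify).
k create clusterrole so-reader --verb=get,list,watch --resource=scaledobjects.keda.sh
k create clusterrolebinding guest-reads-so --clusterrole so-reader --serviceaccount default:guest
k create clusterrole otelcol-reader --verb=get,list,watch --resource=opentelemetrycollectors.opentelemetry.io
k create clusterrolebinding guest-reads-otelcol --clusterrole otelcol-reader --serviceaccount default:guest

# A Secret of type kubernetes.io/service-account-token carries a long-lived
# token that does not expire on its own; it stays valid until this Secret (or
# the service account) is deleted. For time-limited access,
# `kubectl create token guest --duration=...` issues an expiring token instead.
# The nesting under metadata/annotations is required for the manifest to parse
# as intended.
k apply -f - <<'EOF'
apiVersion: v1
kind: Secret
metadata:
  name: guest-secret
  annotations:
    kubernetes.io/service-account.name: guest
type: kubernetes.io/service-account-token
EOF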
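# to invalidate the kubeconfig, just delete the secret ^
# (deleting guest-secret is the revocation path for the token embedded below)

# Pull the cluster CA and the bearer token out of the Secret.
# `base64 --decode` works with both GNU and macOS base64; `-D` is macOS-only.
# `// empty` makes jq print nothing instead of the string "null" when the
# field is missing.
k get secret guest-secret -o json | jq -r '.data["ca.crt"] // empty' | base64 --decode > ca.crt
token=$(k get secret guest-secret -o json | jq -r '.data["token"] // empty' | base64 --decode)

# The token field is filled in by the control plane after the Secret is
# created, so it can be missing for a moment; stop here rather than write a
# kubeconfig with an empty credential.
: "${token:?guest-secret has no token yet; retry in a moment}"

# Look up the cluster name and API endpoint of the current (admin) context.
ctx=$(k config current-context)
# Column 3 of `get-contexts` is CLUSTER; tail drops the header row.
name=$(k config get-contexts "${ctx}" | awk '{print $3}' | tail -n 1)
endpoint=$(k config view -o jsonpath="{.clusters[?(@.name == \"${name}\")].cluster.server}")

# From here on every `k config` call writes to the new guest kubeconfig, not
# to the admin one.
export KUBECONFIG="${HOME}/${name}.kubeconfig"
k config set-cluster "${name}" \
  --embed-certs=true \
  --server="${endpoint}" \
  --certificate-authority=./ca.crt

# NOTE(review): the token is passed on the command line here, so it can show
# up in shell history, `set -x` traces and process listings on shared hosts.
k config set-credentials guest --token="${token}"
k config set-context "${name}" \
  --cluster="${name}" \
  --user=guest \
  --namespace=default
k config use-context "${name}"

# The file now embeds a clear-text bearer token: keep it owner-only and hand
# it over through a channel you would trust with a password.
chmod 600 "${KUBECONFIG}"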
cat ${KUBECONFIG}

This is not going to fly with GCP clusters created using the gcloud CLI (gcloud beta container clusters create ..), because these need to use their auth plugin when talking to clusters. The cluster was created using Cluster API and the CAPG provider, using these manifests: https://github.com/jkremser/kubecon-2025-eu/tree/main/infra/gcp