@kayoch1n
Forked from mikamboo/README.md
Last active February 21, 2026 03:54
Kubernetes : Create Service Account with permission for a specific namespace + Generate KUBECONFIG

Create KUBECONFIG limited to specific namespace

  • create_user_for_namespace.sh: Create $namespace-admin ServiceAccount with full access to specified namespace and get KUBECONFIG

Usage

```
./create_user_for_namespace.sh YOUR_FANCY_NAMESPACE
```

Use the generated kubeconfig to verify that it works: pods in the target namespace are listed, while the same request against `kube-system` is rejected by RBAC.

```console
ubuntu@VM-32-15-ubuntu:~$ KUBECONFIG=/home/ubuntu/kubeconfig-k8st-user-2026-02-21-113932 kubectl get po -n k8st
NAME               READY   STATUS    RESTARTS   AGE
redis-0            1/1     Running   0          20h
redis-1            1/1     Running   0          20h
redis-2            1/1     Running   0          20h
redis-sentinel-0   1/1     Running   0          20h
redis-sentinel-1   1/1     Running   0          20h
redis-sentinel-2   1/1     Running   0          20h
ubuntu@VM-32-15-ubuntu:~$ KUBECONFIG=/home/ubuntu/kubeconfig-k8st-user-2026-02-21-113932 kubectl get po -n kube-system
Error from server (Forbidden): pods is forbidden: User "system:serviceaccount:k8st:k8st-admin" cannot list resource "pods" in API group "" in the namespace "kube-system"
ubuntu@VM-32-15-ubuntu:~$ 
```
create_user_for_namespace.sh

```bash
#!/bin/bash
#
# Script to create user with permission for a specific namespace.
# Script based on https://jeremievallee.com/2018/05/28/kubernetes-rbac-namespace-user.html
#
# In honor of the remarkable Windson
set -eu

namespace=${1:-}
username=$namespace-admin

if [[ -z "$namespace" ]]; then
  echo "Usage: $(basename "$0") NAMESPACE"
  exit 1
fi

# ServiceAccount, a namespaced Role granting full access, and the RoleBinding that
# ties them together. Because the Role is namespaced, the binding cannot grant
# anything outside $namespace (cluster-scoped resources such as nodes stay denied).
kubectl apply -f - <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: $username
  namespace: $namespace
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: $username-full-access
  namespace: $namespace
rules:
  - apiGroups: ['', 'extensions', 'apps']
    resources: ['*']
    verbs: ['*']
  - apiGroups: ['batch']
    resources:
      - jobs
      - cronjobs
    verbs: ['*']
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: $username-full-access
  namespace: $namespace
subjects:
  - kind: ServiceAccount
    name: $username
    namespace: $namespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: $username-full-access
EOF

# Bound ServiceAccount token via the TokenRequest API; 8760h is one year.
# The API server may cap the lifetime at its --service-account-max-token-expiration.
token=$(kubectl create token "$username" --duration=8760h -n "$namespace")

# Cluster details are read from the first cluster entry of the current kubeconfig.
certificate=$(kubectl config view --flatten --raw -o jsonpath='{.clusters[0].cluster.certificate-authority-data}')
server_url=$(kubectl config view --flatten --raw -o jsonpath='{.clusters[0].cluster.server}')
server_name=$(kubectl config view --flatten --raw -o jsonpath='{.clusters[0].name}')

kubeconfig=kubeconfig-${namespace}-user-$(date '+%F-%H%M%S')
current_context=${username}@${server_name}

# The user entry authenticates with the bearer token only. The CA certificate belongs
# to the cluster entry; it is not a client key, so no client-key-data is written.
cat > "$kubeconfig" <<EOF
apiVersion: v1
clusters:
  - cluster:
      certificate-authority-data: $certificate
      server: $server_url
    name: $server_name
contexts:
  - context:
      cluster: $server_name
      namespace: $namespace
      user: $username
    name: ${current_context}
current-context: ${current_context}
kind: Config
preferences: {}
users:
  - name: $username
    user:
      token: $token
EOF

echo "$username's kubeconfig was created into $(pwd)/$kubeconfig"
echo "If you want to test execute this command \`KUBECONFIG=$(pwd)/$kubeconfig kubectl get po\`"
```
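As an added check that is not part of the gist, the following bash script extends the README's `kubectl get po` verification into a small RBAC audit of the generated kubeconfig. It runs `kubectl auth can-i` against a constructed list of expectations: the ServiceAccount should be able to list pods, create deployments and read secrets inside its own namespace (the `full-access` Role covers secrets too, which is worth knowing before handing the file out), and should be denied in `kube-system` and for cluster-scoped resources such as nodes, namespaces and ClusterRoleBindings. The expectation list, the function names and the `kubectl` binary on PATH are assumptions; the audit's exit status is the number of mismatches, so `0` means the kubeconfig is scoped as intended.

```shell
#!/usr/bin/env bash
# Added example: audit the blast radius of a kubeconfig produced by
# create_user_for_namespace.sh. Assumes kubectl is on PATH and that the
# kubeconfig path and the target namespace are passed as arguments.
set -eu

# Constructed expectation list. Format: "<namespace|SELF|-> <verb> <resource> <yes|no>".
# SELF is replaced by the audited namespace; "-" means cluster scope (no -n flag).
checks() {
  cat <<'EOF'
SELF list pods yes
SELF create deployments.apps yes
SELF get secrets yes
kube-system list pods no
kube-system get secrets no
- list nodes no
- list namespaces no
- create clusterrolebindings.rbac.authorization.k8s.io no
EOF
}

# can_i KUBECONFIG NAMESPACE VERB RESOURCE -> prints "yes" or "no".
# kubectl auth can-i exits 1 when the answer is "no", hence the "|| true".
can_i() {
  local kubeconfig=$1 ns=$2 verb=$3 resource=$4 out
  if [ "$ns" = "-" ]; then
    out=$(KUBECONFIG="$kubeconfig" kubectl auth can-i "$verb" "$resource" 2>/dev/null || true)
  else
    out=$(KUBECONFIG="$kubeconfig" kubectl auth can-i "$verb" "$resource" -n "$ns" 2>/dev/null || true)
  fi
  case "$out" in
    yes*) echo yes ;;
    *)    echo no ;;
  esac
}

# audit_kubeconfig KUBECONFIG NAMESPACE -> prints one line per check and
# returns the number of mismatches (0 = scoped exactly as expected).
audit_kubeconfig() {
  local kubeconfig=$1 namespace=$2 ns verb resource expected actual failures=0
  while read -r ns verb resource expected; do
    if [ "$ns" = "SELF" ]; then ns=$namespace; fi
    actual=$(can_i "$kubeconfig" "$ns" "$verb" "$resource")
    if [ "$actual" = "$expected" ]; then
      printf 'ok    %-12s %-6s %-48s %s\n' "$ns" "$verb" "$resource" "$actual"
    else
      printf 'FAIL  %-12s %-6s %-48s got %s, expected %s\n' "$ns" "$verb" "$resource" "$actual" "$expected"
      failures=$((failures + 1))
    fi
  done <<EOF
$(checks)
EOF
  return "$failures"
}

# Usage: ./audit_kubeconfig.sh ./kubeconfig-k8st-user-... k8st
if [ "$#" -ge 2 ]; then
  audit_kubeconfig "$1" "$2"
fi
```

Run it right after the generation script against the new file; a non-zero exit means either the RoleBinding landed somewhere unexpected or the ServiceAccount has picked up additional bindings (for example through a group such as `system:serviceaccounts`), which is exactly what a reviewer wants flagged before the token is handed over.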