Produce token based kubeconfig originating from ServiceAccount via kyma cli

[kwiatekus]

Description

Provide a command that produces a kubeconfig file that includes token for a specially created service account that is bound to a cluster-admin role.

Command should (using --kubeconfig):

• create a new service account
• bind sevice account to referred cluster role
• issue a token request or create secret of type kubernetes.io/service-account-token (tutorial)
• return a kubeconfig file where the token is used as user context

Sth like
kyma alpha access --clusterrole={clusterRoleName} --kubeconfig={inputKubeconfig} --output=kubeconfig-sa.yaml --name={my-service-account}, where:

• --name - name of the new SA to be created by kyma cli (mandatory)
• --clusterrole - mandatory - decides which role to bind to the new SA
• --kubeconfig - mandatory (can be consumed from KUBECONFIG env)
• --output - path where to save the output kubeconfig file (optional. if skipped print the kubeconfig (?))
• --namespace - optional (by default create service account in default namespace)
• --time - optional (by deafult grant access for 1h); accepts integer in hours or days. For example --time 3h or --time 2d
• --permanent- optional; Creates an access token based on secret without any time limit

Similar future exists in kyma dashboard on service account detail view

Reasons
It doesn't yet solve getting a kubeconfig for a freshly created cluster in automated way, but it reduces effort of manual configuration for the time until we finally solve the problem. Kyma users are forced to do it (see example) until there is a real solution

Attachments