-
Notifications
You must be signed in to change notification settings - Fork 0
[K8S] SERVICE ACCOUNT RBAC FOR CICD DEPLOYMENT
fourslickz edited this page Jun 27, 2026
·
1 revision
Membuat akun khusus (ServiceAccount) yang hanya memiliki hak akses
untuk melakukan deployment aplikasi ke namespace tertentu, kemudian
membuat kubeconfig yang aman untuk digunakan oleh Jenkins.
Arsitektur:
Jenkins
│
│ kubeconfig
▼
ServiceAccount (cicd-deployer)
│
▼
Role
│
▼
RoleBinding
│
▼
Kubernetes API
Jika namespace belum ada:
kubectl create namespace ayo-pramukaCek:
kubectl get nsserviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: cicd-deployer
namespace: ayo-pramukaApply:
kubectl apply -f serviceaccount.yamlVerifikasi:
kubectl get sa -n ayo-pramukaContoh output:
NAME AGE
cicd-deployer 35s
default 81d
Pada Kubernetes 1.24+, token tidak lagi dibuat otomatis sehingga ini adalah kondisi normal.
role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: cicd-deployer
namespace: ayo-pramuka
rules:
- apiGroups: [""]
resources:
- pods
- pods/log
- services
- endpoints
- configmaps
- secrets
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups: ["apps"]
resources:
- deployments
- replicasets
- statefulsets
- daemonsets
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups: ["autoscaling"]
resources:
- horizontalpodautoscalers
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups: ["batch"]
resources:
- jobs
- cronjobs
verbs:
- get
- list
- watch
- create
- update
- patch
- deleteApply:
kubectl apply -f role.yamlrolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: cicd-deployer
namespace: ayo-pramuka
subjects:
- kind: ServiceAccount
name: cicd-deployer
namespace: ayo-pramuka
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: cicd-deployerApply:
kubectl apply -f rolebinding.yamlHarus diizinkan:
kubectl auth can-i create deployment \
--as=system:serviceaccount:ayo-pramuka:cicd-deployer \
-n ayo-pramukaOutput:
yes
Harus ditolak:
kubectl auth can-i get nodes \
--as=system:serviceaccount:ayo-pramuka:cicd-deployerOutput:
no
kubectl create token cicd-deployer -n ayo-pramukaOpsional meminta durasi lebih panjang:
kubectl create token cicd-deployer \
-n ayo-pramuka \
--duration=8760hCatatan: Pada managed Kubernetes seperti DigitalOcean Kubernetes, durasi maksimum tetap mengikuti kebijakan control plane.
Server API:
kubectl config view --minify \
-o jsonpath='{.clusters[0].cluster.server}'CA Certificate:
kubectl config view --raw --minify \
-o jsonpath='{.clusters[0].cluster.certificate-authority-data}'apiVersion: v1
kind: Config
clusters:
- name: production
cluster:
server: https://YOUR_CLUSTER_ENDPOINT
certificate-authority-data: YOUR_CA_DATA
users:
- name: cicd
user:
token: YOUR_SERVICEACCOUNT_TOKEN
contexts:
- name: production
context:
cluster: production
namespace: ayo-pramuka
user: cicd
current-context: productionexport KUBECONFIG=./kubeconfig.yaml
kubectl get podsCoba akses yang tidak diizinkan:
kubectl get nodesHasil yang diharapkan:
Error from server (Forbidden)
- Manage Jenkins
- Credentials
- Add Credentials
- Kind: Secret file
- Upload
kubeconfig.yaml
Contoh penggunaan di Jenkinsfile:
withCredentials([
file(credentialsId: 'kubeconfig-production', variable: 'KUBECONFIG')
]) {
sh '''
kubectl apply -f k8s/
kubectl rollout status deployment/api -n ayo-pramuka
'''
}- Gunakan satu ServiceAccount untuk setiap environment (
dev,staging,production). - Jangan gunakan kubeconfig administrator untuk CI/CD.
- Simpan kubeconfig sebagai Jenkins Secret File.
- Terapkan prinsip least privilege pada RBAC.
- Backup Jenkins secara terenkripsi karena credential disimpan di
$JENKINS_HOME.