After a research and try and failure, I found another way to do it, without messing around with shell scripts.
You just need to apply the following to Kubernetes, It will create a ServiceAccount and bind it to a custom Role, that role will have the permissions to create/delete deployments and pods (tweak it for services permissions).
deploy-robot-conf.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: deploy-robot
automountServiceAccountToken: false
---
apiVersion: v1
kind: Secret
metadata:
name: deploy-robot-secret
annotations:
kubernetes.io/service-account.name: deploy-robot
type: kubernetes.io/service-account-token
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: deploy-robot-role
namespace: default
rules: # ## Customize these to meet your requirements ##
- apiGroups: ["apps"]
resources: ["deployments"]
verbs: ["create", "delete"]
- apiGroups: [""]
resources: ["pods"]
verbs: ["create", "delete"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: global-rolebinding
namespace: default
subjects:
- kind: ServiceAccount
name: deploy-robot
namespace: default
roleRef:
kind: Role
name: deploy-robot-role
apiGroup: rbac.authorization.k8s.io
This will have the minimum permissions needed for Azure DevOps be able to deploy to the cluster.
Note: Please tweak the rules at the role resource to meet your need, for instance services resources permissions.
Then go to your release and create a Kubernetes Service Connection:
Fill the boxes, and follow the steps required to get your secret from the service account, remember that is deploy-robot if you didn't change the yaml file.
And then just use your Kubernetes Connection:
与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
