Creating a Kubeconfig with Limited Permissions

Create a limited kubeconfig for internal use

Creating a full-access Kubeconfig for your Kubernetes cluster is simple—but not always the most secure approach. In many cases, especially when working with automation, CI/CD pipelines, or giving access to external services, it’s better to generate a more restricted Kubeconfig tailored to specific needs.

In this post, I’ll show you how to create a Kubeconfig with limited permissions, ideal for scenarios where you want to allow just enough access to restart workloads like Pods, Deployments, or StatefulSets—without exposing your entire cluster.

🛡️ Tip: Limit the kubeconfig as much as you can!

Prerequisites

Before getting started, make sure you have:

  • Access to a Kubernetes cluster with admin privileges.
  • kubectl installed and configured.
  • A namespace (or namespaces) where the limited user will operate.

Step 1: Create the ServiceAccount

Create a ServiceAccount that will be used to generate the Kubeconfig.

apiVersion: v1
kind: ServiceAccount
metadata:
  name: restart-bot
  namespace: home-assistant

Step 2: Create the ClusterRole

Create the role. It grants only what a rollout restart of Deployments and StatefulSets needs: the get and patch verbs on those two resources, nothing else.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: restart-any-workload
rules:
  - apiGroups: ["apps"]
    resources:
      - deployments
      - statefulsets
    verbs: ["get", "patch"]

Step 3: Create the RoleBinding

Bind the ClusterRole with a namespaced RoleBinding: its rules then apply only inside the home-assistant namespace, not cluster-wide.

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: restart-binding
  namespace: home-assistant
subjects:
  - kind: ServiceAccount
    name: restart-bot
    namespace: home-assistant
roleRef:
  kind: ClusterRole
  name: restart-any-workload
  apiGroup: rbac.authorization.k8s.io

Step 4: Create the token for the ServiceAccount

apiVersion: v1
kind: Secret
metadata:
  name: restart-bot-token
  namespace: home-assistant
  annotations:
    kubernetes.io/service-account.name: restart-bot
type: kubernetes.io/service-account-token

Step 5: Build your KubeConfig

  • certificate-authority-data: copy the value from your original KubeConfig.
  • token: the value stored in the restart-bot-token Secret created before, base64-decoded.

Fill in both values and build the file:

apiVersion: v1
kind: Config
clusters:
- name: your-cluster
  cluster:
    server: https://cluster-ip:6443
    certificate-authority-data: <your original certificate>
users:
- name: restart-bot-ha
  user:
    token: <your token>
contexts:
- name: restart-bot-ha-context
  context:
    cluster: your-cluster
    user: restart-bot-ha
    namespace: home-assistant
current-context: restart-bot-ha-context

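The whole procedure as a script, added here as an example and not part of the original post: it assembles the kubeconfig above from the admin kubeconfig and the decoded ServiceAccount token, then checks the effective permissions with kubectl auth can-i. Names follow the post (restart-bot, home-assistant, restart-bot-token); the output file name restart-bot.kubeconfig and the --apply switch are assumptions.

```shell
# Pure text assembly, no cluster needed. Args: server URL, CA data (base64), token, namespace.
build_kubeconfig() {
  cat <<EOF
apiVersion: v1
kind: Config
clusters:
- name: your-cluster
  cluster:
    server: $1
    certificate-authority-data: $2
users:
- name: restart-bot-ha
  user:
    token: $3
contexts:
- name: restart-bot-ha-context
  context:
    cluster: your-cluster
    user: restart-bot-ha
    namespace: $4
current-context: restart-bot-ha-context
EOF
}

# The Secret stores the token base64-encoded; the kubeconfig needs the decoded JWT.
decode_secret_token() { printf '%s' "$1" | base64 -d; }

# Prints the expected answer next to the real one so a mismatch stands out.
check_can_i() {  # $1 kubeconfig, $2 expected yes|no, rest: auth can-i args
  cfg=$1; want=$2; shift 2
  got=$(kubectl --kubeconfig="$cfg" auth can-i "$@" 2>/dev/null || true)
  echo "can-i $* -> got=$got want=$want"
}

# Cluster-dependent part: run as `sh thisfile.sh --apply` once Steps 1-4 are applied.
make_and_verify() {
  admin=${KUBECONFIG:-$HOME/.kube/config}
  server=$(kubectl --kubeconfig="$admin" config view --minify --raw -o jsonpath='{.clusters[0].cluster.server}')
  ca=$(kubectl --kubeconfig="$admin" config view --minify --raw -o jsonpath='{.clusters[0].cluster.certificate-authority-data}')
  raw=$(kubectl --kubeconfig="$admin" -n home-assistant get secret restart-bot-token -o jsonpath='{.data.token}')
  # Alternative (Kubernetes 1.24+): an expiring token instead of the long-lived Secret:
  #   kubectl -n home-assistant create token restart-bot --duration=1h
  build_kubeconfig "$server" "$ca" "$(decode_secret_token "$raw")" home-assistant > restart-bot.kubeconfig
  chmod 600 restart-bot.kubeconfig
  check_can_i restart-bot.kubeconfig yes patch deployments -n home-assistant
  check_can_i restart-bot.kubeconfig no delete deployments -n home-assistant
  check_can_i restart-bot.kubeconfig no get pods -n kube-system
}

if [ "${1:-}" = "--apply" ]; then make_and_verify; fi
```

Anything other than yes / no / no in the three checks means the RBAC is wider or narrower than intended.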
You are Done! 🚀

This post is licensed under CC BY 4.0 by the author.