Ansible and k8s: How to get the K8S_AUTH_API_KEY value?
The community.kubernetes collection accepts an api_key parameter whose name may sound a bit confusing. It's actually the token of a service account: an OAuth 2.0 (Bearer) token associated with a user and a secret key. It's rather similar to what we can do with a login and a password.
In this example, we want to run our playbook as the k8sadmin user. We need to find the token associated with that user; what we are actually looking for is a secret. You can list them this way:
[root@kind-vm ~]# kubectl -n kube-system get secret
NAME TYPE DATA AGE
(...)
foobar Opaque 0 5h3m
foobar-token-w8lmt kubernetes.io/service-account-token 3 5h15m
foobar2-token-hpd6f kubernetes.io/service-account-token 3 5h9m
generic-garbage-collector-token-l7hvk kubernetes.io/service-account-token 3 25h
horizontal-pod-autoscaler-token-sssg5 kubernetes.io/service-account-token 3 25h
job-controller-token-dnfds kubernetes.io/service-account-token 3 25h
k8sadmin-token-bklpd kubernetes.io/service-account-token 3 5h40m
(...)
We use the -n parameter to specify the kube-system namespace. Our service account is in the list: its secret is k8sadmin-token-bklpd. We can see the content of the token with this command:
[root@kind-vm ~]# kubectl -n kube-system describe secret k8sadmin-token-bklpd
Name: k8sadmin-token-bklpd
Namespace: kube-system
Labels: <none>
Annotations: kubernetes.io/service-account.name: k8sadmin
kubernetes.io/service-account.uid: 412bf773-ca8e-4afa-a778-dac0f11b7807
Type: kubernetes.io/service-account-token
Data
====
namespace: 11 bytes
token: eyJhbGciO(...)2A
ca.crt: 1066 bytes
Here, you're done. The token is in the command output. You now need to pass its content to Ansible. Just keep in mind that the token needs to remain secret, so it's a good idea to encrypt it with Ansible Vault.
You can use the K8S_AUTH_API_KEY environment variable to pass the token to the k8s_* modules:
$ K8S_AUTH_API_KEY=eyJhbGciO(...)2A ansible-playbook my_playbook.yaml
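Before handing the token to Ansible, it is worth confirming that it really belongs to the k8sadmin account in kube-system, since the bearer token is a JWT whose claims name the service account. The following added Python example (not code from the original post) decodes the claims and checks the subject; the token it uses is a constructed, unsigned sample, not the token from the post, and it also accepts the base64-encoded form shown by kubectl get secret -o yaml.

```python
import base64
import json


def _b64url(raw: bytes) -> str:
    # JWT segments use the URL-safe alphabet with the '=' padding removed.
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    # Restore the padding a JWT segment drops before decoding it.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


# Constructed sample: an unsigned token with the claims a legacy Kubernetes
# service-account token carries. Not the token from the post.
SAMPLE_CLAIMS = {
    "iss": "kubernetes/serviceaccount",
    "kubernetes.io/serviceaccount/namespace": "kube-system",
    "kubernetes.io/serviceaccount/service-account.name": "k8sadmin",
    "sub": "system:serviceaccount:kube-system:k8sadmin",
}
SAMPLE_TOKEN = ".".join([
    _b64url(json.dumps({"alg": "RS256", "kid": "constructed"}).encode()),
    _b64url(json.dumps(SAMPLE_CLAIMS).encode()),
    _b64url(b"fake-signature"),
])
# Same token as `kubectl get secret -o yaml` would show it under data.token.
SAMPLE_TOKEN_B64 = base64.b64encode(SAMPLE_TOKEN.encode()).decode()


def normalize_token(value: str) -> str:
    """Return the raw JWT: `kubectl describe secret` prints it decoded, while
    `kubectl get secret -o yaml` shows it base64-encoded; accept either."""
    value = value.strip()
    if value.count(".") == 2 and value.startswith("eyJ"):
        return value
    try:
        decoded = base64.b64decode(value, validate=True).decode()
    except (ValueError, UnicodeDecodeError) as exc:
        raise ValueError("value is neither a JWT nor a base64-encoded JWT") from exc
    if decoded.count(".") != 2:
        raise ValueError("decoded value is not a JWT")
    return decoded


def token_claims(token: str) -> dict:
    """Decode the claims (payload) of a service-account JWT. The signature is
    not verified here: we only want to see which identity the token names."""
    _header, payload, _signature = normalize_token(token).split(".")
    return json.loads(_b64url_decode(payload))


def check_service_account(token: str, namespace: str, name: str) -> bool:
    """True when the token's subject is the expected service account, so the
    playbook does not silently run as some other account."""
    return token_claims(token).get("sub") == f"system:serviceaccount:{namespace}:{name}"
```

Run check_service_account on the value you are about to put in K8S_AUTH_API_KEY and only proceed if it returns True for the account you intend to use.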
