Alauda DevOps Pipelines Docs
  • English

    • Prepare Cluster Access Credential

    This guide shows you how to create a cluster access credential that help you run your Tekton Tasks and Pipelines.

    TOC

    PrerequisitesStepsOption 1: Create a Kubeconfig SecretOption 2: Create a ServiceAccount with RBAC

    Prerequisites

    • kubectl installed and configured to access the cluster.
    • Permissions to read and write Secrets.

    Steps

    Option 1: Create a Kubeconfig Secret

    Provide a kubeconfig with a context that has the right cluster/permissions.

    Keep this kubeconfig minimal (only the context you need). Rotate regularly and scope RBAC tightly.

    You can use the following command to generate a Secret that contains the kubeconfig file. Replace /path/to/kubeconfig with the actual path to your kubeconfig file.

    kubectl -n <target-namespace> create secret generic <kubeconfig-secret-name> --from-file=kubeconfig=/path/to/kubeconfig
    apiVersion: v1
kind: Secret
metadata:
  name: <kubeconfig-secret-name>
  namespace: <target-namespace>
type: Opaque
stringData:
  kubeconfig: |
    # paste a minimal kubeconfig here (with correct context)

    Option 2: Create a ServiceAccount with RBAC

    Use a dedicated ServiceAccount. Bind only the permissions your charts need.

    When to use which scope?

    • Namespaced scope (Role + RoleBinding) — use when your charts manage resources only in one namespace (typical app rollouts).
    • Cluster scope (ClusterRole + ClusterRoleBinding) — required if your charts create cluster-scoped resources (e.g., CRDs, webhooks, ClusterRoles, StorageClasses) or operate across multiple namespaces.

    tips: start with the namespaced Role; grant cluster-scope only when strictly required.

    apiVersion: v1
kind: ServiceAccount
metadata:
  name: <service-account-name>
  namespace: <target-namespace>
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: <role-name>
  namespace: <target-namespace>
rules:
  # Replace with your resources
  - apiGroups: ["apps"]
    resources: ["deployments", "statefulsets", "daemonsets", "replicasets"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: <role-binding-name>
  namespace: <target-namespace>
subjects:
  - kind: ServiceAccount
    name: <service-account-name>
    namespace: <target-namespace>
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: <role-name>