Setting up Kubernetes service account and ClusterRole

Imagine that after Jenkins successfully builds your application container, you use kubectl to update a deployment and roll out the new binary. To do that, you invoke a kubectl command from inside a Jenkins pod. In this scenario, the pod needs a credential to communicate with the Kubernetes master.

Fortunately, Kubernetes supports this kind of scenario through service accounts, which are described in detail in Chapter 8, Advanced Cluster Administration. This recipe takes the simplest approach: it uses the default namespace and the cluster-admin ClusterRole.

To check whether RBAC is enabled and whether the cluster-admin ClusterRole exists, run the kubectl get clusterrole command:

$ kubectl get clusterrole cluster-admin
NAME            AGE
cluster-admin   42m

Next, create a service account, jenkins-sa, which will be used by the Jenkins pod. Prepare the following YAML configuration, and run the kubectl create command to create it:

$ cat jenkins-serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: jenkins-sa
  namespace: default

$ kubectl create -f jenkins-serviceaccount.yaml
serviceaccount "jenkins-sa" created

Now we can bind the jenkins-sa service account to the cluster-admin ClusterRole. Prepare a ClusterRoleBinding configuration and run the kubectl create command:

$ cat jenkins-cluster-admin.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: jenkins-cluster-admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: jenkins-sa
  namespace: default

$ kubectl create -f jenkins-cluster-admin.yaml
clusterrolebinding.rbac.authorization.k8s.io "jenkins-cluster-admin" created

As a result, any pod launched with the jenkins-sa service account has the privilege to control the Kubernetes cluster, because the service account is bound to the cluster-admin ClusterRole.

Ideally, you should create a custom ClusterRole that has the minimal privileges Jenkins needs. However, this recipe focuses on the Jenkins setup itself. If you want to create a custom ClusterRole, see Chapter 8, Advanced Cluster Administration.
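As a sketch of what minimal privilege could look like for this recipe, the following added example (not from the book) replaces the cluster-admin binding with a namespaced Role and RoleBinding. It assumes the pipeline only updates Deployments in the default namespace; the names jenkins-deployer and jenkins-deployer-binding are hypothetical.

```yaml
# Added example, not the book's configuration.
# Assumption: Jenkins only updates existing Deployments in "default"
# (for example with kubectl set image) and then watches the rollout.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role                      # namespaced, unlike a ClusterRole
metadata:
  name: jenkins-deployer        # hypothetical name
  namespace: default
rules:
# Read and modify Deployments; no create or delete, no access to Secrets.
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "list", "watch", "update", "patch"]
# Read-only access to ReplicaSets so the pipeline can inspect rollout
# progress (assumption about what the pipeline checks).
- apiGroups: ["apps"]
  resources: ["replicasets"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding               # grants the Role inside "default" only
metadata:
  name: jenkins-deployer-binding   # hypothetical name
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: jenkins-deployer
subjects:
- kind: ServiceAccount
  name: jenkins-sa              # the service account created in this recipe
  namespace: default
```

With this binding in place of jenkins-cluster-admin, kubectl auth can-i patch deployments -n default --as=system:serviceaccount:default:jenkins-sa should answer yes, while the same check for get secrets should answer no.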