This post demonstrates how to properly generate kubeconfig files for OpenShift ServiceAccounts, enabling secure token-based authentication and TLS connections. You will learn how to create ServiceAccounts, generate time-limited tokens, bundle CA certificates, and package everything into a distributable kubeconfig file that can be stored as a Secret for download.

Creating a Kubeconfig for OpenShift ServiceAccounts

As an admin, you can generate kubeconfig files for your users to leverage with their ServiceAccounts. Here are the detailed steps. 🚶

Prerequisites

• 🔧 Establish some default values

export API_SERVER='api.agent.lab.bewley.net:6443'
export SERVICE_ACCOUNT='demo-sa'
export KUBECONFIG_SA="kubeconfig-$SERVICE_ACCOUNT"
export NAMESPACE='demo-kubeconfig'
export DURATION='1h'

• 💻 Login to the cluster as admin (See how I manage my kubeconfigs)

source ~/.kube/ocp/agent/.env
echo $KUBECONFIG
/Users/dale/.kube/ocp/agent/kubeconfig

oc config current-context
default/api-agent-lab-bewley-net:6443/system:admin

oc whoami
system:admin

• 🔑 Gather the API CA certificate

export API_CERT=$(oc get secret  loadbalancer-serving-signer \
                    -n openshift-kube-apiserver-operator \
                    -o jsonpath='{.data.tls\.crt}' | base64 -d)

• 🔑 Gather the ingress CA certificate

export INGRESS_CERT=$(oc get secret router-ca \
                        -n openshift-ingress-operator \
                        -o jsonpath='{.data.tls\.crt}' | base64 -d)

• 🔑 save the certificates to a bundle

cat <<EOF > ca-bundle.crt
$API_CERT
$INGRESS_CERT
EOF

• ✅ You may use curl to verify the CA for API

curl --cacert ./ca-bundle.crt https://$API_SERVER/healthz 
ok%  

📝 Pro Tip Viewing CA certificate details

You may use the openssl x509 command to examine certificate details like expiration dates.

$ echo $API_CERT | openssl x509 -noout -dates -issuer -subject
notBefore=Mar 17 20:50:37 2025 GMT
notAfter=Mar 15 20:50:37 2035 GMT
issuer=OU=openshift, CN=kube-apiserver-lb-signer
subject=OU=openshift, CN=kube-apiserver-lb-signer
#
$ echo $INGRESS_CERT | openssl x509 -noout -dates -issuer -subject 
notBefore=Mar 17 21:39:50 2025 GMT
notAfter=Mar 17 21:39:51 2027 GMT
issuer=CN=ingress-operator@1742247591
subject=CN=ingress-operator@1742247591

Creating a ServiceAccount and Token

• 🔧 Create a new project and avoied adding the new context to our current $KUBECONFIG

oc new-project $NAMESPACE\
 --display-name='Demo SA Kubeconfig Mgmt'\
 --description='See https://github.com/dlbewley/demo-kubeconfig'\
 --skip-config-write

• 🤖 Create a service account

oc create serviceaccount $SERVICE_ACCOUNT -n $NAMESPACE

⚠️ Caution Tokens are copyable keys! Your cluster can be accessed just by having a copy of the token. You might consider setting an expiration date by using the --duration option when generating tokens.

• 🔑 Create a token for the service account that lasts for a limited duration

export TOKEN=$(oc create token -n $NAMESPACE $SERVICE_ACCOUNT --duration=$DURATION)

📝 Pro Tip If you are curious to see the JWT token contents try this:

echo $TOKEN | cut -d '.' -f2 | base64 -d | jq                   
{
  "aud": [
    "https://kubernetes.default.svc"
  ],
  "exp": 1744146844,
  "iat": 1744143244,
  "iss": "https://kubernetes.default.svc",
  "jti": "e4510577-5955-4eb4-9f97-dec4f0e6dc34",
  "kubernetes.io": {
    "namespace": "demo-kubeconfig",
    "serviceaccount": {
      "name": "demo-sa",
      "uid": "73a74060-e67d-4b1a-ad56-e92227732d53"
    }
  },
  "nbf": 1744143244,
  "sub": "system:serviceaccount:demo-kubeconfig:demo-sa"
}
TS_ISSUED=$(echo $TOKEN | cut -d '.' -f2 | base64 -d | jq '.iat')
TS_EXPIRATION=$(echo $TOKEN | cut -d '.' -f2 | base64 -d | jq '.exp')

# view the issued and expiry times
date -r $TS_EXPIRATION # on MacOS
Tue Apr  8 14:14:04 PDT 2025
# date -d @$TS_EXPIRATION # on Linux

Generating a Kubeconfig

Logging into a cluster for the first time will create a kubeconfig file. By default this will be at the location defined in ~/.kube/config or the value found in the optional $KUBECONFIG environment variable.

• 🔧 Create kubeconfig file for $SERVICE_ACCOUNT in $NAMESPACE and avoid insecure connection by referencing the CA bundle created above

oc login --server=$API_SERVER \
  --token=$TOKEN \
  --certificate-authority=./ca-bundle.crt \
  --kubeconfig=$KUBECONFIG_SA

• 🔑 Insert the ca-bundle.crt into the kubeconfig file

oc config set-cluster $API_SERVER --embed-certs --certificate-authority=./ca-bundle.crt \
  --server https://$API_SERVER --kubeconfig="$KUBECONFIG_SA"

• ✅ Verify that using the kubeconfig file works

oc whoami --kubeconfig=$KUBECONFIG_SA
system:serviceaccount:demo-kubeconfig:demo-sa

# 🔒 the service account will have limited permissions until RBAC is configured"
oc get sa --kubeconfig=$KUBECONFIG_SA
Error from server (Forbidden): serviceaccounts is forbidden:...

The permissions of the serviceaccount may need to be adjusted through the application of RBAC, but you can now distribute the kubeconfig.

Storing the Generated Kubeconfig in a Secret

The kubeconfig file may now be placed into a Secret where it can be downloaded from the OpenShift console or with the oc extract command.

oc create secret -n $NAMESPACE generic $KUBECONFIG_SA \
   --from-file=kubeconfig=$KUBECONFIG_SA
secret/kubeconfig-demo-sa created

oc describe secrets/$KUBECONFIG_SA -n $NAMESPACE
Name:         kubeconfig-demo-sa
Namespace:    demo-kubeconfig
Labels:       <none>
Annotations:  <none>

Type:  Opaque

Data
====
kubeconfig:  5191 bytes

Demo

Demo (source): Enabling OpenShift Service Accounts to use Token Authentication in Kubeconfigs

📺 ASCII Screencast

Setup bridge & network attachment, create VMs, test networking, and cleanup.

References

• Oc Token Creation - OpenShift Documentation
• Demo Script
• Demo Repo
• How to create kubeconfig for a certain serviceaccount - Red Hat KCS
• Unable to get ServiceAccount token in OpenShift 4 - Red Hat KCS
• OpenShift RFE to Add Download from Console

See also:

• Storing OpenShift Credentials with 1Password
• Extracting TLS CA Certificates from Kubeconfig File