Creating Kubernetes Service Accounts and Kubeconfigs for Anonymization Cluster

Steps to create a Kubernetes service account and the role-based access control (RBAC) configuration.

A service account in the anonymization namespace is granted either namespace-scoped permissions (a Role and a RoleBinding) or, optionally, cluster-wide permissions (a ClusterRoleBinding to the built-in cluster-admin ClusterRole). These permissions allow whoever holds the service account's token to create, read, update, and delete objects in the anonymization namespace or, with the cluster-wide option, anywhere in the anonymization Kubernetes cluster. A kubeconfig that carries the token is required to act as the service account.

In this section, you create a Kubernetes service account and the role-based access control (RBAC) configuration manually using kubectl.

Ensure that the user running these steps has permissions to create and update the following resources in the Kubernetes cluster:

  • Kubernetes Service Accounts

  • Kubernetes Roles and RoleBindings

  • Optional: Kubernetes ClusterRoleBindings, only if you choose the cluster-wide option. Kubernetes does not let a user grant permissions that the user does not already hold, so binding the cluster-admin ClusterRole requires that you already have those permissions yourself (or the bind verb on that ClusterRole).

  • Use the steps provided in the following link to create the service account and grant it the required permissions in the cluster.
    Creating the Service Account

  • Complete the steps provided in the following link to retrieve the tokens for the Protegrity Anonymization API service account and to create a kubeconfig with access to the service account.
    Obtaining the Tokens for the Service Account

Obtaining the Tokens for the Service Account

Complete the steps provided in this section to retrieve the token for the Protegrity Anonymization API service account and to create a kubeconfig that authenticates as the service account.

  1. Open a command line interface on the base machine for running the configuration commands.

    Note: A copy of the commands is available in the kubconfigcmd.txt file in the rbac directory of the Protegrity Anonymization API package. Use the commands from that file.

  2. Set the environment variables for running the configuration commands using the following command.

    SERVICE_ACCOUNT_NAME=anon-service-account
    CONTEXT=$(kubectl config current-context)
    NAMESPACE=anon-namespace
    NEW_CONTEXT=anon-context
    
    # Name of the token Secret that Kubernetes attached to the service account
    SECRET_NAME=$(kubectl get serviceaccount ${SERVICE_ACCOUNT_NAME} -n ${NAMESPACE} --context ${CONTEXT} -o jsonpath='{.secrets[0].name}')
    # The token is stored base64-encoded in the Secret's data.token field
    TOKEN_DATA=$(kubectl get secret ${SECRET_NAME} -n ${NAMESPACE} --context ${CONTEXT} -o jsonpath='{.data.token}')
    TOKEN=$(echo ${TOKEN_DATA} | base64 -d)
    

    Note: Ensure that you use the appropriate values as per your configuration in the above commands.

    Note: On Kubernetes 1.24 and later, a token Secret is no longer created automatically for a service account, so SECRET_NAME and TOKEN come back empty. In that case, either create a Secret of type kubernetes.io/service-account-token annotated with kubernetes.io/service-account.name for the service account and rerun the commands above, or mint a short-lived token with kubectl create token. Confirm that TOKEN is not empty before continuing; an empty token is silently written into the kubeconfig otherwise.

  3. Set the token in the config credentials using the following command. The token is written in plain text into the kubeconfig file currently in use, so keep that file readable by its owner only.

    kubectl config set-credentials <username> --token=$TOKEN
    

    For example,

    kubectl config set-credentials test-user --token=$TOKEN
    
  4. Retrieve the cluster name using the following command.

    kubectl config get-clusters
    
  5. Set the context in kubeconfig using the following command, where <username> is the name you set in step 3 (test-user in the example).

    kubectl config set-context ${NEW_CONTEXT} --cluster=<name of your cluster> --user=<username>
    
  6. Set the current context to use the new anonymization context using the following command.

    kubectl config use-context ${NEW_CONTEXT}
    
  7. Verify the new context using the following command.

    kubectl config current-context
    
  8. Verify the status of the pods using the following command. Because the current context now authenticates with the service account token, a successful listing confirms that both the token and its RBAC grant work.

    kubectl get pods -n <namespace>
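
The steps above add the token to whatever kubeconfig the base machine already uses and never check what the token actually is. The following script is an added example (not part of the Protegrity package or its kubconfigcmd.txt) that does both checks a practitioner would want: it decodes the token's payload to confirm the subject is the expected service account in the expected namespace, refuses an empty token (the usual symptom on Kubernetes 1.24+, where no token Secret is auto-created), and writes a separate mode-0600 kubeconfig instead of mixing the token into the admin's file. The namespace, service account and context names follow the page; the cluster name, server URL, CA data and user name are placeholders, and the fake_jwt helper produces a constructed, unsigned token for offline testing only.

```sh
#!/bin/sh
# Added example, not part of the Protegrity package: build a standalone
# kubeconfig for a service-account token and check the token's identity
# before trusting it. Namespace, service account and context names follow
# the page; cluster name, server URL, CA data and user are placeholders.
set -eu

# Decode one base64url segment of a JWT, restoring the padding JWTs strip.
b64url_decode() {
  s=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#s} % 4 )) in
    2) s="${s}==" ;;
    3) s="${s}=" ;;
  esac
  printf '%s' "$s" | base64 -d
}

# Print the "sub" claim of a service-account token, e.g.
# system:serviceaccount:anon-namespace:anon-service-account.
# This parses only; signature verification is the API server's job.
jwt_sub() {
  b64url_decode "$(printf '%s' "$1" | cut -d. -f2)" \
    | sed -n 's/.*"sub":"\([^"]*\)".*/\1/p'
}

# Fail unless the token is non-empty and belongs to NAMESPACE/SERVICE_ACCOUNT.
# On Kubernetes 1.24+ no token Secret is auto-created, so the page's
# .secrets[0].name lookup yields an empty TOKEN; this catches that.
check_token() {  # $1 token, $2 namespace, $3 service account
  [ -n "$1" ] || { echo "token is empty" >&2; return 1; }
  want="system:serviceaccount:$2:$3"
  got=$(jwt_sub "$1")
  [ "$got" = "$want" ] || { echo "token subject '$got' != '$want'" >&2; return 1; }
}

# Write a self-contained, mode-0600 kubeconfig rather than adding the token
# to ~/.kube/config, so the admin context never shares a file with it.
write_kubeconfig() {  # $1 file, $2 cluster, $3 server, $4 CA b64, $5 user, $6 token, $7 context, $8 namespace
  [ -n "$6" ] || { echo "refusing to write a kubeconfig with an empty token" >&2; return 1; }
  ( umask 077; cat > "$1" <<EOF
apiVersion: v1
kind: Config
clusters:
- name: $2
  cluster:
    server: $3
    certificate-authority-data: $4
users:
- name: $5
  user:
    token: $6
contexts:
- name: $7
  context:
    cluster: $2
    user: $5
    namespace: $8
current-context: $7
EOF
  )
}

# Constructed, unsigned token for offline use only. A real one comes from the
# service-account Secret (pre-1.24) or from:
#   kubectl create token anon-service-account -n anon-namespace
fake_jwt() {  # $1 namespace, $2 service account
  hdr=$(printf '{"alg":"none"}' | base64 | tr -d '\n=' | tr '/+' '_-')
  pl=$(printf '{"iss":"kubernetes/serviceaccount","sub":"system:serviceaccount:%s:%s"}' "$1" "$2" \
       | base64 | tr -d '\n=' | tr '/+' '_-')
  printf '%s.%s.' "$hdr" "$pl"
}

# Stand-alone demo: sh this-file.sh demo
if [ "${1:-}" = demo ]; then
  TOKEN=$(fake_jwt anon-namespace anon-service-account)
  check_token "$TOKEN" anon-namespace anon-service-account
  write_kubeconfig anon-kubeconfig.yaml my-cluster https://127.0.0.1:6443 \
    REPLACE_WITH_CA_DATA anon-user "$TOKEN" anon-context anon-namespace
  echo "wrote anon-kubeconfig.yaml"
fi
```

With a real token in TOKEN, replace the fake_jwt call with the page's own lookup and point KUBECONFIG at the generated file; then kubectl auth can-i --list -n anon-namespace shows exactly what the service account may do, which with the cluster-admin option will be everything.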
    

Creating the Service Account

Use the steps provided in this section to create the service account and grant it the required permissions in the cluster.

  1. Create the Kubernetes Service Account using the following steps.

    1. Navigate to the rbac directory of the extracted Protegrity Anonymization API package.

    2. Open the anon-service-account.yaml file using a text editor.

    3. Update the namespace as per your configuration in the anon-service-account.yaml file.

    4. Save and close the file.

    5. From a command prompt, navigate to the rbac directory and run the following command to create the service account.

      kubectl apply -f anon-service-account.yaml
      
  2. Grant the appropriate permissions to the service account using one of the following two options.

    • Grant cluster-admin permissions to the service account across all namespaces using the following steps.

      Note: Run this step only if you want to grant the service account access to all namespaces in your cluster. Anyone holding the service account's token then has full control of the cluster, so prefer the namespace-specific option unless cluster-wide access is genuinely required.

      A Kubernetes ClusterRoleBinding is a cluster-scoped object, but its subject, the service account, exists in a single namespace. Hence, you must specify the namespace of the service account in the binding.

      1. Navigate to the rbac directory of the extracted Protegrity Anonymization API package.

      2. Open the anon-clusterrolebinding.yaml file using a text editor.

      3. Update the namespace as per your configuration in the anon-clusterrolebinding.yaml file.

      4. Save and close the file.

      5. From a command prompt, navigate to the rbac directory and run the following command to assign the appropriate permissions.

        kubectl apply -f anon-clusterrolebinding.yaml
        
    • Grant namespace-specific permissions to the service account using the following steps.

      Note: Run this step only if you want to restrict the service account to the Protegrity Anonymization API namespace.

      This option uses a Role, which defines the set of permissions within the namespace, and a RoleBinding, which attaches that Role to the service account.

      1. Navigate to the rbac directory of the extracted Protegrity Anonymization API package.

      2. Open the anon-role-and-rolebinding.yaml file using a text editor.

      3. Update the namespace, role, and service account name as per your configuration in the anon-role-and-rolebinding.yaml file.

      4. Save and close the file.

      5. From a command prompt, navigate to the rbac directory and run the following command to assign the appropriate permissions.

        kubectl apply -f anon-role-and-rolebinding.yaml
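
The page has you edit the namespace and names by hand in three YAML files whose contents it does not show. The script below is an added example, not the package's own rbac/*.yaml files, that renders both options described above from a namespace and service-account name and checks the result before applying it: the cluster-wide binding to cluster-admin beside the namespaced Role plus RoleBinding. The role name anon-role and the resource list in the Role are assumptions about what an API workload typically needs; trim the list to what the anonymization pods actually use.

```sh
#!/bin/sh
# Added example, not the package's own rbac/*.yaml files: render the two
# RBAC options the page describes from a namespace and service-account
# name, so nothing is hand-edited. The resources listed in the namespaced
# Role are an assumption about what an API workload needs; trim them to
# what the anonymization pods actually touch.
set -eu

render_service_account() {  # $1 namespace, $2 service account
  cat <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: $2
  namespace: $1
EOF
}

# Option 1, cluster-wide: bind the built-in cluster-admin ClusterRole.
# The binding is cluster-scoped, but the subject still names its namespace.
render_cluster_admin_binding() {  # $1 namespace, $2 service account
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: $2-cluster-admin
subjects:
- kind: ServiceAccount
  name: $2
  namespace: $1
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
EOF
}

# Option 2, namespaced: a Role holding the permissions and a RoleBinding
# attaching it to the service account, both confined to the namespace.
render_namespaced_rbac() {  # $1 namespace, $2 service account, $3 role name
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: $3
  namespace: $1
rules:
- apiGroups: [""]
  resources: ["pods", "pods/log", "services", "configmaps", "secrets", "persistentvolumeclaims"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: ["apps"]
  resources: ["deployments", "statefulsets", "replicasets"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: $3-binding
  namespace: $1
subjects:
- kind: ServiceAccount
  name: $2
  namespace: $1
roleRef:
  kind: Role
  name: $3
  apiGroup: rbac.authorization.k8s.io
EOF
}

# Kinds present in a rendered bundle, space-separated, e.g. "Role RoleBinding".
manifest_kinds() { grep '^kind:' | sed 's/^kind: //' | tr '\n' ' ' | sed 's/ $//'; }

# Succeeds only if the bundle never references a ClusterRole, i.e. it is
# genuinely confined to the namespace.
is_namespace_confined() { ! grep -q 'kind: ClusterRole$'; }

# Apply one option, then show what the service account can do before a
# token is handed out (impersonation needs admin rights on your side).
apply_rbac() {  # $1 namespace, $2 service account, $3 "cluster" or "namespace"
  render_service_account "$1" "$2" | kubectl apply -f -
  if [ "$3" = cluster ]; then
    render_cluster_admin_binding "$1" "$2" | kubectl apply -f -
  else
    render_namespaced_rbac "$1" "$2" anon-role | kubectl apply -f -
  fi
  kubectl auth can-i --list --as="system:serviceaccount:$1:$2" -n "$1"
}

# Stand-alone: sh this-file.sh render [cluster|namespace] prints the manifests.
if [ "${1:-}" = render ]; then
  render_service_account anon-namespace anon-service-account
  echo '---'
  if [ "${2:-namespace}" = cluster ]; then
    render_cluster_admin_binding anon-namespace anon-service-account
  else
    render_namespaced_rbac anon-namespace anon-service-account anon-role
  fi
fi
```

Run the render mode and pipe it into kubectl apply --dry-run=client -f - first to let the API server validate the objects without creating them; the can-i listing at the end of apply_rbac is the quickest way to see that the namespaced option really stops at the namespace boundary.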
        

Last modified : November 12, 2025