Prepare Cluster Access Credential

This guide shows you how to create a cluster access credential that lets your Tekton Tasks and Pipelines reach the target cluster.


Prerequisites

  • kubectl installed and configured to access the cluster.
  • Permissions to read and write Secrets.

Steps

Option 1: Create a Kubeconfig Secret

Provide a kubeconfig with a context that has the right cluster/permissions.

Keep this kubeconfig minimal (only the context you need). Rotate regularly and scope RBAC tightly.

You can use the following command to generate a Secret that contains the kubeconfig file. Replace /path/to/kubeconfig with the actual path to your kubeconfig file.

kubectl -n <target-namespace> create secret generic <kubeconfig-secret-name> --from-file=kubeconfig=/path/to/kubeconfig

Alternatively, apply a manifest that carries the kubeconfig under the kubeconfig key of stringData:

apiVersion: v1
kind: Secret
metadata:
  name: <kubeconfig-secret-name>
  namespace: <target-namespace>
type: Opaque
stringData:
  kubeconfig: |
    # paste a minimal kubeconfig here (with correct context)
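The guide asks for a minimal kubeconfig (only the context you need). The following added example, which is not part of the original guide, shows what "minimal" means in practice: it takes a parsed kubeconfig (a dict, as you would get from PyYAML or `kubectl config view -o json`), keeps exactly one context plus the cluster and user that context references, and drops every other credential, then wraps the result in a Secret shaped like the manifest above. The sample kubeconfig, its context names and its tokens are constructed placeholders; `minify_kubeconfig` and `secret_manifest` are names chosen here.

```python
"""Minimal-kubeconfig extractor (added example, not code from the original guide).

Keeps one context and only the cluster and user it references, so the Secret
never carries credentials for contexts the Task does not need.
"""
import copy
import json

# Constructed sample kubeconfig with two contexts; only "tekton-deployer" should survive.
# Tokens and server names are placeholders.
SAMPLE_KUBECONFIG = {
    "apiVersion": "v1",
    "kind": "Config",
    "current-context": "admin",
    "clusters": [
        {"name": "prod", "cluster": {"server": "https://prod.example.invalid:6443",
                                     "certificate-authority-data": "PLACEHOLDER-CA"}},
        {"name": "staging", "cluster": {"server": "https://staging.example.invalid:6443",
                                        "certificate-authority-data": "PLACEHOLDER-CA"}},
    ],
    "users": [
        {"name": "cluster-admin", "user": {"token": "PLACEHOLDER-ADMIN-TOKEN"}},
        {"name": "tekton-sa", "user": {"token": "PLACEHOLDER-SA-TOKEN"}},
    ],
    "contexts": [
        {"name": "admin", "context": {"cluster": "prod", "user": "cluster-admin"}},
        {"name": "tekton-deployer",
         "context": {"cluster": "staging", "user": "tekton-sa", "namespace": "apps"}},
    ],
}


def _find(items, name, what):
    """Return a deep copy of the named entry, or raise if the kubeconfig lacks it."""
    for item in items:
        if item.get("name") == name:
            return copy.deepcopy(item)
    raise KeyError(f"no {what} named {name!r} in kubeconfig")


def minify_kubeconfig(config, context_name):
    """Return a new kubeconfig dict holding only `context_name`, its cluster and its user.

    The input dict is not modified; the chosen context becomes current-context.
    """
    ctx = _find(config.get("contexts", []), context_name, "context")
    cluster = _find(config.get("clusters", []), ctx["context"]["cluster"], "cluster")
    user = _find(config.get("users", []), ctx["context"]["user"], "user")
    return {
        "apiVersion": config.get("apiVersion", "v1"),
        "kind": "Config",
        "current-context": context_name,
        "clusters": [cluster],
        "users": [user],
        "contexts": [ctx],
    }


def secret_manifest(name, namespace, kubeconfig):
    """Build the Secret (as a dict) in the same shape as the manifest in the guide.

    The kubeconfig is serialised as JSON, which kubectl accepts because JSON is
    valid YAML; dump it with PyYAML instead if you prefer a YAML document.
    """
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "Opaque",
        "stringData": {"kubeconfig": json.dumps(kubeconfig, indent=2)},
    }


if __name__ == "__main__":
    minimal = minify_kubeconfig(SAMPLE_KUBECONFIG, "tekton-deployer")
    print(json.dumps(secret_manifest("deploy-kubeconfig", "ci", minimal), indent=2))
```

Pipe the printed manifest to `kubectl apply -f -`, or keep using the `kubectl create secret generic --from-file` command above with the minimal kubeconfig written to a file; either way the admin context and its token never reach the cluster.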

Option 2: Create a ServiceAccount with RBAC

Use a dedicated ServiceAccount. Bind only the permissions your charts need.

When to use which scope?

  • Namespaced scope (Role + RoleBinding) — use when your charts manage resources only in one namespace (typical app rollouts).
  • Cluster scope (ClusterRole + ClusterRoleBinding) — required if your charts create cluster-scoped resources (e.g., CRDs, webhooks, ClusterRoles, StorageClasses) or operate across multiple namespaces.

Tip: start with the namespaced Role; grant cluster scope only when strictly required.

apiVersion: v1
kind: ServiceAccount
metadata:
  name: <service-account-name>
  namespace: <target-namespace>
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: <role-name>
  namespace: <target-namespace>
rules:
  # Replace with your resources
  - apiGroups: ["apps"]
    resources: ["deployments", "statefulsets", "daemonsets", "replicasets"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: <role-binding-name>
  namespace: <target-namespace>
subjects:
  - kind: ServiceAccount
    name: <service-account-name>
    namespace: <target-namespace>
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: <role-name>
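To check a Role against the scope advice above before you apply it, the following added example (not part of the original guide) lints a Role or ClusterRole manifest, parsed into a dict, for three things: wildcard grants, verbs that let the subject grow its own privileges (`escalate`, `bind`, `impersonate`), and cluster-scoped resources listed in a namespaced Role, which a RoleBinding can never grant and which therefore signal that the ClusterRole path is needed. The list of cluster-scoped resources is a hand-picked subset used here for illustration, not the cluster's discovery data; `lint_rbac` and `needs_cluster_scope` are names chosen for this example, and the two sample manifests are constructed (the first mirrors the Role in the guide).

```python
"""RBAC rule linter (added example, not code from the original guide)."""

# Common cluster-scoped resources (plural names). Assumption: a partial list for
# illustration; a real check would use `kubectl api-resources --namespaced=false`.
CLUSTER_SCOPED = {
    "customresourcedefinitions", "clusterroles", "clusterrolebindings",
    "storageclasses", "persistentvolumes", "namespaces", "nodes",
    "mutatingwebhookconfigurations", "validatingwebhookconfigurations",
}

# Verbs that let a subject extend its own permissions; review them even in a namespaced Role.
ESCALATION_VERBS = {"escalate", "bind", "impersonate"}

# Constructed sample: the same rule the guide's Role uses.
GUIDE_ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "Role",
    "metadata": {"name": "deployer", "namespace": "apps"},
    "rules": [
        {"apiGroups": ["apps"],
         "resources": ["deployments", "statefulsets", "daemonsets", "replicasets"],
         "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"]},
    ],
}

# Constructed sample of a Role that should not pass review.
OVERBROAD_ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "Role",
    "metadata": {"name": "too-much", "namespace": "apps"},
    "rules": [
        {"apiGroups": ["apiextensions.k8s.io"],
         "resources": ["customresourcedefinitions"], "verbs": ["create", "delete"]},
        {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
        {"apiGroups": ["rbac.authorization.k8s.io"],
         "resources": ["roles"], "verbs": ["bind", "escalate", "get"]},
    ],
}


def lint_rbac(manifest):
    """Return a list of human-readable findings for a Role or ClusterRole dict."""
    kind = manifest.get("kind")
    findings = []
    for i, rule in enumerate(manifest.get("rules", [])):
        groups = rule.get("apiGroups", [])
        resources = rule.get("resources", [])
        verbs = rule.get("verbs", [])
        if "*" in groups or "*" in resources or "*" in verbs:
            findings.append(
                f"rule {i}: wildcard grant (apiGroups={groups}, resources={resources}, verbs={verbs})")
        escalating = ESCALATION_VERBS & set(verbs)
        if escalating:
            findings.append(f"rule {i}: privilege-escalation verbs {sorted(escalating)}")
        cluster_res = CLUSTER_SCOPED & set(resources)
        if kind == "Role" and cluster_res:
            findings.append(
                f"rule {i}: cluster-scoped resources {sorted(cluster_res)} in a namespaced Role;"
                " a RoleBinding cannot grant these, use a ClusterRole + ClusterRoleBinding")
    return findings


def needs_cluster_scope(manifest):
    """True when any rule touches a cluster-scoped resource (the guide's cluster-scope case)."""
    return any(bool(CLUSTER_SCOPED & set(r.get("resources", [])))
               for r in manifest.get("rules", []))


if __name__ == "__main__":
    for name, role in (("guide role", GUIDE_ROLE), ("overbroad role", OVERBROAD_ROLE)):
        print(f"{name}: cluster scope needed = {needs_cluster_scope(role)}")
        for finding in lint_rbac(role) or ["no findings"]:
            print("  -", finding)
```

Run it over a manifest loaded with PyYAML (each document of a multi-document file separately) as a pre-apply gate in the pipeline that manages these Roles; a non-empty findings list is a reason to stop and narrow the rule rather than to reach for a ClusterRole.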