The best way to create an isolated set of credentials for use with Shippable Pipelines is to create a Kubernetes Service Account, and set up a kubeconfig file that utilizes it.

Create the Service Account

  • Make sure you're on a machine that has a kubectl that can interact with your cluster
  • Create a shippable-service-account.yaml file to represent the service account
apiVersion: v1
kind: ServiceAccount
  name: shippable-deploy #any name you'd like
  • Use kubectl to create the service account on the master
$ kubectl create -f shippable-service-account.yaml
serviceaccount "shippable-deploy" created

Create the kubeconfig file

  • SSH into the Bastion host and from there, SSH into your Kubernetes master node and run the following commands. Copy the output of this file which gives you the kubeconfig.
$ sudo su -
$ cat /etc/kubernetes/admin.conf
  • Paste the contents into the KubeConfig File textbox. NOTE: if you don't want to use your admin.conf, you can set up a serviceAccount as described here.

Copy the contents of your kubeconfig file, usually found at ~/.kube/config, that contains credentials for accessing your Kubernetes cluster. You may copy the entire kubeconfig file or only the details related to a particular cluster

  • Start by copying the existing kubeconfig from kubectl to a file, and get ready to modify it
$ kubectl config view --flatten --minify > myConfig.config
  • Use kubectl to describe the service account so you can see its details
$ kubectl describe serviceAccounts shippable-deploy
Name:       shippable-deploy
Namespace:  default
Labels:     <none>
Annotations:    <none>

Image pull secrets: <none>

Mountable secrets:  shippable-deploy-token-h6pdj

Tokens:             shippable-deploy-token-h6pdj
  • Now describe the secret token associated with the account
$ kubectl describe secrets shippable-deploy-token-h6pdj
Name:       shippable-deploy-token-h6pdj
Namespace:  default
Labels:     <none>


ca.crt:     1119 bytes
namespace:  7 bytes
token:      eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3Nlcn...
  • Modify the kubeconfig file to utilize the serviceAccount token.
apiVersion: v1
kind: Config
- name: shippable-deploy
    token: eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3Nlcn...
- name: my-kube-cluster
     certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUREREND...
- context:
    cluster: my-kube-cluster
    user: shippable-deploy
  name: shippable-context
current-context: shippable-context
  • Make sure the user is the name of the serviceAccount, and check that it is updated in the users section as well as the context section.
  • Check that the current-context states the name of the context that references the correct cluster and the correct serviceAccount user.
  • This assumes that the kubeconfig you started with already had the server and certificate authority information.
  • Finally, take this kubeconfig file that you created, and use it for your Shippable Kubernetes Integration.