wagz

RBAC quick Instructions

Nov 2nd, 2018
---make sure you have openssl installed
openssl genrsa -out bwagoner.pem 2048
----The CN in the next line is how you will be referenced in Kubernetes rolebindings.
openssl req -new -key bwagoner.pem -out bwagoner.csr -subj "/CN=bwagoner"
----If you want the user to be part of some groups (each O= becomes a group), the previous line would look something like this:-----
openssl req -new -key bwagoner.pem -out bwagoner.csr -subj "/CN=bwagoner/O=app1/O=app2"

cat bwagoner.csr | base64 | tr -d '\n'

vi bwagoner.req

apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
metadata:
  name: user-request-bwagoner
spec:
  groups:
  - system:authenticated
  request: <paste the base64 CSR here, from the cat bwagoner.csr line>
  usages:
  - digital signature
  - key encipherment
  - client auth

kubectl create -f bwagoner.req
kubectl get csr
kubectl certificate approve user-request-bwagoner
kubectl get csr user-request-bwagoner -o jsonpath='{.status.certificate}' | base64 -d > bwagoner.crt

copy the existing kubeconfig and replace "client-certificate-data:" and "client-key-data:" with these respectively:
cat bwagoner.crt | base64 | tr -d '\n'
cat bwagoner.pem | base64 | tr -d '\n'

Also change the username and name fields accordingly in that new kubeconfig file. Those fields only affect the local kubeconfig file and are not the usernames used by Kubernetes (the certificate CN is). Give the new kubeconfig to the client.

------------authorization--------
Roles are namespace-scoped and ClusterRoles are cluster-wide.
kubectl get clusterroles admin -o yaml
----a rolebinding that references a clusterrole grants its rules only inside the namespace the binding lives in----
kubectl create rolebinding bwagoner --clusterrole=admin --user=bwagoner --dry-run -o yaml
kubectl create rolebinding bwagoner --clusterrole=admin --user=bwagoner

-----optional: limit user to one namespace--------
kubectl create namespace foo

vi test.yml

---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: limited-to-foo-namespace
  namespace: foo
rules:
- apiGroups: ["", "extensions", "apps"]
  resources: ["*"]
  verbs: ["*"]
- apiGroups: ["batch"]
  resources:
  - jobs
  - cronjobs
  verbs: ["*"]

---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: limited-to-foo-binding
  namespace: foo
subjects:
- kind: User
  name: bwagoner   # User subjects have no namespace; metadata.namespace above scopes the binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: limited-to-foo-namespace

kubectl create -f test.yml

--------if you don't want to have to specify the locked-down namespace in every command on the client side, update your kubeconfig file----
kubectl config set-context $(kubectl config current-context) --namespace=foo
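As an added illustration (not part of the paste), here is a small Python model of how the RBAC authorizer evaluates the Role and RoleBinding from test.yml, so you can see what bwagoner can and cannot do before handing out the kubeconfig. The manifests are transcribed as Python literals, the roleRef indirection is folded into the binding, and ServiceAccount subjects are left out.

```python
from typing import Iterable

# Role rules from test.yml, transcribed as Python literals (constructed for this example).
LIMITED_TO_FOO_RULES = [
    {"apiGroups": ["", "extensions", "apps"], "resources": ["*"], "verbs": ["*"]},
    {"apiGroups": ["batch"], "resources": ["jobs", "cronjobs"], "verbs": ["*"]},
]

# The RoleBinding from test.yml, with the rules of the Role it references folded in.
# Real bindings hold a roleRef instead; that indirection is skipped here for brevity.
LIMITED_TO_FOO_BINDING = {
    "namespace": "foo",
    "subjects": [{"kind": "User", "name": "bwagoner"}],
    "rules": LIMITED_TO_FOO_RULES,
}


def _matches(allowed: Iterable[str], value: str) -> bool:
    """A rule field matches when it lists the value itself or the wildcard "*"."""
    return any(a in ("*", value) for a in allowed)


def rule_allows(rule: dict, verb: str, api_group: str, resource: str) -> bool:
    """All three fields of a rule must match for the rule to grant the request."""
    return (_matches(rule["apiGroups"], api_group)
            and _matches(rule["resources"], resource)
            and _matches(rule["verbs"], verb))


def subject_matches(subject: dict, user: str, groups: Iterable[str]) -> bool:
    """User subjects match the certificate CN; Group subjects match an O= value."""
    if subject["kind"] == "User":
        return subject["name"] == user
    if subject["kind"] == "Group":
        return subject["name"] in groups
    return False  # ServiceAccount subjects are out of scope for this example


def is_allowed(bindings, user, groups, verb, api_group, resource, namespace) -> bool:
    """Deny by default: allow only if a binding in the request's namespace names
    the user (or one of their groups) and one of its rules matches the request."""
    for b in bindings:
        if b["namespace"] != namespace:
            continue  # a RoleBinding never reaches outside its own namespace
        if not any(subject_matches(s, user, groups) for s in b["subjects"]):
            continue
        if any(rule_allows(r, verb, api_group, resource) for r in b["rules"]):
            return True
    return False
```

On a live cluster, `kubectl auth can-i <verb> <resource> -n foo --as bwagoner` gives the authoritative answer; this model only makes the scoping rules visible.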