---make sure you have openssl installed
openssl genrsa -out bwagoner.pem 2048
----The CN in the next line is how you will be referenced in kubernetes rolebindings.
openssl req -new -key bwagoner.pem -out bwagoner.csr -subj "/CN=bwagoner"
----If you want the user to be part of some groups, the previous line would look something like (each O= value becomes a group)-----
openssl req -new -key bwagoner.pem -out bwagoner.csr -subj "/CN=bwagoner/O=app1/O=app2"
cat bwagoner.csr | base64 | tr -d '\n'
vi bwagoner.req
apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
metadata:
  name: user-request-bwagoner
spec:
  groups:
  - system:authenticated
  request: <paste the one-line base64 CSR from the "cat bwagoner.csr" command here>
  usages:
  - digital signature
  - key encipherment
  - client auth
kubectl create -f bwagoner.req
kubectl get csr
kubectl certificate approve user-request-bwagoner
kubectl get csr user-request-bwagoner -o jsonpath='{.status.certificate}' | base64 -d > bwagoner.crt
copy the existing kubeconfig and replace the values of "client-certificate-data:" and "client-key-data:" with the output of these two commands, respectively:
cat bwagoner.crt | base64 | tr -d '\n'
cat bwagoner.pem | base64 | tr -d '\n'
Also change the username and name fields accordingly in that new kubeconfig file. Those fields only affect the local kubeconfig file; they are not the username kubernetes uses (that comes from the CN in the certificate). Give the new kubeconfig to the client.
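The manual steps above (one-line base64 of the CSR pasted into the manifest, the approved certificate decoded out of the CSR object, the two *-data fields in the kubeconfig) are easy to get wrong by hand. The following is an added example, not part of the original paste, that does them with the Python standard library only; it emits JSON, which kubectl accepts in place of YAML, and it refuses to hand back a certificate unless the CSR object actually carries an Approved condition.

```python
"""Helpers for the certificate-based user procedure above (stdlib only)."""
import base64


def b64_oneline(data: bytes) -> str:
    """Equivalent of `cat file | base64 | tr -d '\\n'`."""
    return base64.b64encode(data).decode("ascii")


def openssl_subject(username: str, groups=()) -> str:
    """The -subj argument: CN becomes the kubernetes user, each O= a group."""
    return "/CN=" + username + "".join("/O=" + g for g in groups)


def csr_manifest(username: str, csr_pem: bytes) -> dict:
    """CertificateSigningRequest object matching bwagoner.req above."""
    return {
        "apiVersion": "certificates.k8s.io/v1beta1",
        "kind": "CertificateSigningRequest",
        "metadata": {"name": "user-request-" + username},
        "spec": {
            "groups": ["system:authenticated"],
            "request": b64_oneline(csr_pem),
            "usages": ["digital signature", "key encipherment", "client auth"],
        },
    }


def issued_certificate(csr_object: dict) -> bytes:
    """Same as `kubectl get csr ... -o jsonpath='{.status.certificate}' | base64 -d`,
    but only once an Approved condition is present (csr_object is the parsed
    output of `kubectl get csr <name> -o json`)."""
    status = csr_object.get("status", {})
    approved = any(c.get("type") == "Approved" for c in status.get("conditions", []))
    cert_b64 = status.get("certificate", "")
    if not approved or not cert_b64:
        raise ValueError("CSR is not approved or no certificate has been issued yet")
    return base64.b64decode(cert_b64)


def kubeconfig_user(username: str, cert_pem: bytes, key_pem: bytes) -> dict:
    """The `users:` entry whose two *-data fields replace those in the copied kubeconfig."""
    return {
        "name": username,
        "user": {
            "client-certificate-data": b64_oneline(cert_pem),
            "client-key-data": b64_oneline(key_pem),
        },
    }
```

Feed `csr_manifest()` the bytes of bwagoner.csr and `json.dumps()` the result to get a file `kubectl create -f` will accept.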
------------authorization--------
roles are namespace based and clusterroles are clusterwide (a rolebinding that references a clusterrole grants it only inside the binding's namespace)
kubectl get clusterroles admin -o yaml
kubectl create rolebinding bwagoner --clusterrole=admin --user=bwagoner --dry-run -o yaml
kubectl create rolebinding bwagoner --clusterrole=admin --user=bwagoner
-----optional: limit user to one namespace--------
kubectl create namespace foo
vi test.yml
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: limited-to-foo-namespace
  namespace: foo
rules:
- apiGroups: ["", "extensions", "apps"]
  resources: ["*"]
  verbs: ["*"]
- apiGroups: ["batch"]
  resources:
  - jobs
  - cronjobs
  verbs: ["*"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: limited-to-foo-binding
  namespace: foo
subjects:
- kind: User
  name: bwagoner
  namespace: foo
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: limited-to-foo-namespace
kubectl create -f test.yml
--------if you don't want to have to specify the locked down namespace in every command on the client side then update your kubeconfig file----
kubectl config set-context $(kubectl config current-context) --namespace=foo