@100daysofdevops
Created January 27, 2024 02:32
1. Create a Namespace
# Create a namespace named 'devops'
kubectl create ns devops
2. Create a Private Key for the User
# Generate a 2048-bit RSA private key for the user
openssl genrsa -out prashant.key 2048
3. Create a Certificate Signing Request (CSR) for the User
# Create a CSR with the specified subject
openssl req -new -key prashant.key -out prashant.csr -subj "/CN=prashant/O=devops"
4. Kubernetes Admin Signs the CSR
The next step involves the Kubernetes administrator. The user sends the prashant.csr file securely to the admin, who then signs it using the Kubernetes certificate authority's (CA) private key and certificate. Before signing, the admin should inspect the CSR subject, because Kubernetes takes the CN as the user name and each O as a group the user belongs to.
# Sign the CSR with the cluster CA; the resulting certificate is valid for 365 days
openssl x509 -req -in prashant.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out prashant.crt -days 365
5. Admin Creates a Kubeconfig File for the User
# Set the cluster details in the kubeconfig file
kubectl --kubeconfig prashant.kubeconfig config set-cluster kubernetes --server https://<controlplane server>:6443 --certificate-authority=ca.crt
Note: The ca.crt file is referenced by path here. Alternatively, you can embed the CA certificate inline under the certificate-authority-data key by base64-encoding it with the following command:
cat ca.crt | base64 -w0
6. Adding the User to Kubeconfig
# Add user credentials to the kubeconfig
kubectl --kubeconfig prashant.kubeconfig config set-credentials prashant --client-certificate /root/prashant.crt --client-key /root/prashant.key
7. Set and Use the Context
# Define and use the new context
kubectl --kubeconfig prashant.kubeconfig config set-context prashant-kubernetes --cluster kubernetes --namespace devops --user prashant
kubectl --kubeconfig prashant.kubeconfig config use-context prashant-kubernetes
Note: To check your Kubernetes server configuration, use the kubectl config view command. You can also modify an existing kubeconfig file based on your requirements instead of creating a new one.
8. Permissions for the User
Initially, when user prashant tries to execute commands, they will fail due to lack of defined roles/rolebindings:
kubectl --kubeconfig prashant.kubeconfig get pods
Error: pods is forbidden...
9. Define Role and RoleBinding for User Access
# Create a role with specific resource permissions in the 'devops' namespace
kubectl create role prashant-devops --verb=get,list --resource=pods --namespace=devops
# Associate the user with the role through a rolebinding
kubectl create rolebinding prashant-devops-rolebinding --role prashant-devops --user=prashant --namespace=devops
Now, user prashant can list pods in the 'devops' namespace but not in others:
kubectl --kubeconfig prashant.kubeconfig get pods -n devops
# Output: Details of pods in the 'devops' namespace
kubectl --kubeconfig prashant.kubeconfig get pods -n default
# Error: Forbidden...
10. Scalable Solution: Group-Based Role Assignments
As a more scalable solution, assign permissions to groups instead of individual users. Recall that the CSR included an Organization (O) set as 'devops'; Kubernetes maps the O field of a client certificate to group membership, so prashant is already a member of the 'devops' group:
# Bind the role to the group; if the user-scoped rolebinding from step 9 still exists, delete it first or choose a different name
kubectl create rolebinding prashant-devops-rolebinding --role prashant-devops --group=devops --namespace=devops
This way, any user whose certificate carries O=devops inherits the permissions without a per-user rolebinding.
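The following script is an added example and not part of the original gist. It wraps the OpenSSL side of the procedure (steps 2 through 4) in shell functions and adds the check an admin should run on a CSR before signing it: since Kubernetes reads the CN as the user name and the O as group membership (the mapping step 10 relies on), a CSR that asks for a reserved group such as O=system:... must be refused. It assumes openssl is installed and uses a throwaway self-signed CA created for the demo in place of the cluster's ca.crt/ca.key; the user names prashant and mallory are constructed for the example.

```shell
#!/bin/sh
# Added example (not part of the original gist): steps 2-4 as functions,
# plus an admin-side subject check before signing. The CA is a demo-only
# self-signed one; a real cluster signs with its own ca.crt/ca.key.

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Demo-only CA so the example runs without a cluster (assumption).
make_demo_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.crt" \
    -subj "/CN=demo-ca" >/dev/null 2>&1
}

# Steps 2 and 3: user key and CSR. $1 = user (CN), $2 = group (O).
make_user_csr() {
  openssl genrsa -out "$WORKDIR/$1.key" 2048 >/dev/null 2>&1
  openssl req -new -key "$WORKDIR/$1.key" -out "$WORKDIR/$1.csr" \
    -subj "/CN=$1/O=$2" >/dev/null 2>&1
}

# Print the subject of a CSR in RFC 2253 form, e.g. O=devops,CN=prashant.
csr_subject() {
  openssl req -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# Admin check before signing: the O field becomes Kubernetes group
# membership, so refuse any CSR that requests a reserved system: group.
check_csr_subject() {
  subj=$(csr_subject "$1")
  case ",$subj," in
    *",O=system:"*)
      echo "REJECT $1: requests reserved group in '$subj'" >&2
      return 1 ;;
  esac
  echo "OK $1: $subj"
}

# Step 4: sign with the CA, but only after the subject check passed.
sign_csr() {
  check_csr_subject "$WORKDIR/$1.csr" >/dev/null || return 1
  openssl x509 -req -in "$WORKDIR/$1.csr" -CA "$WORKDIR/ca.crt" \
    -CAkey "$WORKDIR/ca.key" -CAcreateserial -days 365 \
    -out "$WORKDIR/$1.crt" >/dev/null 2>&1
}

# Confirm the issued certificate chains to the CA and print its subject.
verify_cert() {
  openssl verify -CAfile "$WORKDIR/ca.crt" "$WORKDIR/$1.crt" >/dev/null &&
  openssl x509 -in "$WORKDIR/$1.crt" -noout -subject -nameopt RFC2253 |
    sed 's/^subject= *//'
}

demo() {
  make_demo_ca
  make_user_csr prashant devops
  sign_csr prashant                 # signed: subject passes the check
  verify_cert prashant              # prints O=devops,CN=prashant
  make_user_csr mallory system:masters
  sign_csr mallory || echo "refused to sign $WORKDIR/mallory.csr"
}
demo
```

Run it as-is to see one CSR signed and one refused; set WORKDIR to keep the generated files somewhere other than a temporary directory. The check lives in sign_csr rather than as a separate step so that a signing path without the subject inspection does not exist.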
11. Alternative: Using Kubernetes Built-in Certificates API
Another method involves the Kubernetes admin using the built-in Certificates API for handling CSR requests. Instead of manually signing CSRs, the admin can create and approve CSRs through Kubernetes:
# Example Certificate Signing Request creation
cat <<EOF | kubectl apply -f -
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
...
EOF
# To view and approve the request
kubectl get csr
kubectl certificate approve prashant
Note: The kube-controller-manager handles certificate operations, with separate controllers for CSR approval and CSR signing.