@abdennour
Last active July 15, 2020 10:11
Kubernetes kubectl Authenticate with Keys ClusterRoleBinding RBAC

Using x509 Certificate:

https://www.udemy.com/draft/1522024/learn/lecture/9624320#questions/7312846

Authentication

official docs: https://kubernetes.io/docs/reference/access-authn-authz/authentication/#x509-client-certs
tutorial: https://www.linkedin.com/pulse/adding-users-quick-start-kubernetes-aws-jakub-scholz/

# generate the private key
openssl genrsa -out kabdennour.pem 2048

# certificate signing request: Kubernetes takes the user name from CN, and every
# O= value becomes a group (here: user kabdennour, member of groups app1 and app2)
openssl req -new -key kabdennour.pem -out kabdennour.csr -subj "/CN=kabdennour/O=app1/O=app2"

# encode CSR
ENCODED_CS=$(cat kabdennour.csr | base64 | tr -d '\n');

# Add CSR resource
REQUEST_NAME=user-request-kabdennour

cat > kabdennour-csr.yaml <<EOF
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: ${REQUEST_NAME}
spec:
  # required with the v1 API (v1beta1 was removed in Kubernetes 1.22);
  # this signer issues client certificates the kube-apiserver trusts
  signerName: kubernetes.io/kube-apiserver-client
  # do not set spec.groups / spec.username here: the API server sets them
  # from the identity that submits the CSR, not from the manifest
  request: ${ENCODED_CS}
  usages:
  - digital signature
  - key encipherment
  - client auth
EOF

# Create the CSR object in the cluster (the submitter needs "create" on certificatesigningrequests)
kubectl create -f kabdennour-csr.yaml

# The CSR stays Pending until a cluster admin approves it
kubectl get csr $REQUEST_NAME
kubectl certificate approve $REQUEST_NAME

# Now the certificate is signed. Pull the signed certificate (the public part) out of the CSR status.
# base64 -d is GNU coreutils; on macOS use base64 -D
kubectl get csr $REQUEST_NAME -o jsonpath='{.status.certificate}' | base64 -d > kabdennour.crt
# KUBECONFIG editing ------

# Work with a separate config file instead of ~/.kube/config
export CLUSTER_NAME=gke_learning-201002_us-central1-a_cluster-learning # on GKE the cluster entry is named gke_${project_id}_${zone}_${cluster_name}
export KUBECONFIG=mycluster.config
# dump the cluster configuration (API endpoint + CA) into that file
gcloud container --project learning-201002  clusters get-credentials cluster-learning --zone us-central1-a

# Add the new user "kabdennour" to KUBECONFIG
kubectl --kubeconfig $KUBECONFIG config set-credentials kabdennour --client-certificate=kabdennour.crt --client-key=kabdennour.pem --embed-certs=true
# --- this writes "client-certificate-data", i.e. $(base64 < kabdennour.crt)
# --- and "client-key-data", i.e. $(base64 < kabdennour.pem); the private key now lives inside the kubeconfig, so protect the file (chmod 600)
#
# Add context for that user
kubectl --kubeconfig $KUBECONFIG config set-context ctx-kabdennour --cluster=$CLUSTER_NAME --user=kabdennour

# Use that context
kubectl --kubeconfig $KUBECONFIG config use-context ctx-kabdennour

  • By now, the user kabdennour is authenticated but not authorized: kubectl get pods as that user returns 403 Forbidden until an RBAC binding grants something.

Authorization - RBAC

  • Note, a ClusterRole applies to all namespaces (and to cluster-scoped resources such as nodes); a Role is limited to one namespace.
  • Respectively, a RoleBinding grants within one namespace and a ClusterRoleBinding grants cluster-wide.
# Create role (cluster scoped) and the binding in one file
cat > user-kabdennour-authorization.yaml <<EOF
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  # "namespace" omitted since ClusterRoles are not namespaced
  name: partial-reader
rules:
- apiGroups: [""]
  resources: ["pods", "nodes"]
  verbs: ["get", "watch", "list"]
# deployments live in the "apps" API group, not the core ("") group, so they need their own rule
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "watch", "list"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: kabdennour-partial-read
subjects:
- kind: User
  name: kabdennour
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: partial-reader
  apiGroup: rbac.authorization.k8s.io
EOF
# Deploy the role
kubectl create -f user-kabdennour-authorization.yaml
  • You might not need to create the ClusterRole (partial-reader), since there are pre-defined ClusterRoles such as view, edit, admin and cluster-admin; inspect one with kubectl get clusterrole view -o yaml. kubectl get clusterroles system:basic-user -o yaml shows what every authenticated user is already granted.
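The whole flow above (key and CSR, CSR manifest, checking which identity the signed cert presents, then probing RBAC) as an added example. This is not the gist's own code: the function names, the current-directory file layout and the probe_access resource list are this example's assumptions; the user name kabdennour and groups app1/app2 are taken from the gist. probe_access needs a reachable cluster; the other functions run offline with openssl.

```shell
#!/bin/sh
# Added example: client-certificate identity for kubectl, end to end.
set -e

# Generate key + CSR for user $1 with groups $2..; prints the base64 CSR on one line.
# Kubernetes maps CN -> user name and each O= value -> a group.
make_csr() {
  user=$1; shift
  subj="/CN=${user}"
  for g in "$@"; do subj="${subj}/O=${g}"; done
  openssl genrsa -out "${user}.pem" 2048 2>/dev/null
  openssl req -new -key "${user}.pem" -out "${user}.csr" -subj "$subj"
  base64 < "${user}.csr" | tr -d '\n'
}

# Print a certificates.k8s.io/v1 CSR manifest for request name $1 and base64 CSR $2.
# signerName is mandatory in v1; spec.groups/spec.username are deliberately absent
# because the API server fills them from the submitting identity.
csr_manifest() {
  cat <<EOF
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: $1
spec:
  signerName: kubernetes.io/kube-apiserver-client
  request: $2
  usages:
  - digital signature
  - key encipherment
  - client auth
EOF
}

# Print "user=<CN> groups=<O,O,...>" for a signed certificate: this is the identity
# the apiserver will see, so it is what RBAC subjects (kind: User / kind: Group) must match.
cert_identity() {
  cn=$(openssl x509 -in "$1" -noout -subject -nameopt sep_multiline | sed -n 's/^ *CN=//p')
  groups=$(openssl x509 -in "$1" -noout -subject -nameopt sep_multiline | sed -n 's/^ *O=//p' | tr '\n' ',' | sed 's/,$//')
  printf 'user=%s groups=%s\n' "$cn" "$groups"
}

# Probe RBAC for kubeconfig $1 / context $2 (needs a live cluster, not run offline).
# Before any binding exists, every line answers "no": authenticated but not authorized.
# "deployments.apps" is spelled with its API group, the same detail a ClusterRole rule needs.
probe_access() {
  for r in pods nodes deployments.apps secrets; do
    for v in list get create; do
      printf '%-8s %-18s ' "$v" "$r"
      kubectl --kubeconfig "$1" --context "$2" auth can-i "$v" "$r" --all-namespaces || true
    done
  done
}

# Usage against a real cluster (assumed request name and kubeconfig/context from the gist):
#   ENCODED=$(make_csr kabdennour app1 app2)
#   csr_manifest user-request-kabdennour "$ENCODED" | kubectl create -f -
#   kubectl certificate approve user-request-kabdennour
#   kubectl get csr user-request-kabdennour -o jsonpath='{.status.certificate}' | base64 -d > kabdennour.crt
#   cert_identity kabdennour.crt
#   probe_access mycluster.config ctx-kabdennour
```

The cert_identity check is the one worth keeping around: when a ClusterRoleBinding seems to have no effect, the usual cause is a subject name that does not match the CN or an O= group in the certificate actually being presented.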

Troubleshooting

  • if you're using GCP, you may need to toggle container/use_client_certificate (set or unset): it controls whether gcloud get-credentials writes a client certificate or a gcloud token auth-provider into the kubeconfig
gcloud config set container/use_client_certificate True