https://www.udemy.com/draft/1522024/learn/lecture/9624320#questions/7312846
Authentication
official docs: https://kubernetes.io/docs/reference/access-authn-authz/authentication/#x509-client-certs
tutorial: https://www.linkedin.com/pulse/adding-users-quick-start-kubernetes-aws-jakub-scholz/
# generate the private key
openssl genrsa -out kabdennour.pem 2048
# certificate signing request: the CN becomes the Kubernetes username, each O becomes a group
openssl req -new -key kabdennour.pem -out kabdennour.csr -subj "/CN=kabdennour/O=app1/O=app2"
# encode CSR
ENCODED_CS=$(cat kabdennour.csr | base64 | tr -d '\n');
# Add CSR resource
REQUEST_NAME=user-request-kabdennour
cat > kabdennour-csr.yaml <<EOF
# on clusters that only serve certificates.k8s.io/v1 (v1beta1 was removed in 1.22), use
# apiVersion v1 and add "signerName: kubernetes.io/kube-apiserver-client" under spec
apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
metadata:
  name: ${REQUEST_NAME}
spec:
  groups:
  - system:authenticated
  request: ${ENCODED_CS}
  usages:
  - digital signature
  - key encipherment
  - client auth
EOF
# Deploy the k8s resource
kubectl create -f kabdennour-csr.yaml
# Approve the CSR (needs cluster-admin rights); this is what gets the certificate signed
kubectl certificate approve $REQUEST_NAME
# Now the certificate is signed. Download the signed certificate from the csr resource
# (base64 -D is the macOS flag; on GNU/Linux use base64 -d):
kubectl get csr $REQUEST_NAME -o jsonpath='{.status.certificate}' | base64 -D > kabdennour.crt
# KUBECONFIG edition ------
# Work with separated config file instead of ~/.kube/config
export CLUSTER_NAME=gke_learning-201002_us-central1-a_cluster-learning # in gcloud, it is concatenation of gke_${project_id}_${zone}_${cluster_name}
export KUBECONFIG=mycluster.config
#dump configuration into that file
gcloud container --project learning-201002 clusters get-credentials cluster-learning --zone us-central1-a
# Add the new user "kabdennour" to KUBECONFIG
kubectl --kubeconfig $KUBECONFIG config set-credentials kabdennour --client-certificate=kabdennour.crt --client-key=kabdennour.pem --embed-certs=true
# --- it will generate "client-certificate-data" which is $(cat kabdennour.crt | base64)
# --- also it generate "client-key-data" which is $(cat kabdennour.pem | base64)
#
# Add context for that user
kubectl --kubeconfig $KUBECONFIG config set-context ctx-kabdennour --cluster=$CLUSTER_NAME --user=kabdennour
# Use that context
kubectl --kubeconfig $KUBECONFIG config use-context ctx-kabdennour
- By now, the user kabdennour is authenticated but not authorized.
Authorization - RBAC
- Note: a ClusterRole applies to all namespaces, a Role works only within one namespace.
- Respectively, there is RoleBinding and ClusterRoleBinding.
# Create role (cluster scoped) and the binding in one file
cat > user-kabdennour-authorization.yaml <<EOF
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  # "namespace" omitted since ClusterRoles are not namespaced
  name: partial-reader
rules:
- apiGroups: [""]            # core API group: pods and nodes live here
  resources: ["pods", "nodes"]
  verbs: ["get", "watch", "list"]
- apiGroups: ["apps"]        # deployments are in the "apps" group, a core-group rule would not cover them
  resources: ["deployments"]
  verbs: ["get", "watch", "list"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1   # same version as the ClusterRole; rbac v1beta1 was removed in 1.22
metadata:
  name: kabdennour-partial-read
subjects:
- kind: User
  name: kabdennour             # must match the CN of the client certificate
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: partial-reader
  apiGroup: rbac.authorization.k8s.io
EOF
# Deploy the role
kubectl create -f user-kabdennour-authorization.yaml
- You might not need to create the ClusterRole (partial-reader) since there are pre-defined roles like: view, edit, admin. Inspect one with:
kubectl get clusterroles system:basic-user -o yaml
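As an added example (not from the course or the tutorial linked above), a small Python model of the two decisions the API server makes in this flow: mapping the certificate subject to a user and groups, and matching RBAC rules. The subject string, rule sets and binding are constructed to mirror the manifests above, and the run shows why a rule listing deployments under the core group does not grant anything on deployments, which live in the apps group.

```python
# Offline model (constructed example, not kube-apiserver code) of two decisions the API
# server makes in the flow above: (1) x509 subject -> identity: CN is the username, each O
# is a group, and every authenticated caller also gets "system:authenticated"; (2) RBAC: a
# request is allowed if a binding names the subject and the bound role has a rule whose
# apiGroups, resources and verbs all match ("*" is a wildcard).

def identity_from_subject(subject):
    """'/CN=kabdennour/O=app1/O=app2' -> ('kabdennour', ['app1', 'app2', 'system:authenticated'])"""
    user, groups = None, []
    for part in subject.strip("/").split("/"):
        key, _, value = part.partition("=")
        if key == "CN":
            user = value
        elif key == "O":
            groups.append(value)
    return user, groups + ["system:authenticated"]

def rule_allows(rule, api_group, resource, verb):
    match = lambda allowed, wanted: "*" in allowed or wanted in allowed
    return (match(rule["apiGroups"], api_group) and match(rule["resources"], resource)
            and match(rule["verbs"], verb))

def can_i(user, groups, bindings, roles, api_group, resource, verb):
    """Cluster-scoped check: True if any binding for this user/groups grants the request."""
    for binding in bindings:
        bound = any((s["kind"] == "User" and s["name"] == user)
                    or (s["kind"] == "Group" and s["name"] in groups) for s in binding["subjects"])
        if not bound:
            continue
        for rule in roles[binding["roleRef"]["name"]]["rules"]:
            if rule_allows(rule, api_group, resource, verb):
                return True
    return False

# Rule as written in the notes: deployments listed under the core group ("").
RULES_AS_WRITTEN = [{"apiGroups": [""], "resources": ["pods", "nodes", "deployments"],
                     "verbs": ["get", "watch", "list"]}]
# Deployments actually live in the "apps" group, so they need their own rule.
RULES_FIXED = RULES_AS_WRITTEN + [{"apiGroups": ["apps"], "resources": ["deployments"],
                                   "verbs": ["get", "watch", "list"]}]
BINDINGS = [{"subjects": [{"kind": "User", "name": "kabdennour"}],   # as in the ClusterRoleBinding
             "roleRef": {"kind": "ClusterRole", "name": "partial-reader"}}]

def check(rules, api_group, resource, verb, subject="/CN=kabdennour/O=app1/O=app2"):
    user, groups = identity_from_subject(subject)
    return can_i(user, groups, BINDINGS, {"partial-reader": {"rules": rules}}, api_group, resource, verb)

if __name__ == "__main__":
    for rules in (RULES_AS_WRITTEN, RULES_FIXED):
        print("list deployments in apps:", check(rules, "apps", "deployments", "list"))
```

The same model explains the kubectl auth can-i answers you would get after applying the binding: pods and nodes are readable, deployments only once the apps-group rule is present.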
Troubleshooting
- If you're using GCP, you may need to play with container/use_client_certificate (set or unset):
gcloud config set container/use_client_certificate True