@abdennour
Last active June 15, 2019 13:58
Add New Kubernetes User with Role binding
#!/bin/bash
# Usage: $0 myuser
k_user=${1}
#...
# 1. Step one: the new user generates a private key.
openssl genrsa -out ${k_user}.pem 2048
# ==> DO NOT SHARE THIS PRIVATE KEY with anyone: it acts like your password.
# 2. Step two: generate the CSR (certificate signing request).
#    Kubernetes maps the subject's CN to the username and every O to a group,
#    so the values below decide which RBAC subjects the certificate will match.
openssl req -new -key ${k_user}.pem -out ${k_user}.csr -subj "/CN=${k_user}/O=app1/O=app2"
# 3. Submit the CSR to the cluster through the certificates.k8s.io API.
# encode the CSR (tr strips the line wrapping that base64 adds on Linux)
ENCODED_CSR=$(base64 < ${k_user}.csr | tr -d '\n')
# certificates.k8s.io/v1 (v1beta1 was removed in Kubernetes 1.22) requires a
# signerName; kube-apiserver-client is the signer for user client certificates.
# spec.username/groups are filled in by the API server from the requester and
# cannot be set here.
cat > ${k_user}-csr.yaml <<EOF
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: ${k_user}
spec:
  request: ${ENCODED_CSR}
  signerName: kubernetes.io/kube-apiserver-client
  # expirationSeconds: 7776000   # optional, 90 days; honoured from Kubernetes 1.22
  usages:
  - digital signature
  - key encipherment
  - client auth
EOF
# Send the request to the cluster
kubectl create -f ${k_user}-csr.yaml
# 4. Your cluster's administrator must approve this CSR. Before approving, the
#    admin should inspect the requested subject (CN and O values), because
#    approval is what turns them into a username and groups.
kubectl certificate approve ${k_user}
# 5. Once the signer has issued it, the certificate (not the public key) is in
#    .status.certificate. The admin extracts it and delivers the .crt to you.
#    --decode works for both GNU and macOS base64 (-d vs -D).
kubectl get csr ${k_user} -o jsonpath='{.status.certificate}' | base64 --decode > ${k_user}.crt
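The approval in step 4 is the security boundary of this whole procedure: whatever subject the requester put in the CSR becomes their identity once an admin runs `kubectl certificate approve`. The script below is an added example (not part of the original gist) that checks the subject before approving. It refuses any group under the reserved `system:` prefix (`O=system:masters` would grant the cluster-admin-equivalent group that RBAC cannot take away), any reserved username, a missing or duplicated CN, and any attribute other than CN and O. The CSR name `alice` and the subject strings are constructed for the example; `approve_if_safe` is a hypothetical wrapper that needs `kubectl` and `openssl` on the admin's machine.

```bash
#!/bin/bash
# Added example, not part of the original gist: gate `kubectl certificate approve`
# on what the CSR actually asks for. The API server maps CN -> username and each
# O -> group, so the subject is the authorization decision.

# check_subject SUBJECT -> 0 if safe to approve, 1 otherwise.
# SUBJECT is the single-line form printed by
#   openssl req -noout -subject -nameopt RFC2253    e.g. "subject=O=app2,O=app1,CN=alice"
# Anything that is not a plain CN or O (including RFC 2253 escaped commas, which
# show up as a fragment matching none of the patterns) is refused.
check_subject() {
  local IFS=',' subject cn part
  subject="${1#subject=}"
  cn=""
  for part in $subject; do
    case "$part" in
      CN=system:*)
        echo "refuse: username '${part#CN=}' uses the reserved system: prefix" >&2; return 1 ;;
      CN=*)
        # Go's x509 parser keeps the last CN it sees, so two CNs are ambiguous: refuse.
        if [ -n "$cn" ]; then echo "refuse: more than one CN" >&2; return 1; fi
        cn="${part#CN=}" ;;
      O=system:*)
        echo "refuse: group '${part#O=}' is reserved (system:masters bypasses RBAC)" >&2; return 1 ;;
      O=*)
        ;;
      *)
        echo "refuse: unexpected attribute '$part'" >&2; return 1 ;;
    esac
  done
  if [ -z "$cn" ]; then echo "refuse: no CN, so no username" >&2; return 1; fi
  return 0
}

# approve_if_safe CSR_NAME (hypothetical helper): fetch the pending request from
# the cluster, decode the PEM in .spec.request, and approve only if the subject
# passes check_subject. Requires kubectl and openssl.
approve_if_safe() {
  subj=$(kubectl get csr "$1" -o jsonpath='{.spec.request}' | base64 --decode \
         | openssl req -noout -subject -nameopt RFC2253) || return 1
  echo "CSR $1 requests: $subj"
  check_subject "$subj" && kubectl certificate approve "$1"
}

# Offline demonstration on constructed subjects (no cluster needed):
check_subject "subject=O=app2,O=app1,CN=alice" && echo "alice: would approve"
check_subject "subject=O=system:masters,CN=alice" || echo "alice asking for system:masters: refused"
```

Against a real cluster the admin replaces step 4 with `approve_if_safe "${k_user}"`. Refusing on anything unexpected rather than only on known-bad values is deliberate: a new attribute in a CSR is never something the approver wants to discover after the certificate is issued.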
#!/bin/bash
## Bind role to user
## Usage: $0 myuser
k_user=${1}
# Create role (cluster scoped) and the binding in one file
cat > ${k_user}-authorization.yaml <<EOF
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  # "namespace" omitted since ClusterRoles are not namespaced
  name: partial-reader
rules:
- apiGroups: [""]
  resources: ["pods", "nodes"]
  verbs: ["get", "watch", "list"]
# deployments live in the "apps" API group; listing them under "" grants nothing
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "watch", "list"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: ${k_user}-partial-read
subjects:
- kind: User
  name: ${k_user}
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: partial-reader
  apiGroup: rbac.authorization.k8s.io
EOF
# Deploy the role and the binding (apply, because the shared ClusterRole
# already exists after the script has been run for a first user)
kubectl apply -f ${k_user}-authorization.yaml
#!/bin/bash
## Bind an existing ClusterRole to a user
## Usage: $0 <myuser> <myrole>
## $0 abdennour view
k_user=${1}
k_role=${2}
# Only the binding is created here; the ClusterRole (e.g. the built-in "view")
# must already exist. A ClusterRoleBinding grants the role in every namespace;
# to limit it to one namespace, create a RoleBinding with "namespace:" set in
# metadata and the same roleRef instead.
cat > ${k_user}-authorization.yaml <<EOF
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  # named after user and role so bindings to different roles do not collide
  name: ${k_user}-${k_role}
subjects:
- kind: User
  name: ${k_user}
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: ${k_role}
  apiGroup: rbac.authorization.k8s.io
EOF
# Deploy the binding
kubectl create -f ${k_user}-authorization.yaml
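Both binding scripts above hand out a ClusterRoleBinding, which grants the role in every namespace, and neither checks afterwards what the user can actually do. The script below is an added example (not part of the original gist) covering both: it renders a namespaced RoleBinding to a ClusterRole (the least-privilege form of the second script), then verifies the effective permissions with `kubectl auth can-i --as=<user>` against a table of what should and should not be allowed, so a rule that silently grants nothing (like `deployments` under the core API group) or grants too much shows up before the kubeconfig is handed over. User `alice`, namespace `dev` and the expectation table are constructed for the example; `CAN_I` is an assumed hook so the verification logic can be exercised without a cluster.

```bash
#!/bin/bash
# Added example, not part of the original gist: bind the built-in "view"
# ClusterRole inside one namespace only, then verify the resulting access.

# render_rolebinding USER ROLE NAMESPACE -> RoleBinding manifest on stdout.
# roleRef still points at a ClusterRole, but the RoleBinding lives in NAMESPACE,
# so the grant stops at that namespace boundary.
render_rolebinding() {
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ${1}-${2}
  namespace: ${3}
subjects:
- kind: User
  name: ${1}
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: ${2}
  apiGroup: rbac.authorization.k8s.io
EOF
}

# Constructed expectation table for the "view" role: "verb resource yes|no".
# Denied rows matter as much as allowed ones: "view" deliberately excludes
# secrets and must not let the user extend their own permissions.
EXPECTED='get pods yes
list deployments.apps yes
delete pods no
create rolebindings.rbac.authorization.k8s.io no
get secrets no'

# can_i USER NAMESPACE VERB RESOURCE -> prints "yes" or "no" (real cluster query).
# kubectl exits 1 on "no"; "|| true" keeps the printed answer and swallows the exit code.
can_i() {
  kubectl auth can-i "$3" "$4" --as="$1" -n "$2" 2>/dev/null || true
}

# verify_access USER NAMESPACE -> 0 if every row of EXPECTED matches, 1 otherwise.
# CAN_I (assumed hook) names the query function; default is the real can_i above.
verify_access() {
  local user="$1" ns="$2" rc=0 verb res want got
  while read -r verb res want; do
    [ -n "$verb" ] || continue
    got=$("${CAN_I:-can_i}" "$user" "$ns" "$verb" "$res")
    if [ "$got" != "$want" ]; then
      echo "MISMATCH: $user $verb $res in $ns: wanted $want, got ${got:-<none>}" >&2
      rc=1
    fi
  done <<EOF
$EXPECTED
EOF
  return $rc
}

# Usage against a real cluster, run as the admin:
#   render_rolebinding alice view dev | kubectl apply -f -
#   verify_access alice dev && echo "alice has exactly the expected access in dev"
render_rolebinding alice view dev
```

`kubectl auth can-i --as` evaluates the request as the impersonated user, so the admin running it needs the `impersonate` verb on `users`; cluster-admin has it. Run the same table with `-n` set to another namespace and every row should come back `no`, which is the point of using a RoleBinding instead of the ClusterRoleBinding above.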
#!/bin/bash
# Usage: $0 myuser cluster_name
k_user=${1}
cluster=${2} # cluster name already defined in kubeconfig
# Add the new user to KUBECONFIG; --embed-certs inlines the certificate and key
# so the entry does not depend on the .crt/.pem files staying in place
kubectl --kubeconfig "$KUBECONFIG" config set-credentials "${k_user}" --client-certificate="${k_user}.crt" --client-key="${k_user}.pem" --embed-certs=true
# Add a context for that user
kubectl --kubeconfig "$KUBECONFIG" config set-context "${k_user}-${cluster}" --cluster="${cluster}" --user="${k_user}"
# Use the recently created context
kubectl --kubeconfig "$KUBECONFIG" config use-context "${k_user}-${cluster}"
# If $KUBECONFIG also holds admin credentials, do not hand the whole file over:
# "kubectl config view --minify --flatten" exports only the current context.
@abdennour (Author) commented:

I think this article is talking about the same topic.
