Add New Kubernetes User with Role binding
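#!/bin/bash
# Usage: $0 myuser
#
# Creates a client certificate for a new Kubernetes user through the
# certificates.k8s.io API. Writes <myuser>.pem (private key), <myuser>.csr,
# <myuser>-csr.yaml and <myuser>.crt (signed certificate) to the current
# directory. Requires openssl and a kubectl context that may create and
# approve CertificateSigningRequests (the approve step is an admin action).
set -euo pipefail

k_user=${1:-}
if [[ -z "$k_user" ]]; then
  printf 'Usage: %s myuser\n' "${0##*/}" >&2
  exit 2
fi

# Every file written below is part of the user's credential; create them
# readable by the current user only.
umask 077

#...
# 1. Step one: This new User generate a private key
openssl genrsa -out "${k_user}.pem" 2048
# ==> DO NOT SHARE THIS PRIVATE KEY with anyone as it acts like your password.
#     Kubernetes has no client-certificate revocation; a leaked key stays valid
#     until the certificate expires.
# 2. Step two: Generate the CSR ( certificate signing request ) :
#    CN becomes the Kubernetes username, each O= entry becomes a group that
#    RBAC bindings can reference. Adjust O= to the groups this user should get.
openssl req -new -key "${k_user}.pem" -out "${k_user}.csr" -subj "/CN=${k_user}/O=app1/O=app2"
# 3. Deploy the CSR request , namely "certificates.k8s.io" API :
# encode CSR as a single base64 line, as the API expects
ENCODED_CS=$(base64 < "${k_user}.csr" | tr -d '\n')
# NOTE: certificates.k8s.io/v1beta1 was removed in Kubernetes 1.22; the v1 API
# additionally requires spec.signerName (e.g. kubernetes.io/kube-apiserver-client).
cat > "${k_user}-csr.yaml" <<EOF
apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
metadata:
  name: ${k_user}
spec:
  groups:
  - system:authenticated
  request: ${ENCODED_CS}
  usages:
  - digital signature
  - key encipherment
  - client auth
EOF
# Send the request to the cluster
kubectl create -f "${k_user}-csr.yaml"
# 4. Your cluster's administrator must approve this CSR request.
#    Review the subject (CN and O= groups) before approving: approval is what
#    grants the identity.
kubectl certificate approve "${k_user}"
# 5. By Now the certificate should be signed. Your cluster's admin can download the new signed public key (crt) from the csr resource and deliver it to you.
#    Signing happens asynchronously after approval, so poll briefly for
#    .status.certificate instead of assuming it is already populated.
cert=
for _ in 1 2 3 4 5 6 7 8 9 10; do
  cert=$(kubectl get csr "${k_user}" -o jsonpath='{.status.certificate}')
  [[ -n "$cert" ]] && break
  sleep 1
done
if [[ -z "$cert" ]]; then
  printf 'CSR %s was approved but has no signed certificate yet; retry step 5 later\n' "$k_user" >&2
  exit 1
fi
# Decode with openssl rather than `base64 -D`/`-d`, whose flag differs between
# macOS and GNU coreutils; -A accepts the single-line input from jsonpath.
printf '%s' "$cert" | openssl base64 -d -A > "${k_user}.crt"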
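#!/bin/bash
# Usage: $0 myuser cluster_name
#
# Adds <myuser>'s client certificate as a credential in the kubeconfig,
# creates a context "<myuser>-<cluster_name>" for it and switches to that
# context. Expects <myuser>.crt and <myuser>.pem in the current directory
# (as produced by the CSR script).
set -euo pipefail

k_user=${1:-}
cluster=${2:-} # cluster name already defined in kubeconfig
if [[ -z "$k_user" || -z "$cluster" ]]; then
  printf 'Usage: %s myuser cluster_name\n' "${0##*/}" >&2
  exit 2
fi

# Fall back to kubectl's default location: with KUBECONFIG unset, a bare
# `--kubeconfig $KUBECONFIG` would expand to nothing and the flag would swallow
# the following "config" word. KUBECONFIG may also be a colon-separated list,
# while --kubeconfig takes exactly one file, so use its first entry.
kubeconfig=${KUBECONFIG:-$HOME/.kube/config}
kubeconfig=${kubeconfig%%:*}

for f in "${k_user}.crt" "${k_user}.pem"; do
  if [[ ! -f "$f" ]]; then
    printf 'missing %s in %s\n' "$f" "$PWD" >&2
    exit 1
  fi
done

# Add the new user to KUBECONFIG
# --embed-certs=true copies the private key into the kubeconfig file itself,
# so that file must be protected like the .pem from now on.
kubectl --kubeconfig "$kubeconfig" config set-credentials "$k_user" \
  --client-certificate="${k_user}.crt" --client-key="${k_user}.pem" --embed-certs=true
# Add context for that user
kubectl --kubeconfig "$kubeconfig" config set-context "${k_user}-${cluster}" \
  --cluster="$cluster" --user="$k_user"
# Use the recently created context
kubectl --kubeconfig "$kubeconfig" config use-context "${k_user}-${cluster}"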
I think this article is talking about the same topic.