Create a Kubernetes user with cfssl and the kubectl CertificateSigningRequest API (client-certificate authentication plus an RBAC binding)
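#!/usr/bin/env bash
#
# Create a Kubernetes user backed by a client certificate issued through the
# CertificateSigningRequest API, then bind that identity to a ClusterRole.
# Requires cfssl, cfssljson and a kubectl context allowed to create and
# approve CSRs and to create (cluster)rolebindings.
#
# Usage:
#   ./create-user.sh <kubernetes api host> <full name> <clusterrole>
#
# Optional environment:
#   NAMESPACE         when set, grant the ClusterRole through a RoleBinding in
#                     that namespace instead of a cluster-wide ClusterRoleBinding
#   CERT_TTL_SECONDS  requested certificate lifetime (spec.expirationSeconds,
#                     honoured by Kubernetes >= 1.22, minimum 600); the cluster's
#                     signer may still cap it
#
# Example:
#   ./create-user.sh k8s-api.my-domain.com "Jane Doe" my-project:admin
#
# Security notes:
#   * The private key is generated here, on the operator's machine, and then
#     handed to the user. Kubernetes has no certificate revocation, so whoever
#     holds client-key.pem keeps the user's access until the certificate
#     expires. Prefer a short CERT_TTL_SECONDS, deliver the key over a channel
#     that protects it, and delete the local copy afterwards. The stricter
#     variant is to let the user generate the key and send only the CSR.
#   * The identity Kubernetes sees is the certificate CN, i.e. <full name>;
#     the RBAC binding refers to exactly that string. The lower-cased, dotted
#     <username> is only used for Kubernetes object names.
#   * Without NAMESPACE the ClusterRole is granted cluster-wide, even when its
#     name (e.g. my-project:admin) suggests a single project.
set -euo pipefail

if [[ -z "${1:-}" ]]; then
  echo "Api host is mandatory" >&2
  exit 1
fi
if [[ -z "${2:-}" ]]; then
  echo "Fullname is mandatory" >&2
  exit 1
fi
if [[ -z "${3:-}" ]]; then
  echo "Cluster role is mandatory" >&2
  exit 1
fi

for tool in cfssl cfssljson kubectl; do
  if ! command -v "$tool" >/dev/null 2>&1; then
    echo "Required tool not found in PATH: ${tool}" >&2
    exit 1
  fi
done

api_host="$1"
fullname="$2"
cluster_role="$3"

# The full name is interpolated into a JSON and a YAML document below; refuse
# characters that would let it break out of the quoted string.
case "$fullname" in
  *[\"\\]*|*$'\n'*)
    echo "Fullname must not contain double quotes, backslashes or newlines" >&2
    exit 1
    ;;
esac

# Object name: every space becomes a dot (not only the first one, which left a
# space in the name for three-part names), lower-cased to fit a DNS-1123 name.
username="$(printf '%s' "${fullname// /.}" | tr '[:upper:]' '[:lower:]')"

scope="cluster-wide ClusterRoleBinding"
if [[ -n "${NAMESPACE:-}" ]]; then
  scope="RoleBinding in namespace ${NAMESPACE}"
fi

# An empty answer is a refusal, so the prompt advertises N as the default.
read -p "Create user ${fullname} (${username}) with cluster role ${cluster_role} (${scope})? [y/N] " -n 1 -r
echo
if [[ ! "$REPLY" =~ ^[Yy]$ ]]; then
  echo "Canceled."
  exit 1
fi

# Key material lands in the current directory; keep it unreadable to others.
umask 077

# Client-authentication CSR. Only the CN matters to Kubernetes (it becomes the
# user name). No "hosts" entry: this is a client identity, not a server
# certificate, and the API host name has no business in its SANs.
cfssl genkey - <<EOF | cfssljson -bare client
{
  "CN": "${fullname}",
  "key": {
    "algo": "ecdsa",
    "size": 256
  }
}
EOF

csr_b64="$(base64 < client.csr | tr -d '\n')"

ttl_line=""
if [[ -n "${CERT_TTL_SECONDS:-}" ]]; then
  ttl_line="  expirationSeconds: ${CERT_TTL_SECONDS}"
fi

# certificates.k8s.io/v1 (v1beta1 was removed in Kubernetes 1.22) needs an
# explicit signer; kubernetes.io/kube-apiserver-client is the one for kubectl
# users. spec.username / spec.groups are populated by the API server from the
# identity submitting this object (ours, not the new user's) and are ignored
# when supplied, so they are deliberately absent.
kubectl create -f - <<EOF
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: ${username}
spec:
  signerName: kubernetes.io/kube-apiserver-client
  request: ${csr_b64}
${ttl_line}
  usages:
  - digital signature
  - key encipherment
  - client auth
EOF

kubectl certificate approve "${username}"

# Approval only sets a condition; the controller-manager signs asynchronously,
# so poll for status.certificate instead of reading it once and possibly
# writing an empty client.pem.
cert_b64=""
for ((i = 0; i < 30; i++)); do
  cert_b64="$(kubectl get csr "${username}" -o jsonpath='{.status.certificate}')"
  if [[ -n "$cert_b64" ]]; then
    break
  fi
  sleep 1
done
if [[ -z "$cert_b64" ]]; then
  echo "Certificate for ${username} was not issued within 30s; inspect 'kubectl get csr ${username}'" >&2
  exit 1
fi
printf '%s' "$cert_b64" | base64 --decode > client.pem

# Bind the certificate identity (its CN) to the role. With NAMESPACE set the
# grant is confined to that namespace; otherwise it applies cluster-wide.
if [[ -n "${NAMESPACE:-}" ]]; then
  kubectl create rolebinding "${username}" --namespace="${NAMESPACE}" \
    --clusterrole="${cluster_role}" --user="${fullname}"
else
  kubectl create clusterrolebinding "${username}" \
    --clusterrole="${cluster_role}" --user="${fullname}"
fi

# The hand-off instructions refer to ca.pem, which nothing above produces.
# Export the CA of the current context when the kubeconfig carries it
# (--flatten also inlines a certificate-authority file reference).
ca_b64="$(kubectl config view --raw --flatten --minify \
  -o jsonpath='{.clusters[0].cluster.certificate-authority-data}')"
if [[ -n "$ca_b64" ]]; then
  printf '%s' "$ca_b64" | base64 --decode > ca.pem
else
  echo "WARNING: no certificate-authority-data in the current kubeconfig; supply ca.pem yourself" >&2
fi

cat <<EOF

-------------------------------------------------------------------------------
You can now share the instructions and the following files with the user, over
a channel that protects client-key.pem (it is the user's credential and cannot
be revoked before the certificate expires):
  * certificate authority - ca.pem
  * client certificate - client.pem
  * client key - client-key.pem
Delete the local copy of client-key.pem once it has been delivered.
Find below the information to get started with the cluster.
1. download the files
2. run the following commands to authenticate (credential and context names
   are local labels; the cluster identifies the user by the certificate CN
   "${fullname}")
  \$ kubectl config set-cluster development --server=https://${api_host} --certificate-authority=ca.pem --embed-certs=true
  \$ kubectl config set-credentials ${username} --client-certificate=client.pem --client-key=client-key.pem --embed-certs=true
  \$ kubectl config set-context dev --cluster=development --namespace=${NAMESPACE:-development} --user=${username}
  \$ kubectl config use-context dev
EOF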

avoidik commented Feb 4, 2020

# Point kubectl at a local minikube and authenticate with the admin client
# certificate minikube generated, then create a namespaced read-only role for
# pods and bind it to the user "user1".
kubectl config set-cluster minikube \
  --server=https://192.168.99.100:443 \
  --certificate-authority="$HOME/.minikube/ca.crt"
kubectl config set-credentials minikube \
  --client-certificate="$HOME/.minikube/kubecfg.crt" \
  --client-key="$HOME/.minikube/kubecfg.key"
kubectl config set-context minikube --cluster=minikube --user=minikube
kubectl config use-context minikube

# Least privilege: get/list/watch on pods in "default" only. A subject of
# kind User is matched against the certificate CN, so "user1" here must be
# exactly the CN of the certificate issued to that user.
kubectl apply -f - <<'EOF'
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: pod-reader
rules:
- apiGroups: [""] # the core API group
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-pods
  namespace: default
subjects:
- kind: User
  name: user1
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
EOF
kubectl get roles
kubectl get rolebindings

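# Issue a client certificate for "user1" by signing directly with minikube's
# CA key. Local testing only: this bypasses the CSR API (no approval step,
# no audit trail), and Kubernetes cannot revoke the result, so a 500-day
# lifetime means 500 days of access if user1.key leaks.
# In the subject, CN becomes the Kubernetes user name and O a group.
openssl genrsa -out user1.key 2048
# Straight ASCII quotes: the typographic quotes pasted here originally became
# part of the argument and produced a subject that does not start with "/".
openssl req -new -key user1.key -out user1.csr -subj "/CN=user1/O=group1"
openssl x509 -req -in user1.csr \
  -CA "$HOME/.minikube/ca.crt" -CAkey "$HOME/.minikube/ca.key" -CAcreateserial \
  -out user1.crt -days 500
kubectl config set-credentials user1 --client-certificate=user1.crt --client-key=user1.key
kubectl config set-context user1-context --cluster=minikube --user=user1
kubectl config view
kubectl config use-context user1-context
kubectl config current-context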


avoidik commented Feb 7, 2020

# Switch the default namespace of the active context to "blah" (same effect
# as --current, spelled out via the context name).
kubectl config set-context "$(kubectl config current-context)" --namespace=blah


avoidik commented Feb 9, 2020

# Pin the first port of Service blah/blah to nodePort 31111 with a JSON Patch
# (replace fails, rather than silently creating, if the path does not exist).
kubectl patch service blah \
  --namespace blah \
  --type json \
  -p '[{"op": "replace", "path": "/spec/ports/0/nodePort", "value":31111}]'
