Create Kubernetes user using kubectl csr and cfssl

create-user.sh

#!/bin/bash
#
# Create Kubernetes user. Require cfssl.
#
# Usage:
#   ./create-user.sh <kubernetes api host> <fulle name> <clusterrole>
#
# Example:
#   ./create-user.sh k8s-api.my-domain.com "Jane Doe" my-project:admin

set -e

if [ -z "$1" ]; then
  echo "Api host is mandatory"
  exit 1
fi

if [ -z "$2" ]; then
  echo "Fullname is mandatory"
  exit 1
fi

if [ -z "$3" ]; then
  echo "Cluster role is mandatory"
  exit 1
fi

api_host="$1"
fullname="$2"
cluster_role="$3"

username="$(echo ${fullname/ /.} | tr '[:upper:]' '[:lower:]')"

read -p "Create user ${fullname} (${username}) with cluster role ${cluster_role}? [Y/n]" -n 1 -r
echo

if [[ ! "$REPLY" =~ ^[Yy]$ ]]; then
  echo "Canceled."
  exit 1
fi

cat <<EOF | cfssl genkey - | cfssljson -bare client
{
  "hosts": [
    "${api_host}"
  ],
  "CN": "${fullname}",
  "key": {
    "algo": "ecdsa",
    "size": 256
  }
}
EOF

cat <<EOF | kubectl create -f -
apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
metadata:
  name: ${username}
spec:
  groups:
  - system:authenticated
  request: $(cat client.csr | base64 | tr -d '\n')
  usages:
  - digital signature
  - key encipherment
  - client auth
  username: ${fullname}
EOF

kubectl certificate approve "${username}"

kubectl get csr "${username}" -o jsonpath={.status.certificate} | base64 --decode > client.pem
kubectl create clusterrolebinding "${username}" --clusterrole=${cluster_role} --user="${fullname}"

echo "
-------------------------------------------------------------------------------

You can now share the instructions and the following files to the user:

* certificate authority - ca.pem
* client certificate - client.pem
* client key - client-key.pem

Find below the informations to get started with the development cluster.

1. download certificates
2. run the following command to authenticate

  $ kubectl config set-cluster development --server=https://${api_host} --certificate-authority=ca.pem --embed-certs=true
  $ kubectl config set-credentials development --client-certificate=client.pem --client-key=client-key.pem --embed-certs=true
  $ kubectl config set-context dev --cluster=development --namespace=development --user=janedoe
  $ kubectl config use-context dev
"

kubectl config set-cluster minikube --server=https://192.168.99.100:443 --certificate-authority=$HOME/.minikube/ca.crt
kubectl config set-context minikube --cluster=minikube --user=minikube
kubectl config set-credentials minikube --client-certificate=$HOME/.minikube/kubecfg.crt --client-key=$HOME/.minikube/kubecfg.key
kubectl config use-context minikube

cat <<'EOF' | kubectl apply -f -
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: pod-reader
rules:
- apiGroups: [""] # the core API group
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-pods
  namespace: default
subjects:
- kind: User
  name: user1
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
EOF
kubectl get roles
kubectl get rolebindings

openssl genrsa -out user1.key 2048
openssl req -new -key user1.key -out user1.csr -subj “/CN=user1/O=group1”
openssl x509 -req -in user1.csr -CA ~/.minikube/ca.crt -CAkey ~/.minikube/ca.key -CAcreateserial -out user1.crt -days 500
kubectl config set-credentials user1 --client-certificate=user1.crt --client-key=user1.key
kubectl config set-context user1-context --cluster=minikube --user=user1
kubectl config view
kubectl config use-context user1-context
kubectl config current-context

https://github.com/cloudflare/cfssl/wiki/Creating-a-new-CSR
https://scriptcrunch.com/create-ca-tls-ssl-certificates-keys/

kubectl config set-context --current --namespace=blah

kubectl patch service blah -n blah --type='json' --patch='[{"op": "replace", "path": "/spec/ports/0/nodePort", "value":31111}]'

https://lingxiankong.github.io/2018-09-18-kubelet-bootstrap-process.html