@carolynvs
Last active January 11, 2021 14:13
Create a service account and a dedicated namespace for it. Grant admin on the namespace, plus cluster-wide access to CRDs and RBAC, and write a kubeconfig for the account.
#!/bin/bash
set -eo pipefail
# Based on https://computingforgeeks.com/restrict-kubernetes-service-account-users-to-a-namespace-with-rbac/

if [[ -z "${1:-}" ]]; then
  echo "usage: create-user-namespace.sh USERNAME"
  exit 1
fi

NAMESPACE=$1
K8S_USER=$1

# Note: -x echoes every command, including the one that reads the token, so
# the token ends up in the terminal output (and in any log of this session).
set -xu

# Create user and namespace
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Namespace
metadata:
  name: ${NAMESPACE}
EOF

cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ${K8S_USER}
  namespace: ${NAMESPACE}
EOF

# Give user access to CRDs and RBAC.
# Caveat: "*" verbs on every rbac.authorization.k8s.io resource, cluster-wide,
# include escalate and bind, so this account may create a ClusterRoleBinding
# to cluster-admin for itself. The effective grant is therefore cluster-admin,
# not just namespace admin; drop or narrow the rbac rule if that is not intended.
cat <<EOF | kubectl apply -f -
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: ${K8S_USER}-cluster-dev
rules:
- apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  verbs:
  - "*"
- apiGroups:
  - rbac.authorization.k8s.io
  - authorization.k8s.io
  resources:
  - '*'
  verbs:
  - '*'
- apiGroups:
  - ""
  resources:
  - serviceaccounts
  verbs:
  - '*'
EOF

# Full admin inside the dedicated namespace only
cat <<EOF | kubectl apply -f -
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: admin
  namespace: ${NAMESPACE}
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["*"]
EOF

cat <<EOF | kubectl apply -f -
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: ${K8S_USER}-admin
  namespace: ${NAMESPACE}
subjects:
- kind: ServiceAccount
  name: ${K8S_USER}
  namespace: ${NAMESPACE}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: admin
EOF

cat <<EOF | kubectl apply -f -
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: ${K8S_USER}-cluster-dev
subjects:
- kind: ServiceAccount
  name: ${K8S_USER}
  namespace: ${NAMESPACE}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ${K8S_USER}-cluster-dev
EOF

# Cluster details from the current kubeconfig context
K8S_NAME=$(kubectl config view --minify -o=jsonpath='{.clusters[0].name}')
K8S_ADDRESS=$(kubectl config view --minify -o=jsonpath='{.clusters[0].cluster.server}')
K8S_CERT=$(kubectl config view --minify --raw=true -o=jsonpath='{.clusters[0].cluster.certificate-authority-data}')

# Find the token secret the control plane generated for the service account.
# Kubernetes 1.24+ no longer creates these automatically; there, request a
# token with `kubectl -n "${NAMESPACE}" create token "${K8S_USER}"` instead.
K8S_SECRET=$(kubectl -n "${NAMESPACE}" get serviceaccount "${K8S_USER}" -o jsonpath='{.secrets[0].name}')
if [[ -z "${K8S_SECRET}" ]]; then
  echo "no token secret found for service account ${K8S_USER} in ${NAMESPACE}" >&2
  exit 1
fi
K8S_TOKEN=$(kubectl -n "${NAMESPACE}" describe secret "${K8S_SECRET}" | grep 'token:' | awk '{print $2}')

# Write a kubeconfig for the service account. It authenticates with the token
# only; the original also set client-key-data to the CA certificate, which is
# not a client key and was dropped.
cat <<EOF > "${K8S_USER}-kube.config"
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: ${K8S_CERT}
    server: ${K8S_ADDRESS}
  name: ${K8S_NAME}
contexts:
- context:
    cluster: ${K8S_NAME}
    namespace: ${NAMESPACE}
    user: ${K8S_USER}
  name: ${K8S_NAME}-${K8S_USER}
current-context: ${K8S_NAME}-${K8S_USER}
kind: Config
preferences: {}
users:
- name: ${K8S_USER}
  user:
    token: ${K8S_TOKEN}
EOF

echo "Run the following to run as the user:"
echo "export KUBECONFIG=${PWD}/${K8S_USER}-kube.config"
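The ClusterRole the script applies grants `*` verbs on every RBAC resource cluster-wide, which is an escalation path rather than namespace admin. As an added check that is not part of the gist, the Python below statically reviews a ClusterRole's `rules:` list (given as plain dicts, as yaml.safe_load would produce) and reports such grants; the two rule sets are constructed copies of the gist's ClusterRole and a tightened variant.

```python
# Added example (not part of the gist): a static review of ClusterRole rules,
# flagging grants that reach beyond the single namespace the gist description
# promises. Input is the `rules:` list as plain dicts (yaml.safe_load output).
RBAC_GROUP = "rbac.authorization.k8s.io"
# Holding these verbs on RBAC objects lets a subject hand out permissions it
# does not itself have; without them the API server refuses the escalation.
ESCALATION_VERBS = {"*", "escalate", "bind"}
WRITE_VERBS = {"*", "create", "update", "patch"}


def _grants(listed, wanted):
    """True if a rule's apiGroups/resources list covers `wanted`."""
    return "*" in listed or wanted in listed


def cluster_role_findings(rules):
    """Return one finding string per rule that opens a cluster-wide
    escalation path; an empty list means none were found."""
    findings = []
    for i, rule in enumerate(rules):
        groups = rule.get("apiGroups", [])
        resources = rule.get("resources", [])
        verbs = set(rule.get("verbs", []))
        rbac_objects = (_grants(resources, "clusterroles")
                        or _grants(resources, "clusterrolebindings"))
        if _grants(groups, RBAC_GROUP) and rbac_objects and verbs & ESCALATION_VERBS:
            findings.append(f"rule {i}: escalate/bind on cluster RBAC objects, "
                            "the subject can bind itself to cluster-admin")
        if (_grants(groups, "") and _grants(resources, "serviceaccounts")
                and verbs & WRITE_VERBS):
            findings.append(f"rule {i}: can create service accounts in every namespace")
    return findings


# Constructed copy of the rules in the gist's ClusterRole.
GIST_CLUSTER_DEV_RULES = [
    {"apiGroups": ["apiextensions.k8s.io"],
     "resources": ["customresourcedefinitions"], "verbs": ["*"]},
    {"apiGroups": [RBAC_GROUP, "authorization.k8s.io"],
     "resources": ["*"], "verbs": ["*"]},
    {"apiGroups": [""], "resources": ["serviceaccounts"], "verbs": ["*"]},
]
# Tightened variant: keep only the CRD grant cluster-wide and leave RBAC and
# service account rights to the namespace-scoped Role/RoleBinding.
TIGHTENED_CLUSTER_DEV_RULES = GIST_CLUSTER_DEV_RULES[:1]

if __name__ == "__main__":
    for name, rules in (("gist", GIST_CLUSTER_DEV_RULES),
                        ("tightened", TIGHTENED_CLUSTER_DEV_RULES)):
        print(name, cluster_role_findings(rules) or ["no escalation paths"])
```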