Created
October 19, 2023 16:02
-
-
Save chadmcrowell/ba68f08916257e6d81138885da6141e0 to your computer and use it in GitHub Desktop.
Dallas Kubernetes Workshop - Create New User
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # perform the commands from the following lab environment: | |
| # https://studyk8s.club/cka-new-user | |
| # view the config | |
| k config-view | |
| cat ~/.kube/config | |
| echo $KUBECONFIG | |
| cat /etc/kubernetes/admin.conf | |
| # list the cluster users | |
| # optional: k config -h | |
| k config get-users | |
| # get your current context | |
| k config current-context | |
| # create new namespace | |
| k create ns web | |
| # create a new role that allows list and get verbs on pods | |
| k -n web create role pod-reader --verb=get,list --resource=pods | |
| # create a new role binding that will bind the role 'pod-reader' to a new user named 'carlton' | |
| k -n web create rolebinding pod-reader-binding --role=pod-reader --user=carlton | |
| # create a pod in the web namespace | |
| k -n web run pod1 --image=nginx | |
| # using openssl generate a new private key for new user 'carlton' | |
| openssl genrsa -out carlton.key 2048 | |
| # using openssl, create a new certificate signing request with 'carlton' in the common name | |
| openssl req -new -key carlton.key -subj "/CN=carlton" -out carlton.csr | |
| # base64 encode the csr and store it in an environment variable | |
| export REQUEST=$(cat carlton.csr | base64 -w 0) | |
| # submit the request to Kubernetes CA to authenticate to the cluster | |
| cat <<EOF | kubectl apply -f - | |
| apiVersion: certificates.k8s.io/v1 | |
| kind: CertificateSigningRequest | |
| metadata: | |
| name: carlton | |
| spec: | |
| groups: | |
| - system:authenticated | |
| request: $REQUEST | |
| signerName: kubernetes.io/kube-apiserver-client | |
| usages: | |
| - client auth | |
| EOF | |
| # get the csr | |
| k get csr | |
| # approve the Kubernets CSR resource | |
| k certificate approve carlton | |
| # get the csr again, to see it's been approved | |
| k get csr | |
| # extract the certificate from the csr resource | |
| k get csr carlton -o jsonpath='{.status.certificate}' | base64 -d > carlton.crt | |
| # set the credentials, and add the user to your current config | |
| k config set-credentials carlton --client-key=carlton.key --client-certificate=carlton.crt --embed-certs | |
| # view the config | |
| k config view | |
| # set your context as user 'carlton' | |
| k config set-context carlton --user=carlton --cluster=kubernetes | |
| # use context and assume user | |
| k config use-context carlton | |
| # verify if carlton can view and list pods | |
| k -n web get po | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment