RBAC Notes

kops cluster config (the kubeAPIServer section of the cluster spec):

```yaml
kubeAPIServer:
  authorizationMode: RBAC
  authorizationRbacSuperUser: admin
  # the API server validates dex's TLS cert against the cluster CA,
  # so the dex serving cert issued below is signed with that same CA
  oidcCAFile: /srv/kubernetes/ca.crt
  oidcClientID: example
  oidcGroupsClaim: groups
  oidcIssuerURL: https://dex.example.com
  oidcUsernameClaim: email
  runtimeConfig:
    rbac.authorization.k8s.io/v1alpha1: "true"
```
Issue a TLS cert for dex signed by the cluster CA, and create the dex TLS secret:

```sh
export BUCKET=example.com
# AWS_DEFAULT_REGION and CLUSTER_NAME must already be set (same names kops uses)

mkdir -p ssl

# Load the CA from the kops state bucket.
# NOTE: this also copies the cluster CA *private key* to ssl/ca-key.pem;
# keep it off shared disks and delete it once the dex cert is issued.
ca_cert_path=$(aws s3 --region "${AWS_DEFAULT_REGION}" ls --recursive "${BUCKET}/${CLUSTER_NAME}/pki/issued/ca/" | awk '{ print $4 }')
ca_key_path=$(aws s3 --region "${AWS_DEFAULT_REGION}" ls --recursive "${BUCKET}/${CLUSTER_NAME}/pki/private/ca/" | awk '{ print $4 }')

aws s3 cp "s3://${BUCKET}/${ca_cert_path}" ssl/ca.pem
aws s3 cp "s3://${BUCKET}/${ca_key_path}" ssl/ca-key.pem

# OpenSSL request config: a leaf (non-CA) cert with a SAN for the dex hostname
cat << EOF > ssl/req.cnf
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name

[req_distinguished_name]

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = dex.example.com
EOF

# key, CSR, then sign the CSR with the cluster CA (SAN comes from the -extfile)
openssl genrsa -out ssl/key.pem 2048
openssl req -new -key ssl/key.pem -out ssl/csr.pem -subj "/CN=dex.example.com" -config ssl/req.cnf
openssl x509 -req -in ssl/csr.pem -CA ssl/ca.pem -CAkey ssl/ca-key.pem -CAcreateserial -out ssl/cert.pem -days 1024 -extensions v3_req -extfile ssl/req.cnf

# TLS secret referenced by the dex deployment
kubectl create secret tls dex.example.com.tls \
  --cert=ssl/cert.pem \
  --key=ssl/key.pem

# download and edit the yaml from the manifest below (issuer URL, client id,
# TLS secret name) before creating it
kubectl create -f https://raw.githubusercontent.com/coreos/dex/master/examples/k8s/dex.yaml

# you need https://github.com/coreos/dex/tree/master/cmd/example-app to get your token from dex
# also, once that's done, you still need to give all your components the correct clusterbindings
# https://github.com/kubernetes/kubernetes/tree/master/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata
# but for the rolebindings, the issue is that most of those service accounts don't exist
```
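To make the link between the kops OIDC flags above and the bindings that still have to be written explicit, here is an added example (not part of the gist, and not kube-apiserver's or dex's code). It derives the Kubernetes user and groups from already-verified ID-token claims the way the API server's OIDC authenticator does under `oidcUsernameClaim: email` / `oidcGroupsClaim: groups` (issuer and audience must match the configured values), builds `ClusterRoleBinding` manifests for User/Group subjects, and evaluates which ClusterRoles a given identity is granted. The function names (`identity_from_claims`, `cluster_role_binding`, `cluster_roles_for`), the sample claims and the sample bindings are all constructed for the example; the issuer URL and client id are the ones from the config above.

```python
import json
from dataclasses import dataclass

# Values taken from the kops config above.
ISSUER = "https://dex.example.com"
CLIENT_ID = "example"
USERNAME_CLAIM = "email"
GROUPS_CLAIM = "groups"


@dataclass(frozen=True)
class KubeIdentity:
    user: str
    groups: frozenset


def identity_from_claims(claims, issuer=ISSUER, client_id=CLIENT_ID,
                         username_claim=USERNAME_CLAIM, groups_claim=GROUPS_CLAIM):
    """Derive the Kubernetes user/groups from verified ID-token claims as
    kube-apiserver's OIDC authenticator does: iss must equal oidcIssuerURL,
    aud must contain oidcClientID, the username claim must be a non-empty
    string and the groups claim (if present) a list of strings.  Signature
    and expiry checks against the issuer's JWKS are assumed done already."""
    if claims.get("iss") != issuer:
        raise ValueError("iss does not match oidcIssuerURL")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        raise ValueError("aud does not contain oidcClientID")
    user = claims.get(username_claim)
    if not isinstance(user, str) or not user:
        raise ValueError(f"{username_claim} claim missing")
    # When the username comes from "email", kube-apiserver rejects a token
    # that carries email_verified: false.
    if username_claim == "email" and claims.get("email_verified") is False:
        raise ValueError("email not verified by the issuer")
    groups = claims.get(groups_claim, [])
    if isinstance(groups, str):
        groups = [groups]
    if not all(isinstance(g, str) for g in groups):
        raise ValueError(f"{groups_claim} claim must be a list of strings")
    return KubeIdentity(user=user, groups=frozenset(groups))


def cluster_role_binding(name, cluster_role, subject_kind, subject_name):
    """Build a rbac.authorization.k8s.io/v1 ClusterRoleBinding manifest (as a
    dict; serialise with json or yaml) binding one User or Group subject."""
    if subject_kind not in ("User", "Group"):
        raise ValueError("subject kind must be User or Group")
    return {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "ClusterRoleBinding",
        "metadata": {"name": name},
        "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                    "kind": "ClusterRole", "name": cluster_role},
        "subjects": [{"apiGroup": "rbac.authorization.k8s.io",
                      "kind": subject_kind, "name": subject_name}],
    }


def cluster_roles_for(identity, bindings):
    """ClusterRole names the bindings grant this identity, matched the way
    RBAC matches subjects: exact user name, or membership of a named group."""
    granted = set()
    for b in bindings:
        for s in b["subjects"]:
            if (s["kind"] == "User" and s["name"] == identity.user) or \
               (s["kind"] == "Group" and s["name"] in identity.groups):
                granted.add(b["roleRef"]["name"])
    return granted


# Constructed token claims for the example (not a real dex token).
SAMPLE_CLAIMS = {
    "iss": ISSUER, "aud": CLIENT_ID, "sub": "constructed-subject",
    "email": "alice@example.com", "email_verified": True,
    "groups": ["platform-admins", "developers"],
}
# Constructed bindings: a group mapped to cluster-admin, another to view,
# and one individual user mapped to view.
SAMPLE_BINDINGS = [
    cluster_role_binding("platform-admins", "cluster-admin", "Group", "platform-admins"),
    cluster_role_binding("developers-view", "view", "Group", "developers"),
    cluster_role_binding("bob-view", "view", "User", "bob@example.com"),
]

if __name__ == "__main__":
    ident = identity_from_claims(SAMPLE_CLAIMS)
    print(ident, sorted(cluster_roles_for(ident, SAMPLE_BINDINGS)))
    print(json.dumps(SAMPLE_BINDINGS[0], indent=2))
```

The printed manifest can be saved and applied with `kubectl apply -f`; binding groups rather than individual e-mail addresses keeps the bindings stable as people join and leave the group in the identity provider, and `cluster_roles_for` is a quick way to check what a given token's claims would actually be granted before handing out `cluster-admin`.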

liggitt commented Apr 22, 2017

Starting the controller manager with --use-service-accounts (in 1.6) provisions and uses the bound service accounts for controller loops


StevenACoffman commented Aug 14, 2017

Currently combining this gist and using k8s-oidc-helper to help get values for authenticating with google accounts. A few more bits to iron out, but thought I'd mention for others.
