RBAC Notes

kops cluster config

  authorizationMode: RBAC
  authorizationRbacSuperUser: admin
  oidcCAFile: /srv/kubernetes/ca.crt
  oidcClientID: example
  oidcGroupsClaim: groups
  oidcUsernameClaim: email
  runtimeConfig: "true"

mkdir -p ssl

# Load the CA from the KOPS bucket:
ca_cert_path=`aws s3 --region ${AWS_DEFAULT_REGION} ls --recursive ${BUCKET}/${CLUSTER_NAME}/pki/issued/ca/|awk '{ print $4 }'`
ca_key_path=`aws s3 --region ${AWS_DEFAULT_REGION} ls --recursive ${BUCKET}/${CLUSTER_NAME}/pki/private/ca/|awk '{ print $4 }'`

aws s3 cp s3://${BUCKET}/$ca_cert_path ssl/ca.pem
aws s3 cp s3://${BUCKET}/$ca_key_path ssl/ca-key.pem

cat << EOF > ssl/req.cnf
[ req ]
req_extensions = v3_req
distinguished_name = req_distinguished_name

[ req_distinguished_name ]

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[ alt_names ]
# the hostname dex is served on goes here
DNS.1 =
EOF

openssl genrsa -out ssl/key.pem 2048
openssl req -new -key ssl/key.pem -out ssl/csr.pem -subj "/" -config ssl/req.cnf
openssl x509 -req -in ssl/csr.pem -CA ssl/ca.pem -CAkey ssl/ca-key.pem -CAcreateserial -out ssl/cert.pem -days 1024 -extensions v3_req -extfile ssl/req.cnf

# secret name not recorded in the gist; --key path assumes the ssl/ directory above was moved under apps/dex/
kubectl create secret tls <dex-tls-secret-name> \
  --cert=apps/dex/ssl/cert.pem \
  --key=apps/dex/ssl/key.pem

#edit the yaml from the below manifest
kubectl create -

# you need to get your token from dex
# also, once that's done, you still need to give all your components the correct ClusterRoleBindings
# but for the RoleBindings, the issue is that most of those service accounts don't exist
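Added example, not part of the gist: a POSIX sh version of the cert steps above that writes a complete req.cnf (the gist's stops at "DNS.1 =") and verifies what it issued against the cluster CA before it goes into a Secret. It assumes openssl is installed and a directory already holding ca.pem and ca-key.pem copied from the kops bucket; make_req_cnf and issue_cert are names chosen here, and extendedKeyUsage, the CN and the 365-day lifetime are additions, not the gist's values.

```shell
#!/bin/sh
# Added example, not from the gist: build a complete req.cnf, then issue the
# dex serving cert with the kops cluster CA and verify the result.
set -eu

# make_req_cnf HOST... prints an OpenSSL request config whose SAN lists every
# HOST. Go TLS clients (kube-apiserver, dex) match hostnames against SANs,
# not the CN, so [alt_names] must not be left empty as in the gist.
make_req_cnf() {
    [ $# -ge 1 ] || { echo "usage: make_req_cnf host [host...]" >&2; return 1; }
    cat <<'HDR'
[ req ]
req_extensions = v3_req
distinguished_name = req_distinguished_name

[ req_distinguished_name ]

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[ alt_names ]
HDR
    i=1
    for host in "$@"; do
        echo "DNS.$i = $host"
        i=$((i + 1))
    done
}

# issue_cert DIR HOST... expects DIR/ca.pem and DIR/ca-key.pem (the S3 copies)
# and writes DIR/key.pem, DIR/csr.pem, DIR/cert.pem. First HOST becomes the CN.
issue_cert() {
    dir=$1; shift
    make_req_cnf "$@" > "$dir/req.cnf"
    openssl genrsa -out "$dir/key.pem" 2048 2>/dev/null
    openssl req -new -key "$dir/key.pem" -out "$dir/csr.pem" \
        -subj "/CN=$1" -config "$dir/req.cnf"
    openssl x509 -req -in "$dir/csr.pem" -CA "$dir/ca.pem" -CAkey "$dir/ca-key.pem" \
        -CAcreateserial -out "$dir/cert.pem" -days 365 -extensions v3_req -extfile "$dir/req.cnf"
    # Checks before the cert goes into a Secret: it must chain to the cluster
    # CA, carry the SAN, and not itself be a CA (v3_req sets CA:FALSE).
    openssl verify -CAfile "$dir/ca.pem" "$dir/cert.pem" >/dev/null
    openssl x509 -in "$dir/cert.pem" -noout -text | grep -q "DNS:$1"
    if openssl x509 -in "$dir/cert.pem" -noout -text | grep -q "CA:TRUE"; then
        echo "refusing: leaf cert is marked as a CA" >&2; return 1
    fi
}
```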

liggitt commented Apr 22, 2017

Starting the controller manager with --use-service-accounts (in 1.6) provisions and uses the bound service accounts for controller loops


StevenACoffman commented Aug 14, 2017

Currently combining this gist and using k8s-oidc-helper to help get values for authenticating with google accounts. A few more bits to iron out, but thought I'd mention for others.
