@harshal-shah
Last active May 25, 2018 05:12
ReadOnly user for k8s 1.8 and over

Steps for RO user

Generate RSA key

openssl genrsa -out ./kops_ro.key 2048

export CLIENT_KEY_PATH=${PWD}/kops_ro.key
export CLIENT_CSR_PATH=${PWD}/kops_ro.csr
export NAME=kops-qa

Generate CSR

openssl req -new \
  -key $CLIENT_KEY_PATH \
  -out $CLIENT_CSR_PATH \
  -subj "/CN=$NAME/O=system:authenticated"

Submit CSR object

apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
metadata:
  name: kops-qa-ro
spec:
  groups:
  - system:authenticated
  # request is the CSR PEM base64-encoded on a single line: cat kops_ro.csr | base64 | tr -d '\n'
  request: {{BASE64_ENCODED_CSR - output of the command in the comment above}}
  usages:
  - digital signature
  - key encipherment
  - client auth

Apply the CSR object (saved to a file): kubectl apply -f /home/dev/k8s-ro/csr_object.yaml

Approve CSR

kubectl certificate approve kops-qa-ro

Get approved client certificate

kubectl get csr kops-qa-ro -o jsonpath='{.status.certificate}' | base64 --decode > approved_kops_ro.crt

Generate kubeconfig with new cert and private key

apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: {{BASE64_ENCODED_CA - can be taken from admin's kubeconfig}}
    server: {{API SERVER URL - can be taken from admin's kubeconfig}}
  name: {{NAME OF CLUSTER - can be taken from admin's kubeconfig}}
contexts:
- context:
    cluster: {{NAME OF CLUSTER - can be taken from admin's kubeconfig}}
    namespace: default
    user: {{USERNAME as created for CSR}}
  name: default
current-context: default
kind: Config
preferences: {}
users:
- name: {{USERNAME as created for CSR}}
  user:
    as-user-extra: {}
    client-certificate-data: {{BASE64_ENCODED_Approved_Cert}}
    client-key-data: {{BASE64_ENCODED_Private_Key}}

Give read only privileges to the user

Bind default clusterrole view to the user

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kops-read-only
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: view
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: kops-qa
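The three manifests above (the CSR object, the user's kubeconfig and the ClusterRoleBinding) share one mechanical step that is easy to get wrong by hand: every PEM blob must be base64-encoded on a single line, and the new kubeconfig must carry only the cluster's CA and API server address from the admin kubeconfig, never the admin's own credentials. The following helper is an added example, not part of the gist; it assembles all three objects as JSON (which kubectl accepts anywhere it accepts YAML) from PEM bytes and an admin kubeconfig parsed into a dict. The function names, the SAMPLE_ADMIN_KUBECONFIG stand-in and its cluster name and server URL are constructed for the example.

```python
"""Assemble the read-only user's Kubernetes objects from PEM inputs.

Hypothetical helper written for this example; it is not the gist's code.
"""
import base64
import json
from typing import Optional

# Constructed stand-in for an admin kubeconfig. In real use, load the
# administrator's kubeconfig (yaml.safe_load or kubectl config view -o json).
SAMPLE_ADMIN_KUBECONFIG = {
    "apiVersion": "v1",
    "kind": "Config",
    "clusters": [{
        "name": "example-cluster",
        "cluster": {
            "server": "https://api.example.invalid",
            "certificate-authority-data": base64.b64encode(
                b"-----BEGIN CERTIFICATE-----\nFAKE-CA\n-----END CERTIFICATE-----\n"
            ).decode("ascii"),
        },
    }],
    "contexts": [{"name": "admin", "context": {"cluster": "example-cluster", "user": "admin"}}],
    "current-context": "admin",
    # Admin credential that must NOT be copied into the read-only kubeconfig.
    "users": [{"name": "admin", "user": {"token": "ADMIN-TOKEN-NOT-FOR-COPYING"}}],
}


def b64_oneline(data: bytes) -> str:
    """base64 without line breaks, which is what the CSR 'request' field and
    the kubeconfig *-data fields require (equivalent to base64 | tr -d '\\n')."""
    return base64.b64encode(data).decode("ascii")


def build_csr_object(csr_name: str, csr_pem: bytes) -> dict:
    """CertificateSigningRequest restricted to client-auth usages, as in the gist."""
    return {
        "apiVersion": "certificates.k8s.io/v1beta1",
        "kind": "CertificateSigningRequest",
        "metadata": {"name": csr_name},
        "spec": {
            "groups": ["system:authenticated"],
            "request": b64_oneline(csr_pem),
            "usages": ["digital signature", "key encipherment", "client auth"],
        },
    }


def build_kubeconfig(admin_cfg: dict, username: str, cert_pem: bytes, key_pem: bytes,
                     cluster_name: Optional[str] = None, namespace: str = "default") -> dict:
    """Kubeconfig for the new user. Only the cluster entry (CA data and server)
    is taken from the admin config; the admin's user entry is never copied."""
    clusters = admin_cfg["clusters"]
    if cluster_name is None:
        cluster_name = clusters[0]["name"]
    cluster = next(c for c in clusters if c["name"] == cluster_name)["cluster"]
    return {
        "apiVersion": "v1",
        "kind": "Config",
        "preferences": {},
        "clusters": [{"name": cluster_name, "cluster": {
            "certificate-authority-data": cluster["certificate-authority-data"],
            "server": cluster["server"]}}],
        "contexts": [{"name": "default", "context": {
            "cluster": cluster_name, "namespace": namespace, "user": username}}],
        "current-context": "default",
        "users": [{"name": username, "user": {
            "client-certificate-data": b64_oneline(cert_pem),
            "client-key-data": b64_oneline(key_pem)}}],
    }


def build_view_binding(username: str, binding_name: str) -> dict:
    """ClusterRoleBinding of the built-in 'view' ClusterRole to the user.
    The subject name must equal the CN used in the CSR, or the binding is inert."""
    return {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "ClusterRoleBinding",
        "metadata": {"name": binding_name},
        "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "view"},
        "subjects": [{"apiGroup": "rbac.authorization.k8s.io", "kind": "User", "name": username}],
    }


def to_manifest(obj: dict) -> str:
    """Serialize for 'kubectl apply -f'; JSON is valid YAML, so no extra dependency."""
    return json.dumps(obj, indent=2)


if __name__ == "__main__":
    # Constructed PEM placeholders; real inputs are the files from the openssl steps.
    csr_pem = b"-----BEGIN CERTIFICATE REQUEST-----\nFAKE\n-----END CERTIFICATE REQUEST-----\n"
    cert_pem = b"-----BEGIN CERTIFICATE-----\nFAKE\n-----END CERTIFICATE-----\n"
    key_pem = b"-----BEGIN RSA PRIVATE KEY-----\nFAKE\n-----END RSA PRIVATE KEY-----\n"
    print(to_manifest(build_csr_object("kops-qa-ro", csr_pem)))
    print(to_manifest(build_kubeconfig(SAMPLE_ADMIN_KUBECONFIG, "kops-qa", cert_pem, key_pem)))
    print(to_manifest(build_view_binding("kops-qa", "kops-read-only")))
```

After applying the generated CSR object and binding, `kubectl auth can-i get pods --as kops-qa` and `kubectl auth can-i create pods --as kops-qa` confirm from the admin context that the user really is read-only (the second should answer no) before the kubeconfig is handed out.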