openssl genrsa -out ./kops_ro.key 2048
export CLIENT_KEY_PATH=${PWD}/kops_ro.key
export CLIENT_CSR_PATH=${PWD}/kops_ro.csr
export NAME=kops-qa
openssl req -new \
-key $CLIENT_KEY_PATH \
-out $CLIENT_CSR_PATH \
-subj "/CN=$NAME/O=system:authenticated"
apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
metadata:
name: kops-qa-ro
spec:
groups:
- system:authenticated
#request: $(cat kops_ro.csr | base64 | tr -d '\n')
request: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0KTUlJQ2RqQ0NBVjRDQVFBd01URVFNQTRHQTFVRUF3d0hhMjl3Y3kxeFlURWRNQnNHQTFVRUNnd1VjM2x6ZEdWdApPbUYxZEdobGJuUnBZMkYwWldRd2dnRWlNQTBHQ1NxR1NJYjNEUUVCQVFVQUE0SUJEd0F3Z2dFS0FvSUJBUURTCitFU1NMaVhDK0s4dXk3dXp0QWNlZ2wrSzRocXFMT2NvTUEzbzR1UmM2ZzJlUHhNcDc2VnlYcUxHNkNVZWtKR0MKeWtpbkxiUG9XM2lpWlc0OTdaZjR0UkJIR3RVU2wxQjRwcWdadjFJc0xiSnEwc1MwNURoeDlMUHFrTUl6eCtuMgpMa2xLd25jYUwvRFV1QmdJRjJpak1SNERLQVZqWGlUR1I3dnRuaFJneC9oNkRmR1dKNmVZdms1Zk5PLzYxNjA3CnJENTMrdzBrUTlmdUowbnRIbkFwYWVjalluUlJVeXluZm5wNnNTN3ZrUTJ1NGlQS0dqSEk0OS90UzljcWpiWk0KbUQ3eTlDYVdTVGNtNDBvdXRVOVpLN2tIRlJEMDI0YWdOejN2RzFkKzk0SSthaFdHRkk4NWIwNGc4djVPaFZySApTQnRnUlFFU0c5cjViQkdKVDM4OUFnTUJBQUdnQURBTkJna3Foa2lHOXcwQkFRc0ZBQU9DQVFFQVBhSVJDUUUyCkY4cWxTNVZmeWZvM2J1dno0a3VuNlFPMGVyalRQTGl5N01BdUZ5cGhoM2p3YnNqOXp2eXh0aEIzM3RPVEpMcWwKS3g3YmUwZmNkVlcyQ2F4cDQxN2F0MDhCbExORllDQk1hM21mRUV2aWkxZnZiZTJlYkRjUHdxSWpyVFp0eDZMOAppT1pvVHM2Wm02ODN6UHh4eXZ6d1g4TGpLVGNsSmUwUTl3dCtIekhxZ3BKUzRlTHBQcldDY3NGcXNUVlRIeXJjCk41TlF5TW15QWpyM0pmdmI2OUxiRXJKYXRqdmJUTk9sUFNwTitUaUlFNkNjNG0xNE1XYlBNQW5jYWJjam5Cd1MKWUdYSkVPdTExeVR6QVhZT3plMWNTV1R2L1hhZHM4ZW9pWFhKT1BMMk9Xai9zSUNiYS9ZTUZYZjVxclNNSllWagpNb212eWpUV01WaEV0Zz09Ci0tLS0tRU5EIENFUlRJRklDQVRFIFJFUVVFU1QtLS0tLQo=
usages:
- digital signature
- key encipherment
- client auth
Apply the CSR obbject
kubectl apply -f /home/dev/k8s-ro/csr_object.yaml
kubectl certificate approve kops-qa-ro
kubectl get csr kops-qa-ro -o jsonpath='{.status.certificate}' | base64 --decode > approved_kops_ro.crt
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: {{BASE64_ENCODED_CA - can be taken from admin's kubeconfig}}
server: {{API SERVER URL - can be taken from admin's kubeconfig}}
name: {{NAME OF CLUSTER - can be taken from admin's kubeconfig}}
contexts:
- context:
cluster: {{NAME OF CLUSTER - can be taken from admin's kubeconfig}}
namespace: default
user: {{USERNAME as created for CSR}}
name: default
current-context: default
kind: Config
preferences: {}
users:
- name: {{USERNAME as created for CSR}}
user:
as-user-extra: {}
client-certificate-data: {{BASE64_ENCODED_Approved_Cert}}
client-key-data: {{BASE64_ENCODED_Private_Key}}
Bind default clusterrole view to the user
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: kops-read-only
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: view
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: User
name: kops-qa