Skip to content

Instantly share code, notes, and snippets.

@hustshawn
Forked from henning/create-kube-user.sh
Last active December 4, 2020 12:19
Show Gist options
  • Save hustshawn/e6109c6ddb7ed845e7a1298c526588b6 to your computer and use it in GitHub Desktop.
Save hustshawn/e6109c6ddb7ed845e7a1298c526588b6 to your computer and use it in GitHub Desktop.
create k8s user, certificate, permissions and client config
#!/bin/bash
CLUSTERNAME=cluster-name
CLUSTER_API=cluster-api
NAMESPACE=namespace
USERNAME=username
ORGANIZATION=organization
KEY_FILE=$USERNAME.key
CSR_FILE=$USERNAME.csr
CRT_FILE=$USERNAME.crt
CERTIFICATE_NAME=$USERNAME.$NAMESPACE
openssl genrsa -out $KEY_FILE 2048
openssl req -new -key $KEY_FILE -out $CSR_FILE -subj "/CN=$USERNAME/O=$ORGANIZATION"
# To make it repeatable
kubectl get csr $CERTIFICATE_NAME && kubectl delete csr $CERTIFICATE_NAME
cat <<EOF | kubectl create -f -
apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
metadata:
name: $CERTIFICATE_NAME
spec:
groups:
- system:authenticated
request: $(cat $CSR_FILE | base64 | tr -d '\n')
usages:
- digital signature
- key encipherment
- client auth
- server auth
EOF
kubectl certificate approve $CERTIFICATE_NAME
# Retrieve the cert issued by k8s
echo "Exporting the certificate..."
kubectl get csr $CERTIFICATE_NAME -o jsonpath='{.status.certificate}' | base64 -D > $CRT_FILE
echo "Setting permissions for the user..."
cat <<EOF | kubectl apply -f -
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: $USERNAME-binding
namespace: $NAMESPACE
roleRef:
kind: ClusterRole
name: edit
apiGroup: rbac.authorization.k8s.io
subjects:
- kind: User
name: $USERNAME
apiGroup: rbac.authorization.k8s.io
EOF
echo "Creating the user kube-config file..."
kubectl config set-cluster $CLUSTERNAME \
--server=$CLUSTER_API \
--insecure-skip-tls-verify=true \
--kubeconfig="config";
kubectl config set-credentials $USERNAME \
--client-certificate=$(pwd)/$CRT_FILE \
--client-key=$(pwd)/$KEY_FILE \
--embed-certs \
--kubeconfig="config";
kubectl config set-context default \
--cluster=$CLUSTERNAME \
--namespace=$NAMESPACE \
--user=$USERNAME \
--kubeconfig="config";
kubectl config use-context default \
--kubeconfig="config";
echo "Verifying the config is working..."
kubectl get all --kubeconfig=config
@thapakazi
Copy link

I wonder, why I am getting this on my civo, eks clusters ??

Context "default" modified.
Switched to context "default".
Verifying the config is working...
error: You must be logged in to the server (Unauthorized)
error: You must be logged in to the server (Unauthorized)
error: You must be logged in to the server (Unauthorized)
error: You must be logged in to the server (Unauthorized)
error: You must be logged in to the server (Unauthorized)
error: You must be logged in to the server (Unauthorized)
error: You must be logged in to the server (Unauthorized)
error: You must be logged in to the server (Unauthorized)
error: You must be logged in to the server (Unauthorized)
error: You must be logged in to the server (Unauthorized)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment