create k8s user, certificate, permissions and client config
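#!/usr/bin/env bash
#
# Create a Kubernetes user backed by an X.509 client certificate:
#   1. generate a private key and CSR for the user,
#   2. submit the CSR to the cluster of the current kubectl context, approve it
#      and fetch the issued certificate,
#   3. bind the user to the built-in "edit" ClusterRole inside NAMESPACE,
#   4. write a standalone kubeconfig for the user (KUBECONFIG_OUT in the CWD).
#
# Requires: openssl, kubectl, base64. The caller's current kubeconfig must be
# allowed to create/approve CSRs and to create RoleBindings in NAMESPACE.
# Edit the variables below before running.
set -euo pipefail

CLUSTERNAME=cluster-name
CLUSTER_API=cluster-api
NAMESPACE=namespace
USERNAME=username
ORGANIZATION=organization

# Optional PEM file with the cluster CA. When empty, the script copies the CA
# of the current context so the generated kubeconfig can verify the API server
# instead of disabling TLS verification.
CLUSTER_CA_FILE=${CLUSTER_CA_FILE:-}

KEY_FILE=$USERNAME.key
CSR_FILE=$USERNAME.csr
CRT_FILE=$USERNAME.crt
CERTIFICATE_NAME=$USERNAME.$NAMESPACE
KUBECONFIG_OUT=config

# The private key is the user's credential: create it unreadable by others
# rather than chmod-ing it after the fact.
old_umask=$(umask)
umask 077
openssl genrsa -out "$KEY_FILE" 2048
umask "$old_umask"
openssl req -new -key "$KEY_FILE" -out "$CSR_FILE" -subj "/CN=$USERNAME/O=$ORGANIZATION"

# To make it repeatable: drop a CSR left over from a previous run.
if kubectl get csr "$CERTIFICATE_NAME" >/dev/null 2>&1; then
  kubectl delete csr "$CERTIFICATE_NAME"
fi

# certificates.k8s.io/v1 (v1beta1 was removed in Kubernetes 1.22) requires an
# explicit signer. kube-apiserver-client only issues client certificates, so
# "server auth" is not requested; "groups" is set by the API server, not here.
csr_b64=$(base64 < "$CSR_FILE" | tr -d '\n')
kubectl create -f - <<EOF
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: $CERTIFICATE_NAME
spec:
  signerName: kubernetes.io/kube-apiserver-client
  request: $csr_b64
  usages:
  - digital signature
  - key encipherment
  - client auth
EOF

kubectl certificate approve "$CERTIFICATE_NAME"

# Retrieve the cert issued by k8s. Issuance is asynchronous: the signing
# controller fills .status.certificate some time after approval, so poll.
echo "Exporting the certificate..."
cert_b64=
for ((attempt = 0; attempt < 30; attempt++)); do
  cert_b64=$(kubectl get csr "$CERTIFICATE_NAME" -o jsonpath='{.status.certificate}')
  if [[ -n "$cert_b64" ]]; then
    break
  fi
  sleep 1
done
if [[ -z "$cert_b64" ]]; then
  echo "error: certificate for $CERTIFICATE_NAME was not issued" >&2
  exit 1
fi
# --decode is accepted by both GNU and macOS base64 (-D is macOS-only).
printf '%s' "$cert_b64" | base64 --decode > "$CRT_FILE"

echo "Setting permissions for the user..."
kubectl apply -f - <<EOF
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: $USERNAME-binding
  namespace: $NAMESPACE
roleRef:
  kind: ClusterRole
  name: edit
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: User
  name: $USERNAME
  apiGroup: rbac.authorization.k8s.io
EOF

echo "Creating the user kube-config file..."
if [[ -z "$CLUSTER_CA_FILE" ]]; then
  # The CSR above was signed by the cluster of the current context, so its CA
  # is the one the new kubeconfig must trust.
  ca_data=$(kubectl config view --raw --minify \
    -o jsonpath='{.clusters[0].cluster.certificate-authority-data}' 2>/dev/null || true)
  if [[ -n "$ca_data" ]]; then
    CLUSTER_CA_FILE=$(mktemp)
    trap 'rm -f -- "$CLUSTER_CA_FILE"' EXIT
    printf '%s' "$ca_data" | base64 --decode > "$CLUSTER_CA_FILE"
  fi
fi
cluster_args=(--server="$CLUSTER_API" --kubeconfig="$KUBECONFIG_OUT")
if [[ -n "$CLUSTER_CA_FILE" ]]; then
  cluster_args+=(--certificate-authority="$CLUSTER_CA_FILE" --embed-certs)
else
  # No CA available: keep the original behaviour, but say so, because a
  # kubeconfig without a CA cannot tell the real API server from an impostor.
  echo "warning: no cluster CA found; kubeconfig will skip TLS verification" >&2
  cluster_args+=(--insecure-skip-tls-verify=true)
fi
kubectl config set-cluster "$CLUSTERNAME" "${cluster_args[@]}"
kubectl config set-credentials "$USERNAME" \
  --client-certificate="$PWD/$CRT_FILE" \
  --client-key="$PWD/$KEY_FILE" \
  --embed-certs \
  --kubeconfig="$KUBECONFIG_OUT"
kubectl config set-context default \
  --cluster="$CLUSTERNAME" \
  --namespace="$NAMESPACE" \
  --user="$USERNAME" \
  --kubeconfig="$KUBECONFIG_OUT"
kubectl config use-context default --kubeconfig="$KUBECONFIG_OUT"

echo "Verifying the config is working..."
kubectl get all --kubeconfig="$KUBECONFIG_OUT"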
I wonder why I am getting this on my Civo and EKS clusters?