Shows how to set up RBAC on Minikube
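# Walkthrough: create an x509 client identity for Minikube and restrict it
# with RBAC to reading pods in the "default" namespace.
#
# Command output captured while this was recorded is kept for reference but
# commented out with "# =>" so the file can be run as a script; the heredoc
# YAML is indented as the Kubernetes API server expects it.

# minikube version
minikube version
# => minikube version: v1.11.0
# => commit: 57e2f55f47effe9ce396cea42a1e0eb4f611ebbd

# Kubernetes version
kubectl version
# => Client Version: version.Info{Major:"1", Minor:"18", GitVersion:"v1.18.3", GitCommit:"2e7996e3e2712684bc73f0dec0200d64eec7fe40", GitTreeState:"clean", BuildDate:"2020-05-21T14:51:23Z", GoVersion:"go1.14.3", Compiler:"gc", Platform:"darwin/amd64"}
# => Server Version: version.Info{Major:"1", Minor:"18", GitVersion:"v1.18.3", GitCommit:"2e7996e3e2712684bc73f0dec0200d64eec7fe40", GitTreeState:"clean", BuildDate:"2020-05-20T12:43:34Z", GoVersion:"go1.13.9", Compiler:"gc", Platform:"linux/amd64"}

# start minikube
minikube start

# generate keys which will be used for authenticating to Kubernetes
openssl genrsa -out lukasz.key 2048
# the private key IS the credential: make sure only the owner can read it
chmod 600 lukasz.key
# CN becomes the Kubernetes username, O becomes a group the user belongs to
openssl req -new -key lukasz.key -out lukasz.csr -subj "/CN=lukasz/O=kteam"

# use minikube cert to sign it
# NOTE: signing directly with the cluster CA key is fine for a local
# Minikube; whoever holds ca.key can mint any identity, so on a real cluster
# go through the CertificateSigningRequest API instead.
openssl x509 -req -in lukasz.csr -CA ~/.minikube/ca.crt -CAkey ~/.minikube/ca.key -CAcreateserial -out lukasz.crt -days 365

# set credentials of lukasz user to user certs
kubectl config set-credentials lukasz --client-certificate=lukasz.crt --client-key=lukasz.key

# add lukasz-context for cluster minikube and user lukasz
kubectl config set-context lukasz-context --cluster=minikube --user=lukasz

# Role: read-only access to pods, scoped to the "default" namespace only
cat <<'EOF' > role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: pod-reader
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "watch", "list"]
EOF
kubectl apply -f role.yaml

# RoleBinding: grant the pod-reader Role to the user identified by the
# certificate's CN ("lukasz")
cat <<'EOF' > role-binding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: default
  name: read-pods
subjects:
  - kind: User
    name: lukasz
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
EOF
kubectl apply -f role-binding.yaml

# as current minikube user (cluster admin) this succeeds
kubectl get services

# change to lukasz user
kubectl config use-context lukasz-context

# test getting pods from default namespace (allowed by the Role)
kubectl get pods

# test getting pods from all namespaces (denied: the Role is namespaced)
kubectl get pods -A
# => Error from server (Forbidden): pods is forbidden: User "lukasz" cannot list resource "pods" in API group "" at the cluster scope

# test getting services (denied: the Role only covers pods)
kubectl get services -A
# => Error from server (Forbidden): services is forbidden: User "lukasz" cannot list resource "services" in API group "" at the cluster scope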