TLS certificate to authenticate to K8s API Server
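#!/usr/bin/env bash
# Issue a client certificate for the Kubernetes user "rds" through the CSR API,
# then bind that user to a read-only ClusterRole. Runs against the current
# kubectl context; leaves rds.key, rds.csr, rds.crt and csr.yaml in the cwd.
set -euo pipefail

# Generate private key for RDS.
# The umask keeps rds.key owner-readable only; whether openssl restricts the
# file mode on its own depends on the OpenSSL version, so do not rely on it.
umask 077
openssl genrsa -out rds.key 4096

# Create certificate signing request config (config for CSR: [1]).
# Only the subject matters here: the Kubernetes signer derives key usages from
# spec.usages of the CertificateSigningRequest object, not from extensions in
# the PKCS#10 request, and the old "v3_ext" section was never referenced by
# "openssl req" (no req_extensions line), so it is dropped. default_bits is
# irrelevant because an existing key is supplied with -key.
cat > /tmp/csr.cnf <<END
[ req ]
prompt = no
default_md = sha256
distinguished_name = dn
[ dn ]
CN = rds  # Corresponds to username in K8s
O = bbmc  # Corresponds to group name in K8s
END
# "-nodes" dropped: it only affects key generation, and the key already exists.
openssl req -config /tmp/csr.cnf -new -key rds.key -out rds.csr

# Create certificate signing request for kubernetes.
# spec.request must be the base64 of the PEM CSR on a single line.
BASE64_CSR=$(base64 < rds.csr | tr -d '\n')
export BASE64_CSR

# The heredoc delimiter is quoted so "${BASE64_CSR}" is written verbatim and
# substituted by envsubst below. With an unquoted delimiter the shell expanded
# it while writing the file, which left "request:" empty whenever the variable
# was exported only afterwards (as it was here), and envsubst then had nothing
# left to substitute.
cat > csr.yaml <<'EOF'
apiVersion: certificates.k8s.io/v1beta1   # removed in Kubernetes 1.22; certificates.k8s.io/v1 additionally requires spec.signerName
kind: CertificateSigningRequest
metadata:
  name: rdscsr
spec:
  # spec.username/spec.groups are filled in by the API server from the
  # requesting identity, so a hand-written "groups:" list is ignored.
  request: ${BASE64_CSR}
  # Client certificate only: it is used to authenticate *to* the API server,
  # so "server auth" is not needed and is not requested (least privilege).
  usages:
  - digital signature
  - key encipherment
  - client auth
EOF
envsubst < csr.yaml | kubectl apply -f -

# Approve the above request.
kubectl certificate approve rdscsr

# Download certificate. The jsonpath is quoted so the shell never sees the
# braces. Signing happens asynchronously after approval, so an empty result
# means the certificate is not issued yet; fail instead of writing an empty
# rds.crt.
kubectl get csr rdscsr -o 'jsonpath={.status.certificate}' | base64 --decode > rds.crt
if [ ! -s rds.crt ]; then
  echo "rdscsr is approved but status.certificate is still empty; re-run the download step" >&2
  exit 1
fi

# Now let's give access to the rds user. For that let's create a cluster role
# that gives permissions to get and list the resources, and a cluster role
# binding for it.
# Both objects are cluster-scoped, so "namespace:" has no effect on them and is
# omitted; the binding therefore grants read access to these resources in
# every namespace. Use Role/RoleBinding instead if access should be limited to
# a single namespace.
cat <<EOF | kubectl apply -f -
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: resource-reader
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
rules:
- apiGroups: [""]
  resources: ["pods", "endpoints", "services"]
  verbs: ["get", "list"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: rds-resource-reader
subjects:
- kind: User
  name: rds
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: resource-reader
  apiGroup: rbac.authorization.k8s.io
EOF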