Log into Cluster as PKS admin.
pks login -a https://api.pks.pivotal.io -u admin -p <PASSWORD> -k
pks get-credentials dev
Create namespace:
kubectl create namespace qwerty_ns
Generate private_key and csr:
openssl genrsa -out qwerty_user.key 2048
openssl req -new -key qwerty_user.key -out qwerty_user.csr -subj "/CN=qwerty/O=qwerty_ns"
Get Kubernetes CA for the cluster to sign the certificate from BOSH CredHub:
credhub get -n /p-bosh/<SERVICE_INSTANCE_DEPLOYMENT>/kubo_ca_2018
Sign the certificate using the CA retrieved from CredHub above:
openssl x509 -req -in qwerty_user.csr -CA ca.crt -CAkey ./ca.key -CAcreateserial -out qwerty_user.crt -days 500
Set the credential and create the context.
kubectl config set-credentials qwerty --client-certificate=/Users/qwerty/qwerty_user.crt --client-key=/Users/qwerty/qwerty_user.key
kubectl config set-context qwerty-context --cluster=dev --namespace=qwerty_ns --user=qwerty
Create a Role and RoleBinding with kubectl.
# Role.yml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  namespace: qwerty_ns
  name: deployment-manager
rules:
- apiGroups: ["", "extensions", "apps"]
  resources: ["deployments", "replicasets", "pods"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] # You can also use ["*"]

# RoleBinding.yml
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: deployment-manager-binding
  namespace: qwerty_ns
subjects:
- kind: User
  name: qwerty
  apiGroup: ""
roleRef:
  kind: Role
  name: deployment-manager
  apiGroup: ""
kubectl create -f ./Role.yml
kubectl create -f ./RoleBinding.yml
View pods:
kubectl --context=qwerty-context get pods
Probably used the wrong CA to sign the certificate.
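
The signing CA suspected above can be checked directly. The following is an added example, not part of the original post: the function names and the throwaway two-CA setup are constructed for illustration, and only the file names and the subject string are taken from the steps above.

```shell
#!/bin/sh
# Added example: check which CA actually signed a client certificate.
# Function names and the demo PKI are constructed, not from the page.

# Succeeds only if certificate $1 chains to CA certificate $2.
signed_by_ca() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Prints the subject of certificate $1. Kubernetes takes the user name
# from CN and the group names from O.
cert_subject() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# Builds a throwaway PKI in directory $1: two unrelated CAs and a client
# certificate for /CN=qwerty/O=qwerty_ns signed by the first CA only.
make_demo_pki() {
    d=$1
    for ca in cluster other; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$ca-ca" \
            -keyout "$d/$ca-ca.key" -out "$d/$ca-ca.crt" 2>/dev/null || return 1
    done
    openssl genrsa -out "$d/qwerty_user.key" 2048 2>/dev/null || return 1
    openssl req -new -key "$d/qwerty_user.key" -out "$d/qwerty_user.csr" \
        -subj "/CN=qwerty/O=qwerty_ns" || return 1
    openssl x509 -req -in "$d/qwerty_user.csr" -CA "$d/cluster-ca.crt" \
        -CAkey "$d/cluster-ca.key" -CAcreateserial \
        -out "$d/qwerty_user.crt" -days 1 2>/dev/null
}

# Against a real cluster, the CA stored in the kubeconfig (cluster "dev" as
# on the page) can be extracted and compared in the same way:
#   kubectl config view --raw \
#     -o jsonpath='{.clusters[?(@.name=="dev")].cluster.certificate-authority-data}' \
#     | base64 -d > kubeconfig-ca.crt
#   signed_by_ca qwerty_user.crt kubeconfig-ca.crt && echo "chains to this CA"
# That CA is the one used to validate the API server's serving certificate.
# The API server checks client certificates against its --client-ca-file,
# which is often the same CA but does not have to be.
```

A certificate that fails signed_by_ca against the CA the API server trusts for clients will be rejected at authentication, before any Role or RoleBinding is evaluated.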