@miclip
Last active November 14, 2019 01:33
Create Kubernetes User with PKS

Log in to the cluster as the PKS admin and fetch its kubeconfig:

pks login -a https://api.pks.pivotal.io -u admin -p <PASSWORD> -k
pks get-credentials dev

Create namespace:

kubectl create namespace qwerty_ns

Generate the user's private key and CSR:

openssl genrsa -out qwerty_user.key 2048
openssl req -new -key qwerty_user.key -out qwerty_user.csr -subj "/CN=qwerty/O=qwerty_ns"

Get the cluster's Kubernetes CA from BOSH CredHub; the user certificate must be signed with it. Save the certificate and private key from the output as ca.crt and ca.key:

credhub get -n /p-bosh/<SERVICE_INSTANCE_DEPLOYMENT>/kubo_ca_2018

Sign the CSR with the CA retrieved from CredHub above:

openssl x509 -req -in qwerty_user.csr -CA ca.crt -CAkey ./ca.key -CAcreateserial -out qwerty_user.crt -days 500

Set the user's credentials and create a context that uses them:

kubectl config set-credentials qwerty --client-certificate=/Users/qwerty/qwerty_user.crt --client-key=/Users/qwerty/qwerty_user.key
kubectl config set-context qwerty-context --cluster=dev --namespace=qwerty_ns --user=qwerty

Create a Role and a RoleBinding with kubectl. Save the first document as Role.yml and the second as RoleBinding.yml.

Role.yml:

kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  namespace: qwerty_ns
  name: deployment-manager
rules:
- apiGroups: ["", "extensions", "apps"]
  resources: ["deployments", "replicasets", "pods"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] # You can also use ["*"]

RoleBinding.yml:

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: deployment-manager-binding
  namespace: qwerty_ns
subjects:
- kind: User
  name: qwerty
  apiGroup: ""
roleRef:
  kind: Role
  name: deployment-manager
  apiGroup: ""

Apply both:

kubectl create -f ./Role.yml
kubectl create -f ./RoleBinding.yml

View pods as the new user:

kubectl --context=qwerty-context get pods

Troubleshooting

error: you must be logged in to the server (unauthorized)

The API server rejected the client certificate. Most likely it was signed with the wrong CA; it must be signed by the cluster's Kubernetes CA retrieved from CredHub above.
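The signing step and the Unauthorized check above, as an added shell example that is not part of the gist: it generates a throwaway CA in place of the kubo CA from CredHub (so it runs offline), mints the client certificate the way the procedure does, reads back the identity the API server derives from it (CN becomes the user name and O becomes a group, so O=qwerty_ns creates a group called qwerty_ns rather than tying the certificate to the namespace), and runs the openssl verify check that tells a certificate signed by the wrong CA apart from one signed by the cluster CA. The function names and the 30-day default lifetime are this example's own.

```shell
#!/bin/sh
# Added example (not part of the gist): mint a Kubernetes client certificate the
# way the procedure does, verify it against the signing CA, and read back the
# identity the API server derives from it.
#
# Assumptions: a throwaway CA is generated here so the script runs offline; in a
# real PKS cluster ca.crt/ca.key are the kubo CA retrieved from CredHub.
# Function names (make_ca, make_client_cert, verify_client_cert, cert_identity)
# are this example's own.

# Create a throwaway CA in DIR (constructed stand-in for the kubo CA).
make_ca() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" \
        -subj "/CN=throwaway-test-ca" >/dev/null 2>&1
}

# Generate a key and CSR for USER in GROUP and sign it with the CA in DIR.
# Kubernetes takes the user name from CN and group memberships from O.
# DAYS defaults to 30: Kubernetes does not check CRLs, so a client certificate
# issued this way cannot be revoked before it expires.
make_client_cert() {
    dir=$1 user=$2 group=$3 days=${4:-30}
    openssl genrsa -out "$dir/$user.key" 2048 >/dev/null 2>&1
    openssl req -new -key "$dir/$user.key" -out "$dir/$user.csr" \
        -subj "/CN=$user/O=$group" >/dev/null 2>&1
    openssl x509 -req -in "$dir/$user.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/$user.crt" -days "$days" >/dev/null 2>&1
}

# The check to run when the API server answers "Unauthorized": does the client
# certificate chain to the CA file given as the first argument? Prints OK/FAIL.
verify_client_cert() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# Print "user group" as Kubernetes will see them (CN, then O).
cert_identity() {
    openssl x509 -in "$1" -noout -subject -nameopt sep_multiline |
        awk -F= '/^[[:space:]]*CN=/ {cn=$2} /^[[:space:]]*O=/ {o=$2} END {print cn, o}'
}

main() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 0; }
    work=$(mktemp -d)
    make_ca "$work"
    make_client_cert "$work" qwerty qwerty_ns
    echo "identity (user group): $(cert_identity "$work/qwerty.crt")"
    echo "chains to cluster CA:  $(verify_client_cert "$work/ca.crt" "$work/qwerty.crt")"
    # A certificate signed by some other CA is exactly what produces
    # "you must be logged in to the server (Unauthorized)".
    other=$(mktemp -d)
    make_ca "$other"
    echo "chains to wrong CA:    $(verify_client_cert "$other/ca.crt" "$work/qwerty.crt")"
    rm -rf "$work" "$other"
}

main "$@"
```

Run it as `sh mint-and-verify.sh`; against a real cluster, point verify_client_cert at the ca.crt saved from CredHub and at the qwerty_user.crt you created, and a FAIL means the certificate was signed by a different CA than the one the API server trusts. The short lifetime matters because the API server performs no revocation check on client certificates: once issued, a certificate stays valid until it expires, and the only way to cut off the user earlier is to remove their RoleBindings.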
