
@mikamboo
Forked from steimntz/create_user_for_namespace.sh
Last active April 10, 2024 08:33
Kubernetes : Create Service Account with permission for a specific namespace + Generate KUBECONFIG

Create a KUBECONFIG limited to a specific namespace

  • create_user_for_namespace.sh: create a $namespace-user ServiceAccount with full access to the specified namespace and write its KUBECONFIG
  • kubeconfig-generator.sh : generate the KUBECONFIG of an existing ServiceAccount + namespace

Ex : Create gitlab-user on the gitlab namespace

GIST_URL=https://gist.githubusercontent.com/mikamboo/5e20ea4a0aef8289e40f62844dec7bc8
curl $GIST_URL/raw/bb5ba7e3cc2b1e7be0006f7a2bc3d0f5d73958ec/create_user_for_namespace.sh | bash -s gitlab

Ex : Get KUBECONFIG for the existing gitlab-admin SA on the gitlab NS

GIST_URL=https://gist.githubusercontent.com/mikamboo/5e20ea4a0aef8289e40f62844dec7bc8
curl $GIST_URL/raw/784db06717505e609a5e387eff97d6917c5ff42b/kubeconfig-generator.sh | bash -s gitlab gitlab-admin

The raw URLs are pinned to a commit hash, so the script you fetch cannot change underneath you; still, download and read it before piping it into bash, because it runs with whatever kubectl credentials you currently hold.
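Before handing a generated kubeconfig to GitLab (or anyone), it is worth checking offline that the token inside it really belongs to the namespace the context claims. A ServiceAccount token is a JWT whose "sub" claim is "system:serviceaccount:<namespace>:<name>", so the check needs no cluster access. The script below is an added example, not part of the gist; it assumes the single-context, token-only kubeconfig layout the two scripts write, and the token and kubeconfig it checks are constructed inline (the JWT signature is a placeholder).

```shell
#!/bin/sh
# Added example, not from the gist: confirm a kubeconfig's token matches its context.
# Both legacy secret tokens and bound tokens from `kubectl create token` carry
# "sub":"system:serviceaccount:<ns>:<sa>" in the JWT payload.

# Decode one base64url JWT segment, restoring the padding JWTs strip.
b64url_decode() {
  s=$(printf '%s' "$1" | tr -- '-_' '+/')
  case $(( ${#s} % 4 )) in
    2) s="$s==" ;;
    3) s="$s=" ;;
  esac
  printf '%s' "$s" | base64 -d
}

# Print "<namespace>/<serviceaccount>" for a ServiceAccount token; fail for
# anything else (an OIDC token for a human user, garbage, ...).
token_subject() {
  payload=$(b64url_decode "$(printf '%s' "$1" | cut -d. -f2)") || return 1
  sub=$(printf '%s' "$payload" | sed -n 's/.*"sub":"\([^"]*\)".*/\1/p')
  case "$sub" in
    system:serviceaccount:*:*)
      printf '%s/%s\n' "$(printf '%s' "$sub" | cut -d: -f3)" "$(printf '%s' "$sub" | cut -d: -f4)" ;;
    *) return 1 ;;
  esac
}

# First "key: value" line of a kubeconfig with a non-empty value (skips the
# bare "user:" mapping key under users:).
kc_value() {
  sed -n "s/^ *$1: *\([^ ][^ ]*\).*/\1/p" "$2" | head -n 1
}

# 0 if the token was minted for exactly the namespace/user the context names.
check_kubeconfig() {
  file=$1
  ns=$(kc_value namespace "$file")
  user=$(kc_value user "$file")
  token=$(kc_value token "$file")
  [ -n "$token" ] || { echo "$file: no token in kubeconfig" >&2; return 1; }
  subject=$(token_subject "$token") || { echo "$file: token is not a ServiceAccount token" >&2; return 1; }
  if [ "$subject" != "$ns/$user" ]; then
    echo "$file: context is $ns/$user but the token was minted for $subject" >&2
    return 1
  fi
  echo "$file: ok, token belongs to $subject"
}

# --- constructed sample data: no cluster involved, signature is a placeholder ---
b64url() { base64 | tr -d '\n=' | tr -- '+/' '-_'; }
make_fake_token() {  # make_fake_token NAMESPACE SA
  hdr=$(printf '{"alg":"RS256","kid":"demo"}' | b64url)
  body=$(printf '{"iss":"kubernetes/serviceaccount","kubernetes.io/serviceaccount/namespace":"%s","kubernetes.io/serviceaccount/service-account.name":"%s","sub":"system:serviceaccount:%s:%s"}' "$1" "$2" "$1" "$2" | b64url)
  printf '%s.%s.%s\n' "$hdr" "$body" "placeholdersignature"
}
write_sample_kubeconfig() {  # write_sample_kubeconfig FILE NAMESPACE SA TOKEN
  cat > "$1" <<EOF
apiVersion: v1
kind: Config
clusters:
- cluster:
    certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0t
    server: https://192.0.2.10:6443
  name: my-cluster
users:
- name: $3
  user:
    token: $4
contexts:
- context:
    cluster: my-cluster
    namespace: $2
    user: $3
  name: $2
current-context: $2
EOF
}

demo() {
  tok=$(make_fake_token gitlab gitlab-user)
  good=$(mktemp) && write_sample_kubeconfig "$good" gitlab gitlab-user "$tok"
  bad=$(mktemp) && write_sample_kubeconfig "$bad" kube-system gitlab-user "$tok"  # context edited to another namespace
  check_kubeconfig "$good"
  check_kubeconfig "$bad" || echo "rejected as expected"
  rm -f "$good" "$bad"
}
demo
```

Run it as `sh check.sh`; to check a real file, call `check_kubeconfig path/to/kubeconfig`. The check only proves the token and context agree; what the account may actually do is still decided by the RoleBinding, which `kubectl auth can-i --list` with that kubeconfig will show.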

Encrypt the kubeconfig file before storing or sending it

ENCRYPT_KEY=SuperSecretKey
KUBECONFIG=/path/to/file/to/encrypt
KUBECONFIG_ENC=$KUBECONFIG.enc
openssl enc -aes-256-cbc -salt -md sha512 -pbkdf2 -a -e -k "$ENCRYPT_KEY" -in "$KUBECONFIG" -out "$KUBECONFIG_ENC"
openssl enc -aes-256-cbc -salt -md sha512 -pbkdf2 -a -d -k "$ENCRYPT_KEY" -in "$KUBECONFIG_ENC" -out "$KUBECONFIG"

Note: -k puts the passphrase on the command line, where it is visible to other local users in `ps` output and is saved in shell history; prefer -pass file:PATH (a 0600 file) or -pass env:VAR. AES-CBC with PBKDF2 protects confidentiality only; the output carries no MAC, so it does not detect tampering.
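The same openssl encryption with the passphrase kept off the command line, as an added example that is not part of the gist. It reads the passphrase from a file only the owner can read, writes the ciphertext with the same restrictive umask, and round-trips a constructed kubeconfig to show the plaintext survives; the function names and the 200000 PBKDF2 iterations are this example's choices, not the gist's.

```shell
#!/bin/sh
# Added example, not from the gist: openssl enc with -pass file: instead of -k.
# Requires the openssl CLI (1.1.1+ for -pbkdf2/-iter).

# Write a random passphrase into a file created with mode 0600.
new_keyfile() {
  ( umask 077 && openssl rand -base64 32 > "$1" )
}

# encrypt_kubeconfig KEYFILE IN OUT : ASCII-armoured AES-256-CBC, key from PBKDF2.
# The passphrase never appears in argv, so `ps` and shell history do not see it.
encrypt_kubeconfig() {
  ( umask 077 && openssl enc -aes-256-cbc -salt -pbkdf2 -iter 200000 -md sha512 -a \
      -pass "file:$1" -in "$2" -out "$3" )
}

# decrypt_kubeconfig KEYFILE IN OUT : the inverse. A wrong passphrase normally
# ends in "bad decrypt", but that is a padding check, not authentication:
# CBC without a MAC cannot tell you the ciphertext was tampered with.
decrypt_kubeconfig() {
  ( umask 077 && openssl enc -aes-256-cbc -d -pbkdf2 -iter 200000 -md sha512 -a \
      -pass "file:$1" -in "$2" -out "$3" )
}

# Round trip on a constructed kubeconfig; 0 if the decrypted file is identical.
roundtrip_ok() {
  dir=$(mktemp -d)
  printf 'apiVersion: v1\nkind: Config\ncurrent-context: gitlab\n' > "$dir/kubeconfig"
  new_keyfile "$dir/key" &&
    encrypt_kubeconfig "$dir/key" "$dir/kubeconfig" "$dir/kubeconfig.enc" &&
    decrypt_kubeconfig "$dir/key" "$dir/kubeconfig.enc" "$dir/kubeconfig.dec" &&
    cmp -s "$dir/kubeconfig" "$dir/kubeconfig.dec"
  rc=$?
  rm -rf "$dir"
  return $rc
}

# The armoured ciphertext must not leak the plaintext: 0 if no line of the
# original appears in the encrypted file.
ciphertext_hides_plaintext() {
  dir=$(mktemp -d)
  printf 'apiVersion: v1\nkind: Config\ncurrent-context: gitlab\n' > "$dir/kubeconfig"
  new_keyfile "$dir/key" &&
    encrypt_kubeconfig "$dir/key" "$dir/kubeconfig" "$dir/kubeconfig.enc" &&
    ! grep -q 'current-context' "$dir/kubeconfig.enc"
  rc=$?
  rm -rf "$dir"
  return $rc
}

if roundtrip_ok && ciphertext_hides_plaintext; then
  echo "encrypt/decrypt round trip ok"
fi
```

Send the key file through a different channel than the ciphertext. If you need to detect tampering as well as hide the contents, use a tool that provides authenticated encryption rather than `openssl enc`.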
#!/bin/bash
#
# create_user_for_namespace.sh
# Create a ServiceAccount with full permission on a specific namespace and
# write a kubeconfig for it.
# Script based on https://jeremievallee.com/2018/05/28/kubernetes-rbac-namespace-user.html
#
# In honor of the remarkable Windson
set -euo pipefail

namespace=${1:-}
if [[ -z "$namespace" ]]; then
  echo "Usage: $(basename "$0") NAMESPACE"
  exit 1
fi

# The namespace must already exist, otherwise the apply below fails half way.
kubectl get namespace "$namespace" >/dev/null

# Role and RoleBinding are namespace-scoped, so this account can never reach
# outside $namespace. Inside it the Role is effectively namespace admin:
# '*' on the core group covers secrets, serviceaccounts and pods/exec.
# rbac.authorization.k8s.io/v1beta1 was removed in Kubernetes 1.22; use v1.
# Ingress moved to networking.k8s.io in 1.22 and is not covered by these rules;
# add that group if the account must manage Ingress resources.
kubectl apply -f - <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: $namespace-user
  namespace: $namespace
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: $namespace-user-full-access
  namespace: $namespace
rules:
- apiGroups: ['', 'extensions', 'apps']
  resources: ['*']
  verbs: ['*']
- apiGroups: ['batch']
  resources:
  - jobs
  - cronjobs
  verbs: ['*']
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: $namespace-user-full-access
  namespace: $namespace
subjects:
- kind: ServiceAccount
  name: $namespace-user
  namespace: $namespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: $namespace-user-full-access
EOF

# Since Kubernetes 1.24 a ServiceAccount no longer gets an auto-generated token
# Secret, so reading .secrets[0].name returns nothing. Create the long-lived
# token Secret explicitly; the token controller fills in token and ca.crt on
# both old and new clusters. (For a short-lived credential use
# `kubectl create token $namespace-user -n $namespace` instead.)
tokenName=$namespace-user-token
kubectl apply -f - <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $tokenName
  namespace: $namespace
  annotations:
    kubernetes.io/service-account.name: $namespace-user
type: kubernetes.io/service-account-token
EOF

# Wait for the token controller to populate the Secret.
token=""
for _ in $(seq 1 30); do
  token=$(kubectl get secret "$tokenName" -n "$namespace" -o 'jsonpath={.data.token}' | base64 -d)
  [[ -n "$token" ]] && break
  sleep 1
done
if [[ -z "$token" ]]; then
  echo "Timed out waiting for the token controller to populate secret $tokenName" >&2
  exit 1
fi
certificate=$(kubectl get secret "$tokenName" -n "$namespace" -o "jsonpath={.data['ca\.crt']}")

context_name=$(kubectl config current-context)
cluster_name=$(kubectl config view -o "jsonpath={.contexts[?(@.name==\"${context_name}\")].context.cluster}")
server_name=$(kubectl config view -o "jsonpath={.clusters[?(@.name==\"${cluster_name}\")].cluster.server}")

# Token auth only: no client certificate or key. (The old version put ca.crt
# into client-key-data, which is a CA certificate, not a private key.)
# The file is a credential, so create it readable by the owner only.
kubeconfig=kubeconfig-${namespace}-user-$(date '+%F-%H%M%S')
umask 077
cat > "$kubeconfig" <<EOF
apiVersion: v1
kind: Config
preferences: {}
clusters:
- cluster:
    certificate-authority-data: $certificate
    server: $server_name
  name: my-cluster
users:
- name: $namespace-user
  user:
    token: $token
contexts:
- context:
    cluster: my-cluster
    namespace: $namespace
    user: $namespace-user
  name: $namespace
current-context: $namespace
EOF

echo "$namespace-user's kubeconfig was created at $(pwd)/$kubeconfig"
echo "To test it, the first command should list pods and the other two must be forbidden:"
echo "  KUBECONFIG=$(pwd)/$kubeconfig kubectl get po"
echo "  KUBECONFIG=$(pwd)/$kubeconfig kubectl get po -n kube-system"
echo "  KUBECONFIG=$(pwd)/$kubeconfig kubectl get nodes"
#!/bin/sh
#
# kubeconfig-generator.sh
# Generate a kubeconfig for an existing ServiceAccount in a namespace.
set -e
if [ $# -ne 2 ]; then
  echo "ERROR : Invalid params !"
  echo "Usage : kubeconfig-generator.sh NAMESPACE SERVICE_ACCOUNT_NAME"
  exit 1
fi
namespace=$1
service_account=$2

# Fail early if the account does not exist.
kubectl get sa "$service_account" -n "$namespace" >/dev/null

# Clusters before 1.24 auto-generate a token Secret for every ServiceAccount;
# 1.24+ do not, so .secrets[0].name is empty there. Use the legacy Secret when
# there is one (its ca.crt is the cluster CA), otherwise request a bound token
# with the TokenRequest API. That token expires (the server may also shorten
# the requested duration); for a permanent credential on 1.24+ create a
# kubernetes.io/service-account-token Secret as create_user_for_namespace.sh does.
tokenName=$(kubectl get sa "$service_account" -n "$namespace" -o 'jsonpath={.secrets[0].name}')
if [ -n "$tokenName" ]; then
  token=$(kubectl get secret "$tokenName" -n "$namespace" -o 'jsonpath={.data.token}' | base64 -d)
  certificate=$(kubectl get secret "$tokenName" -n "$namespace" -o "jsonpath={.data['ca\.crt']}")
else
  duration=${TOKEN_DURATION:-8760h}
  echo "No token secret on $service_account; requesting a bound token valid for $duration" >&2
  token=$(kubectl create token "$service_account" -n "$namespace" --duration="$duration")
  # The cluster CA is published into every namespace as the kube-root-ca.crt ConfigMap (1.21+).
  certificate=$(kubectl get configmap kube-root-ca.crt -n "$namespace" -o "jsonpath={.data['ca\.crt']}" | base64 | tr -d '\n')
fi

context_name=$(kubectl config current-context)
cluster_name=$(kubectl config view -o "jsonpath={.contexts[?(@.name==\"${context_name}\")].context.cluster}")
server_name=$(kubectl config view -o "jsonpath={.clusters[?(@.name==\"${cluster_name}\")].cluster.server}")

# Token auth only: no client certificate or key. The file is a credential,
# so create it readable by the owner only.
kubeconfig=kubeconfig-$service_account-$(date '+%F-%H%M%S')
umask 077
cat > "$kubeconfig" <<EOF
apiVersion: v1
kind: Config
preferences: {}
clusters:
- cluster:
    certificate-authority-data: $certificate
    server: $server_name
  name: my-cluster
users:
- name: $service_account
  user:
    token: $token
contexts:
- context:
    cluster: my-cluster
    namespace: $namespace
    user: $service_account
  name: $namespace
current-context: $namespace
EOF

echo "$service_account's kubeconfig was created at $(pwd)/$kubeconfig"
echo "To test it: KUBECONFIG=$(pwd)/$kubeconfig kubectl get po"
echo "To see what it may do: KUBECONFIG=$(pwd)/$kubeconfig kubectl auth can-i --list"
@mikamboo
Author

mikamboo commented Apr 7, 2020

Single line exec

curl https://gist.githubusercontent.com/mikamboo/5e20ea4a0aef8289e40f62844dec7bc8/raw/ff399c038d6d5232a803bdba2cb72c99f9991746/kubeconfig-generator.sh | bash -s gitlab-admin kube-system
