Rancher: recover access to a Kubernetes cluster from a master node
#!/usr/bin/env python3
import base64
import json
import os
import shutil
import sys
import tempfile
from subprocess import check_output, DEVNULL, run
ca_config = { | |
"signing": { | |
"default": { | |
"expiry": "8760h" | |
}, | |
"profiles": { | |
"kubernetes": { | |
"usages": ["signing", "key encipherment", "server auth", "client auth"], | |
"expiry": "8760h" | |
} | |
} | |
} | |
} | |
admin_csr = { | |
"CN": "admin", | |
"key": { | |
"algo": "rsa", | |
"size": 2048 | |
}, | |
"names": [ | |
{ | |
"C": "US", | |
"L": "Portland", | |
"O": "system:masters", | |
"OU": "Kubernetes The Hard Way", | |
"ST": "Oregon" | |
} | |
] | |
} | |
def get_tools(): | |
release = check_output('curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt', shell=True).decode('utf8').strip() | |
print(f'curl -L https://storage.googleapis.com/kubernetes-release/release/{release}/bin/linux/amd64/kubectl -o /usr/local/bin/kubectl') | |
run(f'curl -L https://storage.googleapis.com/kubernetes-release/release/{release}/bin/linux/amd64/kubectl -o /usr/local/bin/kubectl', shell=True) | |
run('chmod +x /usr/local/bin/kubectl', shell=True) | |
run('curl -L https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -o /usr/local/bin/cfssl', shell=True) | |
run('chmod +x /usr/local/bin/cfssl', shell=True) | |
run('curl -L https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 -o /usr/local/bin/cfssljson', shell=True) | |
run('chmod +x /usr/local/bin/cfssljson', shell=True) | |
def create(path, server): | |
# create admin certificate | |
if not os.path.exists('/usr/local/bin/kubectl'): | |
get_tools() | |
if not os.path.exists('admin.pem'): | |
json.dump(ca_config, open('ca-config.json', 'w')) | |
json.dump(admin_csr, open('admin-csr.json', 'w')) | |
run(f'cfssl gencert -ca {path}/kube-ca.pem -ca-key {path}/kube-ca-key.pem -config=ca-config.json -profile=kubernetes admin-csr.json | cfssljson -bare admin', shell=True) | |
name = 'local-admin' | |
check_output(f'kubectl config set-cluster {name} --server https://{server}:6443 --embed-certs --certificate-authority={path}/kube-ca.pem', shell=True, stderr=DEVNULL) | |
check_output(f'kubectl config set-credentials {name} --embed-certs --client-certificate admin.pem --client-key admin-key.pem', shell=True, stderr=DEVNULL) | |
check_output(f'kubectl config set-context {name} --user {name} --cluster {name}', shell=True) | |
check_output(f'kubectl config use-context {name}', shell=True) | |
print(f'Test:\nkubectl get pods\nkubectl auth can-i \'*\' \'*\' --all-namespaces\n') | |
run('kubectl auth can-i \'*\' \'*\' --all-namespaces', shell=True) | |
if __name__ == '__main__': | |
if '--help' in sys.argv or '-h' in sys.argv: | |
print('Usage: %s [/etc/kubernetes/ssl] [127.0.0.1]' % sys.argv[0]) | |
exit(0) | |
path = sys.argv[1] if len(sys.argv) > 1 else '/etc/kubernetes/ssl' | |
server = sys.argv[2] if len(sys.argv) > 2 else '127.0.0.1' | |
create(path, server) |