Skip to content

Instantly share code, notes, and snippets.

@steimntz
Last active February 13, 2024 14:24
Show Gist options
  • Save steimntz/abb9d705d495c95029a47b5388674be5 to your computer and use it in GitHub Desktop.
Save steimntz/abb9d705d495c95029a47b5388674be5 to your computer and use it in GitHub Desktop.
Script to create user with permission for a specific namespace.
#!/bin/bash
# In honor of the remarkable Windson
#/bin/bash
namespace=$1
if [[ -z "$namespace" ]]; then
echo "Use "$(basename "$0")" NAMESPACE";
exit 1;
fi
echo -e "
apiVersion: v1
kind: ServiceAccount
metadata:
name: $namespace-user
namespace: $namespace
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: $namespace-user-full-access
namespace: $namespace
rules:
- apiGroups: ['', 'extensions', 'apps']
resources: ['*']
verbs: ['*']
- apiGroups: ['batch']
resources:
- jobs
- cronjobs
verbs: ['*']
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: $namespace-user-view
namespace: $namespace
subjects:
- kind: ServiceAccount
name: $namespace-user
namespace: $namespace
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: $namespace-user-full-access" | kubectl apply -f -
tokenName=$(kubectl get sa $namespace-user -n $namespace -o 'jsonpath={.secrets[0].name}')
token=$(kubectl get secret $tokenName -n $namespace -o "jsonpath={.data.token}" | base64 -d)
certificate=$(kubectl get secret $tokenName -n $namespace -o "jsonpath={.data['ca\.crt']}")
context_name="$(kubectl config current-context)"
cluster_name="$(kubectl config view -o "jsonpath={.contexts[?(@.name==\"${context_name}\")].context.cluster}")"
server_name="$(kubectl config view -o "jsonpath={.clusters[?(@.name==\"${cluster_name}\")].cluster.server}")"
echo -e "apiVersion: v1
kind: Config
preferences: {}
clusters:
- cluster:
certificate-authority-data: $certificate
server: $server_name
name: my-cluster
users:
- name: $namespace-user
user:
as-user-extra: {}
client-key-data: $certificate
token: $token
contexts:
- context:
cluster: my-cluster
namespace: $namespace
user: $namespace-user
name: $namespace
current-context: $namespace" > kubeconfig
echo "$namespace-user's kubeconfig was created into `pwd`/kubeconfig"
echo "If you want to test execute this command \`KUBECONFIG=`pwd`/kubeconfig kubectl get po\`"
@AndrewBedscastle
Copy link

AndrewBedscastle commented Feb 12, 2024

h t t p s jeremievallee dot com/2018/05/28/kubernetes-rbac-namespace-user.html
leads to a malicious website. Please remove

(Script untested thus far, just wanted to let you know about the site; Anyway: Thank you very much!)

@steimntz
Copy link
Author

h t t p s jeremievallee dot com/2018/05/28/kubernetes-rbac-namespace-user.html leads to a malicious website. Please remove

(Script untested thus far, just wanted to let you know about the site; Anyway: Thank you very much!)

I have just removed it.

Thank you for notifying me.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment