@tony612
Last active September 16, 2021 03:51
# Create a Kubernetes user backed by an X.509 client certificate: generate a key
# and CSR, have the cluster CA sign it through the certificates API, bind the
# user's group to cluster-admin, and write a standalone kubeconfig. Run this with
# a kubeconfig that can already approve CSRs and create ClusterRoleBindings.
export USERNAME=myadmin
export GROUPNAME=myadmin
export CERTIFICATE_NAME=myadmin

# The private key stays on this machine; keep the files unreadable to other users.
umask 077
openssl genrsa -out ${USERNAME}.key 2048
# CN becomes the Kubernetes username and O becomes a group. Never put
# system:masters in O: a certificate carrying that group is cluster-admin
# regardless of RBAC, and Kubernetes cannot revoke client certificates.
openssl req -new -key ${USERNAME}.key -out ${USERNAME}.csr -subj "/CN=${USERNAME}/O=${GROUPNAME}"

# certificates.k8s.io/v1 (v1beta1 was removed in Kubernetes 1.22) requires
# signerName; kubernetes.io/kube-apiserver-client issues certificates that
# authenticate to the API server. spec.groups is filled in by the API server
# from the requester's own identity, so it is not set here.
cat <<EOF | kubectl apply -f -
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: $CERTIFICATE_NAME
spec:
  signerName: kubernetes.io/kube-apiserver-client
  request: $(base64 < ${USERNAME}.csr | tr -d '\n')
  usages:
  - digital signature
  - key encipherment
  - client auth
EOF

# Approval is unconditional, so look at the subject that is about to be signed first.
kubectl get csr $CERTIFICATE_NAME -o jsonpath='{.spec.request}' | base64 -d | openssl req -noout -subject
kubectl certificate approve $CERTIFICATE_NAME
# Issuance is asynchronous; if the file comes out empty, wait a moment and rerun.
kubectl get csr $CERTIFICATE_NAME -o jsonpath='{.status.certificate}' | base64 -d > ${USERNAME}.crt

# Grant the group full cluster access. cluster-admin is the broadest built-in
# role and any future certificate with O=$GROUPNAME inherits it; prefer a
# narrower ClusterRole or a namespaced RoleBinding where that is enough.
cat <<EOF | kubectl apply -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: $USERNAME
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: $GROUPNAME
EOF

# Write a standalone kubeconfig named "config". set-credentials alone is not
# enough: the file also needs the cluster (server URL and CA) and a context
# tying user and cluster together. The cluster entry is copied from the
# kubeconfig currently in use.
CLUSTER=$(kubectl config view --minify -o jsonpath='{.clusters[0].name}')
SERVER=$(kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}')
kubectl config view --minify --raw --flatten -o jsonpath='{.clusters[0].cluster.certificate-authority-data}' | base64 -d > ca.crt
KUBECONFIG=config kubectl config set-cluster ${CLUSTER} --server=${SERVER} --certificate-authority=ca.crt --embed-certs=true
KUBECONFIG=config kubectl config set-credentials ${USERNAME} --client-certificate=${USERNAME}.crt --client-key=${USERNAME}.key --embed-certs=true
KUBECONFIG=config kubectl config set-context ${USERNAME}@${CLUSTER} --cluster=${CLUSTER} --user=${USERNAME}
KUBECONFIG=config kubectl config use-context ${USERNAME}@${CLUSTER}

# verify: subject and validity period of the issued certificate, then access through the new kubeconfig
# openssl x509 -in ${USERNAME}.crt -noout -subject -dates
# kubectl --kubeconfig=config auth can-i '*' '*'
# kubectl --kubeconfig=config get pod
# cleanup: removes the request object and the binding; the certificate itself stays
# valid until it expires, because Kubernetes has no client certificate revocation
# kubectl delete csr ${CERTIFICATE_NAME}
# kubectl delete clusterrolebinding ${USERNAME}
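The script approves the CSR without looking at it. `kubectl certificate approve` does not inspect the subject, and the API server turns the CN of the issued certificate into the username and every O into a group, so a request that smuggles O=system:masters into the subject becomes a cluster-admin credential that RBAC cannot take away and that cannot be revoked. The following is an added example, not code from the gist or from Kubernetes, showing how an approver (a review script or a custom approval controller) would decode `spec.request` and gate on the subject before approving. It is in Go because that is the language of the Kubernetes CSR machinery. `MakeCSR` only fabricates sample input equivalent to the gist's `openssl req` step; `DecodeRequest`, `CheckSubject`, the expected CN and the allowlisted group set are this example's own assumptions about policy, not anything the cluster enforces.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/pem"
	"errors"
	"fmt"
	"strings"
)

// MakeCSR fabricates the base64 PEM string the gist puts into spec.request
// (what `openssl req -new -subj "/CN=cn/O=org"` produces). It exists only to
// construct sample input for this example; a real approver reads spec.request
// from the CertificateSigningRequest object in the cluster.
func MakeCSR(cn string, orgs []string) (string, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn, Organization: orgs}}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return "", err
	}
	pemBytes := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der})
	return base64.StdEncoding.EncodeToString(pemBytes), nil
}

// DecodeRequest reverses the manifest encoding (base64 -> PEM -> DER) and
// verifies the CSR's self-signature, i.e. that whoever built it holds the key.
func DecodeRequest(specRequest string) (*x509.CertificateRequest, error) {
	pemBytes, err := base64.StdEncoding.DecodeString(strings.TrimSpace(specRequest))
	if err != nil {
		return nil, fmt.Errorf("spec.request is not valid base64: %w", err)
	}
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return nil, errors.New("spec.request does not hold a PEM CERTIFICATE REQUEST")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return nil, fmt.Errorf("CSR does not parse: %w", err)
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("CSR self-signature does not verify: %w", err)
	}
	return csr, nil
}

// CheckSubject is the approval gate (policy assumed by this example). Kubernetes
// maps CN to the username and every O to a group with no further checks, so
// this is the only point where the identity in the future certificate is constrained.
func CheckSubject(csr *x509.CertificateRequest, expectedCN string, allowedGroups map[string]bool) error {
	cn := csr.Subject.CommonName
	if cn == "" {
		return errors.New("empty CN: the certificate would carry no username")
	}
	if strings.HasPrefix(cn, "system:") {
		return fmt.Errorf("CN %q uses the system: prefix reserved for cluster components", cn)
	}
	if expectedCN != "" && cn != expectedCN {
		return fmt.Errorf("CN %q does not match the requested user %q", cn, expectedCN)
	}
	for _, org := range csr.Subject.Organization {
		// system:masters bypasses RBAC entirely; the other system: groups are
		// reserved for nodes and controllers.
		if strings.HasPrefix(org, "system:") {
			return fmt.Errorf("group %q is reserved; approving would grant it permanently", org)
		}
		if !allowedGroups[org] {
			return fmt.Errorf("group %q is not in the approved set", org)
		}
	}
	return nil
}

func main() {
	allowed := map[string]bool{"myadmin": true} // constructed allowlist for the demo
	cases := []struct {
		cn   string
		orgs []string
	}{
		{"myadmin", []string{"myadmin"}},                          // what the gist creates
		{"myadmin", []string{"myadmin", "system:masters"}},        // RBAC bypass hidden in O
		{"system:kube-controller-manager", []string{"myadmin"}},   // impersonating a component
	}
	for _, c := range cases {
		req, err := MakeCSR(c.cn, c.orgs)
		if err != nil {
			panic(err)
		}
		csr, err := DecodeRequest(req)
		if err == nil {
			err = CheckSubject(csr, "myadmin", allowed)
		}
		fmt.Printf("CN=%s O=%v -> approve=%v (%v)\n", c.cn, c.orgs, err == nil, err)
	}
}
```

Run it and only the first case is approvable; the two others are exactly the requests that `kubectl certificate approve` would sign without complaint. Whatever gate you use, apply it to `spec.request` as stored in the cluster, not to the local `.csr` file, since those can differ.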