100daysofdevops · January 27, 2024 02:32
diff --git a/access_to_kubernetes_space.txt b/access_to_kubernetes_space.txt
 1. Create a Namespace
 # Create a namespace named 'devops'
 kubectl create ns devops

 2. Create a Private Key for the User
 # Generate a 2048-bit RSA private key for the user
 openssl genrsa -out prashant.key 2048

 3. Create a Certificate Signing Request (CSR) for the User

 # Create a CSR with the specified subject
 openssl req -new -key prashant.key -out prashant.csr -subj "/CN=prashant/O=devops"

 4. Kubernetes Admin Signs the CSR
 The next step involves the Kubernetes administrator. The user sends the prashant.csr file securely to the admin, who then signs it using the Kubernetes certificate authority's (CA) private key and certificate.
 openssl x509 -req -in prashant.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out prashant.crt -days 365

 5. Admin Creates a Kubeconfig File for the User

 # Set the cluster details in the kubeconfig file
 kubectl --kubeconfig prashant.kubeconfig config set-cluster kubernetes --server https://<controlplane server>:6443 --certificate-authority=ca.crt
 Note: The ca.crt file is directly passed here. Alternatively, you can use the following command to change the variable name to certificate-authority-data:
 cat ca.crt | base64 -w0

 6. Adding the User to Kubeconfig

 # Add user credentials to the kubeconfig
 kubectl --kubeconfig prashant.kubeconfig config set-credentials prashant --client-certificate /root/prashant.crt --client-key /root/prashant.key 

 7. Set and Use the Context
 # Define and use the new context
 kubectl --kubeconfig prashant.kubeconfig config set-context prashant-kubernetes --cluster kubernetes --namespace devops --user prashant
 kubectl --kubeconfig prashant.kubeconfig config use-context prashant-kubernetes
 Note: To check your Kubernetes server configuration, use the kubectl config view command. You can also modify an existing kubeconfig file based on your requirements instead of creating a new one.

 8. Permissions for the User
 Initially, when user prashant tries to execute commands, they will fail due to lack of defined roles/rolebindings:
 kubectl --kubeconfig prashant.kubeconfig get pods
 Error: pods is forbidden...

 9. Define Role and RoleBinding for User Access
 # Create a role with specific resource permissions in the 'devops' namespace
 kubectl create role prashant-devops --verb=get,list --resource=pods --namespace=devops

 # Associate the user with the role through a rolebinding
 kubectl create rolebinding prashant-devops-rolebinding --role prashant-devops --user=prashant --namespace=devops
 Now, user prashant can list pods in the 'devops' namespace but not in others:

 kubectl --kubeconfig prashant.kubeconfig get pods -n devops
 # Output: Details of pods in the 'devops' namespace

 kubectl --kubeconfig prashant.kubeconfig get pods -n default
 # Error: Forbidden...

 10. Scalable Solution: Group-Based Role Assignments
 As a more scalable solution, assign permissions to groups instead of individual users. Recall that the CSR included an Organization (O) set as 'devops':

 kubectl create rolebinding prashant-devops-rolebinding --role prashant-devops --group=devops --namespace=devops
 This way, any user part of the 'devops' group inherits the permissions.

 11. Alternative: Using Kubernetes Built-in Certificates API
 Another method involves the Kubernetes admin using the built-in Certificates API for handling CSR requests. Instead of manually signing CSRs, the admin can create and approve CSRs through Kubernetes:

 # Example Certificate Signing Request creation
 cat <<EOF | kubectl apply -f -
 apiVersion: certificates.k8s.io/v1
 kind: CertificateSigningRequest
 ...
 EOF

 # To view and approve the request
 kubectl get csr
 kubectl certificate approve prashant
 Note: Controller manager handles certificate operations, with specific controllers for CSR approving and signing tasks.
	1. Create a Namespace
	# Create a namespace named 'devops'
	kubectl create ns devops

	2. Create a Private Key for the User
	# Generate a 2048-bit RSA private key for the user
	openssl genrsa -out prashant.key 2048

	3. Create a Certificate Signing Request (CSR) for the User

	# Create a CSR with the specified subject
	openssl req -new -key prashant.key -out prashant.csr -subj "/CN=prashant/O=devops"

	4. Kubernetes Admin Signs the CSR
	The next step involves the Kubernetes administrator. The user sends the prashant.csr file securely to the admin, who then signs it using the Kubernetes certificate authority's (CA) private key and certificate.
	openssl x509 -req -in prashant.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out prashant.crt -days 365

	5. Admin Creates a Kubeconfig File for the User

	# Set the cluster details in the kubeconfig file
	kubectl --kubeconfig prashant.kubeconfig config set-cluster kubernetes --server https://<controlplane server>:6443 --certificate-authority=ca.crt
	Note: The ca.crt file is directly passed here. Alternatively, you can use the following command to change the variable name to certificate-authority-data:
	cat ca.crt \| base64 -w0

	6. Adding the User to Kubeconfig

	# Add user credentials to the kubeconfig
	kubectl --kubeconfig prashant.kubeconfig config set-credentials prashant --client-certificate /root/prashant.crt --client-key /root/prashant.key

	7. Set and Use the Context
	# Define and use the new context
	kubectl --kubeconfig prashant.kubeconfig config set-context prashant-kubernetes --cluster kubernetes --namespace devops --user prashant
	kubectl --kubeconfig prashant.kubeconfig config use-context prashant-kubernetes
	Note: To check your Kubernetes server configuration, use the kubectl config view command. You can also modify an existing kubeconfig file based on your requirements instead of creating a new one.

	8. Permissions for the User
	Initially, when user prashant tries to execute commands, they will fail due to lack of defined roles/rolebindings:
	kubectl --kubeconfig prashant.kubeconfig get pods
	Error: pods is forbidden...

	9. Define Role and RoleBinding for User Access
	# Create a role with specific resource permissions in the 'devops' namespace
	kubectl create role prashant-devops --verb=get,list --resource=pods --namespace=devops

	# Associate the user with the role through a rolebinding
	kubectl create rolebinding prashant-devops-rolebinding --role prashant-devops --user=prashant --namespace=devops
	Now, user prashant can list pods in the 'devops' namespace but not in others:

	kubectl --kubeconfig prashant.kubeconfig get pods -n devops
	# Output: Details of pods in the 'devops' namespace

	kubectl --kubeconfig prashant.kubeconfig get pods -n default
	# Error: Forbidden...

	10. Scalable Solution: Group-Based Role Assignments
	As a more scalable solution, assign permissions to groups instead of individual users. Recall that the CSR included an Organization (O) set as 'devops':

	kubectl create rolebinding prashant-devops-rolebinding --role prashant-devops --group=devops --namespace=devops
	This way, any user part of the 'devops' group inherits the permissions.

	11. Alternative: Using Kubernetes Built-in Certificates API
	Another method involves the Kubernetes admin using the built-in Certificates API for handling CSR requests. Instead of manually signing CSRs, the admin can create and approve CSRs through Kubernetes:

	# Example Certificate Signing Request creation
	cat <<EOF \| kubectl apply -f -
	apiVersion: certificates.k8s.io/v1
	kind: CertificateSigningRequest
	...
	EOF

	# To view and approve the request
	kubectl get csr
	kubectl certificate approve prashant
	Note: Controller manager handles certificate operations, with specific controllers for CSR approving and signing tasks.