Skip to content

Instantly share code, notes, and snippets.

@danielpassos

danielpassos/tgik-004.md

Last active April 15, 2019 22:03
Show Gist options
  • Save danielpassos/1b1b33dd51a1a7a3ad2a7c4c5a3842ec to your computer and use it in GitHub Desktop.
Save danielpassos/1b1b33dd51a1a7a3ad2a7c4c5a3842ec to your computer and use it in GitHub Desktop.
Download ZIP
[TGI Kubernetes 004: RBAC] Step by step used by @jbeda on @TGIK 004 (RBAC) #tgik #document #kubernetes
Raw
tgik-004.md

TGI Kubernetes 004: RBAC

This is the step by step used by Joe Beda on TGI Kubernetes 004: RBAC

References:

Authentication

  1. Generate the private key:

    openssl genrsa -out passos.pem 2048

  2. Generate the certificate signing request

    openssl req -new -key passos.pem -out passos.csr -subj "/CN=passos/O=cool-people"

  3. Create a Kubernetes CertificateSigningRequest file

    csr_req.yaml

    apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
metadata:
  name: user-request-passos
spec:
  groups:
  - system:authenticated
  request: fill with csr base64 content
  usages:
  - digital signature
  - key encipherment
  - client auth

  4. Fill the request on csr_req.yaml with the content of you .csr file in base64

    manually

    cat passos.csr | base64 | tr -d '\n' | pbcopy

    or

    automaticlly

    yq w -i csr_req.yaml spec.request $(cat passos.csr | base64)

  5. Use the csr_req.yaml to create your resource

    kubectl create -f csr_req.yaml

  6. Approve the certificate

    kubectl certificate approve user-request-passos

  7. Get the new signed public key from the csr resource

    kubectl get csr user-request-passos -o jsonpath='{.status.certificate}' | base64 -D > passos.crt

  8. Create a kubeconfig file with the new credentials

    kubeconfig-passos.yaml

    apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: [[REDACTED]]
    server: [[REDACTED]]
  name: white
contexts:
- context:
    cluster: white
    user: passos
  name: white
current-context: white
kind: Config
preferences: {}
users:
- name: passos
  user:
    client-certificate-data: fill with crt base64 content
    client-key-data: fill with pem base64 content

  9. Fill the client-certificate-data with the .crt content in base64 format

    manually

    cat passos.crt | base64 | pbcopy

    or

    automaticlly

    yq w -i kubeconfig-passos.yaml users[0].user.client-certificate-data $(cat passos.crt | base64)

  10. Fill the client-key-data with the .crt content in base64 format

    manually

    cat passos.pem | base64 | pbcopy

    automaticlly

    yq w -i kubeconfig-passos.yaml users[0].user.client-key-data $(cat passos.pem | base64)

  11. Test that the new user was created successfully using kubectl

    kubectl --kubeconfig kubeconfig-passos.yaml get pods

    If all works fine, you should get something like this:

    Error from server (Forbidden): pods is forbidden: User "passos" cannot list resource "pods" in API group "" in the namespace "default"

Authorization

  1. List all roles

    kubectl get roles --all-namespaces

  2. List all cluster roles

    kubectl get clusterroles

  3. List all resources/verbs admin role has

    kubectl get clusterroles admin -o yaml

  4. Give admin credentials to the new user withint the default namespace

    kubectl create rolebinding passos --clusterrole=admin --user=passos

  5. List all rolebinding

    kubectl get rolebinding

  6. List all nodes using the user created

    kubectl --kubeconfig=kubeconfig-passos.yaml get nodes

    You should get an error because the role admin don't give you the power of list the nodes

    Error from server (Forbidden): nodes is forbidden: User "passos" cannot list resource "nodes" in API group "" at the cluster scope

  7. List all pods using the user created

    kubectl --kubeconfig=kubeconfig-passos.yaml get pods

    You should see the list of the pods on this cluster

  8. Create a new namespace

    kubectl create namespace foo

  9. List all namescapes

    kubectl get namespace

  10. Try to list all pods in the new foo namespace with the new user

    kubectl --kubeconfig=kubeconfig-passos.yaml get pods -n foo

    You should get an error because the role admin was gave within default namespace

    Error from server (Forbidden): pods is forbidden: User "passos" cannot list resource "pods" in API group "" in the namespace "foo"

  11. Give readOnly accees to the new user for all namespaces

    kubectl create clusterrolebinding passos-ro --clusterrole=view --user=passos

  12. Try to list all pods in the new foo namespace with the new user

    kubectl --kubeconfig=kubeconfig-passos.yaml get pods -n foo

  13. Try to deploy the kuard in the foo namespace

    kubectl --kubeconfig=kubeconfig-passos.yaml run --image=gcr.io/kuar-demo/kuard-amd64:1 kuard -n foo

    You should get an error because the new user is readyOnly (view) in the foo namespace

    Error from server (Forbidden): deployments.apps is forbidden: User "passos" cannot create resource "deployments" in API group "apps" in the namespace "foo"
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment