
@egeneralov
Last active May 12, 2020 21:38

k8s example rbac for sysadmin

Just to rule out mistakes like kubectl delete ns --all: the ClusterRole below omits the delete verb on namespaces.

usage

  • kubectl apply -f operator.yaml
  • bash -xe kubeconfig.sh
  • kubectl --kubeconfig operator-kubeconfig.yaml get ns,sa,po,hpa,rs,deploy,sts,pv,pvc,svc,ingress,secrets,ep,nodes > /dev/null
changelog
  • fixed pod exec
  • fixed scaling for rs,sts,deploy
  • fixed logs reading

kubeconfig.sh

#!/usr/bin/env bash
# Builds operator-kubeconfig.yaml from the token secret that Kubernetes auto-generates
# for the "operator" ServiceAccount created by operator.yaml. The secret is looked up in
# the current namespace, and the ClusterRoleBinding in operator.yaml expects the
# ServiceAccount to live in "default", so run this with the default namespace selected.
set -euo pipefail

# API server URL as printed by cluster-info (newer kubectl prints "Kubernetes control plane"
# instead of "Kubernetes master"); the sed strips ANSI colour codes from the output.
ENDPOINT=$(kubectl cluster-info | grep -E 'Kubernetes (master|control plane)' | awk '/http/ {print $NF}' | sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g")
# Name of the ServiceAccount token secret, resolved once and reused below
SECRET=$(kubectl get secrets | grep operator | awk '{print $1}')
TOKEN=$(kubectl get secret "${SECRET}" -o jsonpath="{['data']['token']}" | base64 --decode)
# Decoded CA certificate (not needed by the kubeconfig, which embeds the base64 form)
CA=$(kubectl get secret "${SECRET}" -o jsonpath="{['data']['ca\.crt']}" | base64 --decode)
CABASE=$(kubectl get secret "${SECRET}" -o jsonpath="{['data']['ca\.crt']}")
CONTEXT=$(kubectl config current-context)
cat << EOF > operator-kubeconfig.yaml
apiVersion: v1
kind: Config
users:
- name: operator
  user:
    token: ${TOKEN}
clusters:
- cluster:
    certificate-authority-data: ${CABASE}
    server: ${ENDPOINT}
  name: ${CONTEXT}
contexts:
- context:
    cluster: ${CONTEXT}
    user: operator
  name: ${CONTEXT}
current-context: ${CONTEXT}
EOF

operator.yaml

---
apiVersion: v1
kind: List
items:
- apiVersion: rbac.authorization.k8s.io/v1
  kind: ClusterRole
  metadata:
    name: operator
  rules:
  - nonResourceURLs:
    - /healthz
    - /livez
    - /readyz
    - /version
    - /version/
    verbs:
    - get
  - apiGroups:
    - metrics.k8s.io
    resources:
    - "*"
    verbs:
    - get
    - list
    - watch
    - create
    - delete
    - patch
    - update
  - apiGroups:
    - apps
    resources:
    - replicasets
    - replicasets/scale
    - deployments
    - deployments/scale
    - statefulsets
    - statefulsets/scale
    verbs:
    - get
    - list
    - watch
    - create
    - delete
    - patch
    - update
  - apiGroups:
    - ""
    resources:
    - persistentvolumes
    verbs:
    - get
    - list
    - watch
    - create
    - delete
    - patch
    - update
  - apiGroups:
    - storage.k8s.io
    resources:
    - storageclasses
    verbs:
    - get
    - list
    - watch
  - apiGroups:
    - ""
    resources:
    - events
    - nodes
    verbs:
    - get
    - list
    - watch
  - apiGroups:
    - ""
    resources:
    - pods
    - "pods/exec"
    - "pods/log"
    - "pods/logs"
    - podtemplates
    - horizontalpodautoscalers
    - poddisruptionbudgets
    - secrets
    - services
    - endpoints
    - persistentvolumeclaims
    - serviceaccounts
    verbs:
    - get
    - list
    - watch
    - create
    - delete
    - patch
    - update
  - apiGroups:
    - ""
    resources:
    - namespaces
    # deliberately no "delete" here
    verbs:
    - get
    - list
    - watch
    - create
    - patch
    - update
  - apiGroups:
    - "rbac.authorization.k8s.io"
    resources:
    - clusterrolebindings
    - clusterroles
    - rolebindings
    - roles
    verbs:
    - get
    - list
    - watch
    - create
    - patch
    - update
    - delete
  - apiGroups:
    - "autoscaling"
    resources:
    - horizontalpodautoscalers
    verbs:
    - get
    - list
    - watch
    - create
    - patch
    - update
    - delete
  - apiGroups:
    - "extensions"
    resources:
    - ingresses
    verbs:
    - get
    - list
    - watch
    - create
    - patch
    - update
    - delete
- apiVersion: v1
  kind: ServiceAccount
  metadata:
    name: operator
    # must match the namespace named in the ClusterRoleBinding subject below
    namespace: default
- apiVersion: rbac.authorization.k8s.io/v1
  kind: ClusterRoleBinding
  metadata:
    name: operator
  roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: ClusterRole
    name: operator
  subjects:
  - kind: ServiceAccount
    name: operator
    namespace: default
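As an added example that is not part of the gist, the following Python script applies the Kubernetes RBAC matching rules (exact verb and resource match, "*" wildcards, and "*/subresource" entries) to a constructed subset of the ClusterRole's rules, so the intended restriction, no delete on namespaces, can be checked offline before the role is applied. The RULES list and the checks in it are this example's own constructed data, trimmed from operator.yaml above.

```python
# Added example (not from the gist): an offline evaluator implementing Kubernetes RBAC rule
# matching, to confirm the ClusterRole above withholds `delete` on namespaces while still
# granting day-to-day verbs. RULES is a constructed subset of the rules in operator.yaml.
RULES = [
    {"nonResourceURLs": ["/healthz", "/version", "/version/"], "verbs": ["get"]},
    {"apiGroups": ["apps"], "resources": ["deployments", "deployments/scale"],
     "verbs": ["get", "list", "watch", "create", "delete", "patch", "update"]},
    {"apiGroups": [""], "resources": ["events", "nodes"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": [""], "resources": ["pods", "pods/exec", "pods/log", "secrets"],
     "verbs": ["get", "list", "watch", "create", "delete", "patch", "update"]},
    {"apiGroups": [""], "resources": ["namespaces"],
     "verbs": ["get", "list", "watch", "create", "patch", "update"]},  # no delete on purpose
]

def _verb_ok(rule, verb):
    return "*" in rule.get("verbs", []) or verb in rule.get("verbs", [])

def _resource_ok(rule, resource):
    # "pods" does NOT cover the "pods/exec" subresource: a subresource needs an exact
    # "pods/exec" entry, a "*/exec" wildcard entry, or "*".
    sub = resource.split("/", 1)[1] if "/" in resource else ""
    for r in rule.get("resources", []):
        if r == "*" or r == resource or (sub and r == "*/" + sub):
            return True
    return False

def can_i(rules, verb, resource, api_group=""):
    """True if any resource rule grants `verb` on `resource` in `api_group` ("" = core)."""
    for rule in rules:
        groups = rule.get("apiGroups", [])
        if "resources" in rule and ("*" in groups or api_group in groups):
            if _verb_ok(rule, verb) and _resource_ok(rule, resource):
                return True
    return False

def can_i_url(rules, verb, path):
    """Non-resource URL check; a rule URL ending in '*' is a prefix wildcard."""
    for rule in rules:
        for url in rule.get("nonResourceURLs", []):
            hit = url == "*" or path == url or (url.endswith("*") and path.startswith(url[:-1]))
            if hit and _verb_ok(rule, verb):
                return True
    return False

if __name__ == "__main__":
    for verb, res, grp in [("delete", "namespaces", ""), ("delete", "pods", ""),
                           ("delete", "nodes", ""), ("create", "pods/exec", ""),
                           ("patch", "deployments/scale", "apps")]:
        print(f"{verb} {grp or 'core'}/{res}: {'allowed' if can_i(RULES, verb, res, grp) else 'denied'}")
```

Against a live cluster the same questions go to the API server's own authorizer, e.g. kubectl auth can-i delete namespaces --as=system:serviceaccount:default:operator, which is the check to run after kubectl apply -f operator.yaml.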