Gist: henning/2dda0b704426c66e78e355703a8dc177
#!/bin/bash
# Create a Kubernetes user backed by a client certificate, bind it to a
# namespaced Role and add a kubectl context for it.
set -euo pipefail

CLUSTERNAME=mycluster.mydomain
NAMESPACE=default
USERNAME=myclusteruser
GROUPNAME=mygroup

KEY_FILE=$USERNAME.key
CSR_FILE=$USERNAME.csr
CRT_FILE=$USERNAME.crt

# The private key never leaves this machine; only the CSR is sent to the cluster.
openssl genrsa -out "$KEY_FILE" 2048
# CN becomes the Kubernetes username, O the group the user belongs to.
openssl req -new -key "$KEY_FILE" -out "$CSR_FILE" -subj "/CN=$USERNAME/O=$GROUPNAME"

CERTIFICATE_NAME=$USERNAME.$NAMESPACE

# certificates.k8s.io/v1 (v1beta1 was removed in 1.22) requires a signerName.
# kube-apiserver-client issues certificates for authenticating *to* the API
# server and only accepts "client auth" as usage; a user certificate must not
# carry "server auth".
cat <<EOF | kubectl create -f -
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: $CERTIFICATE_NAME
spec:
  signerName: kubernetes.io/kube-apiserver-client
  request: $(base64 < "$CSR_FILE" | tr -d '\n')
  usages:
  - digital signature
  - key encipherment
  - client auth
EOF

kubectl certificate approve "$CERTIFICATE_NAME"

# The signer fills in status.certificate asynchronously; wait until it is there.
until kubectl get csr "$CERTIFICATE_NAME" -o jsonpath='{.status.certificate}' | grep -q .; do
  sleep 1
done
# base64 -d is the GNU/coreutils flag; on macOS use base64 -D.
kubectl get csr "$CERTIFICATE_NAME" -o jsonpath='{.status.certificate}' | base64 -d > "$CRT_FILE"

# Namespaced Role: only the listed resources in $NAMESPACE, nothing cluster-wide.
cat <<EOF | kubectl create -f -
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: $NAMESPACE
  name: deployment-manager
rules:
- apiGroups: ["", "extensions", "apps"]
  resources: ["deployments", "replicasets", "pods"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] # You can also use ["*"]
EOF

# Bind the Role to the user identified by the certificate's CN.
cat <<EOF | kubectl create -f -
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: $USERNAME-deployment-manager-binding
  namespace: $NAMESPACE
subjects:
- kind: User
  name: $USERNAME
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: deployment-manager
  apiGroup: rbac.authorization.k8s.io
EOF

kubectl config set-credentials "$USERNAME" \
  --client-certificate="$(pwd)/$CRT_FILE" \
  --client-key="$(pwd)/$KEY_FILE"
kubectl config set-context "$USERNAME-context" --cluster="$CLUSTERNAME" --namespace="$NAMESPACE" --user="$USERNAME"
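As an added example, not part of henning's gist or of the comments below: once the script has run, a short post-issuance check confirms that the certificate is a client-auth certificate with the expected CN and O (Kubernetes derives the username and group from exactly those fields, so a mismatch silently breaks the RoleBinding), and that the binding grants access inside the namespace but nothing beyond it. It assumes the same variable names as the script, openssl 1.1.1 or later (for `-ext`) and kubectl on PATH; the sample openssl output near the end is constructed only to exercise the helper functions offline.

```shell
#!/bin/sh
# Added example (not from the gist): verify a freshly issued user certificate
# and the scope of its RBAC binding before handing the kubeconfig to anyone.
set -eu

# Same names as the script; override via the environment if needed.
USERNAME="${USERNAME:-myclusteruser}"
GROUPNAME="${GROUPNAME:-mygroup}"
NAMESPACE="${NAMESPACE:-default}"
CRT_FILE="${CRT_FILE:-$USERNAME.crt}"

# eku_ok TEXT: TEXT is the output of `openssl x509 -noout -ext extendedKeyUsage`.
# Succeeds only if the cert is usable for client auth and NOT for server auth;
# a user certificate should never be presentable as a server identity.
eku_ok() {
  case "$1" in
    *"TLS Web Client Authentication"*) ;;
    *) return 1 ;;
  esac
  case "$1" in
    *"TLS Web Server Authentication"*) return 1 ;;
  esac
  return 0
}

# subject_ok TEXT CN O: TEXT is the output of `openssl x509 -noout -subject`
# (both the "CN = x, O = y" and the older "/CN=x/O=y" layouts are accepted).
subject_ok() {
  case "$1" in
    *"CN = $2, O = $3"*|*"/CN=$2/O=$3"*) return 0 ;;
    *) return 1 ;;
  esac
}

# can_i VERB RESOURCE NS: ask the API server, impersonating the new user and
# group, whether the action is allowed; exit status 0 means "yes".
can_i() {
  kubectl auth can-i "$1" "$2" -n "$3" --as="$USERNAME" --as-group="$GROUPNAME"
}

# Live checks against the certificate file and the cluster.
verify() {
  eku_ok "$(openssl x509 -noout -ext extendedKeyUsage -in "$CRT_FILE")" \
    || { echo "FAIL: $CRT_FILE is not a client-auth-only certificate"; return 1; }
  subject_ok "$(openssl x509 -noout -subject -in "$CRT_FILE")" "$USERNAME" "$GROUPNAME" \
    || { echo "FAIL: subject does not carry CN=$USERNAME, O=$GROUPNAME"; return 1; }
  # Granted inside the namespace ...
  can_i create deployments "$NAMESPACE" >/dev/null \
    || { echo "FAIL: cannot create deployments in $NAMESPACE"; return 1; }
  # ... and denied for unrelated resources and other namespaces (least privilege).
  if can_i list secrets "$NAMESPACE" >/dev/null; then
    echo "FAIL: user can list secrets in $NAMESPACE"; return 1
  fi
  if can_i get pods kube-system >/dev/null; then
    echo "FAIL: role leaks into kube-system"; return 1
  fi
  echo "OK: $USERNAME certificate and RBAC scope verified"
}

# Constructed sample openssl output (not captured from a real cluster), used
# to exercise the helpers without openssl or kubectl.
SAMPLE_EKU_CLIENT='X509v3 Extended Key Usage:
    TLS Web Client Authentication'
SAMPLE_EKU_SERVER='X509v3 Extended Key Usage:
    TLS Web Server Authentication'
SAMPLE_SUBJECT='subject=CN = myclusteruser, O = mygroup'

selfcheck() {
  eku_ok "$SAMPLE_EKU_CLIENT" || return 1
  if eku_ok "$SAMPLE_EKU_SERVER"; then return 1; fi
  subject_ok "$SAMPLE_SUBJECT" myclusteruser mygroup || return 1
  if subject_ok "$SAMPLE_SUBJECT" someoneelse mygroup; then return 1; fi
  return 0
}

# "run" performs the live checks; "selfcheck" only exercises the helpers.
case "${1:-}" in
  run) verify ;;
  selfcheck) selfcheck ;;
esac
```

Run it as `sh verify.sh run` from the directory where the script wrote `$CRT_FILE`; the impersonation checks use your admin credentials, so the new user's kubeconfig context does not need to be active.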
As I said, there are no good recipes available for doing this. Most of the Kubernetes documentation is focused on helping services communicate with each other securely. I found a KOPS or Kubernetes Jira ticket (cannot remember which) that mentioned it.
I found the list of valid Key Usages here: https://godoc.org/k8s.io/kubernetes/pkg/apis/certificates#KeyUsage
Hi guys!
Thanks for your updates and hints on this!
I'm currently not working with any Kubernetes installation, so I have no possibilities (and time) to test and comment on these things... actually I don't even remember completely how I wrote it.
Vaguely I remember it's partly commands copied from some Kubernetes docs (2 years ago!), banged together in one script and made more flexible with the variables so it can be executed simply and repeatedly, without error-prone manual interaction.
It's 2 years old, so I'm surprised it still works halfway for such fast-changing software as k8s. Also, I think I remember being surprised that a thing like "create a user" needed such a lot of additional scripting - and I'm again surprised this is still the case.
But great if this helped you a bit.
Hope sometime I will be able to play with k8s stuff again and try your changes :)
It works now. Thank you so much for your instruction. May I know where I can find the related document that mentions the details about "server auth" and "client auth"? I once read the official document here, just did not realize the issue here.