create k8s user, certificate, permissions and client config
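#!/usr/bin/env bash
#
# Create a Kubernetes user backed by a client certificate signed by the
# cluster's kube-apiserver-client signer, grant that user a namespaced Role,
# and add matching credentials + context to the local kubeconfig.
#
# Steps:
#   1. generate an RSA key and a CSR whose subject carries the user name (CN)
#      and group name (O) that the API server maps to User / Group identities;
#   2. submit the CSR to the certificates API and approve it (approving needs
#      cluster-level rights, typically cluster-admin);
#   3. wait for the issued certificate and write it next to the key;
#   4. create a Role and RoleBinding scoped to $NAMESPACE;
#   5. add the user and a context to the current kubeconfig.
#
# Environment (defaults shown):
#   CLUSTERNAME=mycluster.mydomain   cluster entry that must ALREADY exist in
#                                    the kubeconfig; this script does not add it
#   NAMESPACE=default                namespace the Role/RoleBinding live in
#   USERNAME=myclusteruser           certificate CN -> Kubernetes User name
#   GROUPNAME=mygroup                certificate O  -> Kubernetes Group name
#   CERT_EXPIRATION_SECONDS          optional; sets spec.expirationSeconds on
#                                    the CSR (honoured by the in-tree signer on
#                                    clusters that support it). Client certs
#                                    cannot be revoked, so keep lifetimes short.
#
# Outputs: $USERNAME.key (mode 0600, private), $USERNAME.csr, $USERNAME.crt in
# the current directory. Re-running replaces any stale CSR of the same name and
# re-applies the RBAC objects, so the script is safe to repeat.

set -euo pipefail

CLUSTERNAME=${CLUSTERNAME:-mycluster.mydomain}
NAMESPACE=${NAMESPACE:-default}
USERNAME=${USERNAME:-myclusteruser}
GROUPNAME=${GROUPNAME:-mygroup}

KEY_FILE=$USERNAME.key
CSR_FILE=$USERNAME.csr
CRT_FILE=$USERNAME.crt
CERTIFICATE_NAME=$USERNAME.$NAMESPACE

die() { printf 'error: %s\n' "$*" >&2; exit 1; }

#######################################
# Reject names that would break file names / YAML or grant unintended power.
# The O field of the CSR becomes a Kubernetes group with no further checks, so
# a group such as "system:masters" would mint an irrevocable cluster-admin
# credential; refuse anything in the reserved "system:" prefix.
#######################################
validate_inputs() {
  [[ "$USERNAME" =~ ^[A-Za-z0-9][A-Za-z0-9._@-]*$ ]] \
    || die "USERNAME '$USERNAME' contains characters unsafe for file names or YAML"
  [[ "$GROUPNAME" =~ ^[A-Za-z0-9][A-Za-z0-9._:-]*$ ]] \
    || die "GROUPNAME '$GROUPNAME' contains characters unsafe for YAML"
  [[ "$GROUPNAME" != system:* ]] \
    || die "refusing to issue a certificate for reserved group '$GROUPNAME'"
  [[ "$NAMESPACE" =~ ^[a-z0-9]([a-z0-9-]*[a-z0-9])?$ ]] \
    || die "NAMESPACE '$NAMESPACE' is not a valid namespace name"
  if [[ -n "${CERT_EXPIRATION_SECONDS:-}" && ! "$CERT_EXPIRATION_SECONDS" =~ ^[0-9]+$ ]]; then
    die "CERT_EXPIRATION_SECONDS must be a positive integer"
  fi
  command -v openssl >/dev/null || die "openssl not found in PATH"
  command -v kubectl >/dev/null || die "kubectl not found in PATH"
}

#######################################
# Fail early if the kubeconfig has no cluster entry named $CLUSTERNAME;
# otherwise set-context at the end silently produces an unusable context.
#######################################
require_cluster_entry() {
  local found
  found=$(kubectl config view -o jsonpath="{.clusters[?(@.name==\"$CLUSTERNAME\")].name}")
  [[ -n "$found" ]] || die "cluster '$CLUSTERNAME' is not defined in the kubeconfig"
}

#######################################
# Generate the private key (0600 via a subshell-local umask) and a CSR with
# CN=$USERNAME and O=$GROUPNAME. An existing key is refused rather than
# silently overwritten.
#######################################
generate_key_and_csr() {
  [[ ! -e "$KEY_FILE" ]] || die "$KEY_FILE already exists; remove it to re-issue"
  ( umask 077 && openssl genrsa -out "$KEY_FILE" 2048 )
  openssl req -new -key "$KEY_FILE" -out "$CSR_FILE" -subj "/CN=$USERNAME/O=$GROUPNAME"
}

#######################################
# Submit the CSR to certificates.k8s.io/v1 and approve it.
# The signer only accepts "client auth" (plus digital signature / key
# encipherment) usages; "server auth" would be rejected and, on older servers,
# would yield a certificate the API server will not accept for login.
# spec.groups is populated by the API server from the submitting identity and
# must not be set by the client.
#######################################
submit_and_approve_csr() {
  local expiration_line=""
  if [[ -n "${CERT_EXPIRATION_SECONDS:-}" ]]; then
    expiration_line="  expirationSeconds: $CERT_EXPIRATION_SECONDS"
  fi
  # A leftover CSR with this name would carry a certificate for a different key.
  kubectl delete csr "$CERTIFICATE_NAME" --ignore-not-found >/dev/null
  kubectl create -f - <<EOF
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: $CERTIFICATE_NAME
spec:
  signerName: kubernetes.io/kube-apiserver-client
  request: $(base64 < "$CSR_FILE" | tr -d '\n')
${expiration_line}
  usages:
  - digital signature
  - key encipherment
  - client auth
EOF
  kubectl certificate approve "$CERTIFICATE_NAME"
}

#######################################
# Poll until the controller has signed the approved CSR, then decode the
# certificate to $CRT_FILE. Approval and issuance are asynchronous, so reading
# .status.certificate immediately after approve can return an empty string.
#######################################
wait_for_certificate() {
  local attempts=30 cert=""
  while (( attempts > 0 )); do
    cert=$(kubectl get csr "$CERTIFICATE_NAME" -o jsonpath='{.status.certificate}')
    if [[ -n "$cert" ]]; then
      # --decode is understood by both GNU and macOS base64 (-D is macOS-only).
      printf '%s' "$cert" | base64 --decode > "$CRT_FILE"
      return 0
    fi
    attempts=$((attempts - 1))
    sleep 1
  done
  die "CSR $CERTIFICATE_NAME was approved but no certificate was issued within 30s"
}

#######################################
# Grant the user deployment-manager rights in $NAMESPACE only.
# Kept intentionally narrow: do not replace the rule with ["*"] wildcards,
# and "extensions" is kept solely for pre-1.16 clusters.
#######################################
create_rbac() {
  kubectl apply -f - <<EOF
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: $NAMESPACE
  name: deployment-manager
rules:
- apiGroups: ["", "extensions", "apps"]
  resources: ["deployments", "replicasets", "pods"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
EOF
  kubectl apply -f - <<EOF
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: $USERNAME-deployment-manager-binding
  namespace: $NAMESPACE
subjects:
- kind: User
  name: $USERNAME
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: deployment-manager
  apiGroup: rbac.authorization.k8s.io
EOF
}

#######################################
# Register the credentials and a context. Paths are absolute so the kubeconfig
# works from any directory; pass --embed-certs=true instead if the kubeconfig
# is meant to be copied elsewhere on its own.
#######################################
write_kubeconfig() {
  kubectl config set-credentials "$USERNAME" \
    --client-certificate="$PWD/$CRT_FILE" \
    --client-key="$PWD/$KEY_FILE"
  kubectl config set-context "$USERNAME-context" \
    --cluster="$CLUSTERNAME" --namespace="$NAMESPACE" --user="$USERNAME"
}

main() {
  validate_inputs
  require_cluster_entry
  generate_key_and_csr
  submit_and_approve_csr
  wait_for_certificate
  create_rbac
  write_kubeconfig
  printf 'created user %s (group %s); use: kubectl --context=%s-context ...\n' \
    "$USERNAME" "$GROUPNAME" "$USERNAME"
}

main "$@"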
Hi guys!
Thanks for your updates and hints on this!
I'm currently not working with any Kubernetes installation, so I have no way (or time) to test and comment on these things... actually I don't even remember completely how I wrote it.
Vaguely I remember it's partly commands copied from some Kubernetes docs (2 years ago!), banged together into one script and made more flexible with variables so it can be executed simply and repeatedly, without error-prone manual interaction.
It's 2 years old, so I'm surprised it still works halfway for fast-changing software like k8s. Also, I think I remember being surprised that something as basic as "create a user" needed so much additional scripting - and I'm again surprised this is still the case.
But great if this helped you a bit.
Hope sometime I will be able to play with k8s stuff again and try your changes :)