@sarjsheff
Last active September 26, 2021 11:04
Generate kubectl config for user

Kube config client

srv# kubectl create ns test
srv# kubectl create sa testuser
srv# SNAME=`kubectl get sa testuser -o go-template="{{ (index .secrets 0).name }}"`
srv# kubectl get secret $SNAME -o go-template='{{ index .data "ca.crt" }}' | base64 -d > server.ca

cli# kubectl config set-cluster srv --server=https://<kube server ip>:6443 --embed-certs --certificate-authority=./server.ca

srv# TOKEN=`kubectl get secret $SNAME -o go-template='{{ .data.token }}' | base64 -d`

cli# kubectl config set-credentials testuser --token="$TOKEN"
cli# kubectl config set-context srv --cluster=srv
cli# kubectl config set-context srv --user=testuser
cli# kubectl config use-context srv

Add a Role and RoleBinding that let the service account view pods in namespace "test"

---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods-testuser
  namespace: test
subjects:
- kind: ServiceAccount
  name: testuser
  namespace: default   # the SA was created in "default" above; this must match or the binding grants nothing
  apiGroup: ""
roleRef:
  kind: Role
  name: pod-reader-testuser
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: test
  name: pod-reader-testuser
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["pods"]
  verbs: ["get", "watch", "list"]

#!/bin/sh
#
# ./k_adduser.sh <username> <kube server ip>
#
# Prints a kubeconfig for a new service account to stdout. It reads the
# token secret listed in the SA's .secrets field, which Kubernetes stopped
# auto-creating in 1.24; on newer clusters use "kubectl create token" or
# create a kubernetes.io/service-account-token secret by hand.
IP="${2:-127.0.0.1}"
kubectl create sa "$1"
SNAME=`kubectl get sa "$1" -o go-template="{{ (index .secrets 0).name }}"`
# ca.crt stays base64 (kubeconfig wants certificate-authority-data encoded); the token is decoded
CA=`kubectl get secret "$SNAME" -o go-template='{{ index .data "ca.crt" }}'`
TOKEN=`kubectl get secret "$SNAME" -o go-template='{{ .data.token }}' | base64 -d`
echo "apiVersion: v1"
echo "clusters:"
echo "- cluster:"
echo "    certificate-authority-data: $CA"
echo "    server: https://$IP:6443"
echo "  name: cluster"
echo "contexts:"
echo "- context:"
echo "    cluster: cluster"
echo "    user: $1"
echo "  name: context"
echo "current-context: context"
echo "kind: Config"
echo "preferences: {}"
echo "users:"
echo "- name: $1"
echo "  user:"
echo "    token: $TOKEN"
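As an added example, not part of the gist: Python that builds the same kubeconfig structure the script echoes and checks that the RoleBinding subject names the service account the token was actually issued to, the usual reason a binding like the one above grants nothing (the SA lives in "default", so the subject must say `namespace: default`). The CA bytes and the token are constructed placeholders; the claim names follow the legacy service-account secret token, and no signature is verified.

```python
import base64
import json

# Constructed inputs (not real cluster material): a CA placeholder and, below,
# an unsigned JWT shaped like the legacy service-account secret token.
CA_PEM = b"-----BEGIN CERTIFICATE-----\nMIIBplaceholder\n-----END CERTIFICATE-----\n"

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_legacy_sa_token(namespace: str, name: str) -> str:
    """Build a token with the claims a pre-1.24 SA secret token carries.
    The signature segment is a dummy; this only serves offline demonstration."""
    header = _b64url(json.dumps({"alg": "RS256", "kid": "example"}).encode())
    payload = _b64url(json.dumps({
        "iss": "kubernetes/serviceaccount",
        "kubernetes.io/serviceaccount/namespace": namespace,
        "kubernetes.io/serviceaccount/service-account.name": name,
        "sub": f"system:serviceaccount:{namespace}:{name}",
    }).encode())
    return f"{header}.{payload}.dummysig"

def build_kubeconfig(user: str, server_ip: str, ca_pem: bytes, token: str) -> dict:
    """Same layout k_adduser.sh echoes, built as a structure so the nesting of
    cluster/name, context/name and user/token cannot be mis-indented."""
    return {
        "apiVersion": "v1", "kind": "Config", "preferences": {},
        "clusters": [{"name": "cluster", "cluster": {
            "certificate-authority-data": base64.b64encode(ca_pem).decode(),
            "server": f"https://{server_ip}:6443"}}],
        "contexts": [{"name": "context",
                      "context": {"cluster": "cluster", "user": user}}],
        "current-context": "context",
        "users": [{"name": user, "user": {"token": token}}],
    }

def token_subject(token: str) -> str:
    """Read the JWT 'sub' claim (no signature check; the API server does that)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))["sub"]

def binding_matches_token(token: str, subjects: list) -> bool:
    """True if a ServiceAccount subject of the RoleBinding names the account
    the token was issued to; a namespace typo there silently grants nothing."""
    sub = token_subject(token)
    return any(s.get("kind") == "ServiceAccount" and
               f"system:serviceaccount:{s.get('namespace')}:{s.get('name')}" == sub
               for s in subjects)
```

`json.dumps(build_kubeconfig(...), indent=2)` gives a file kubectl accepts directly, since kubeconfig may be JSON as well as YAML.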