GitHub

Kubernetes generate user account and config

19 Apr 2021 / Mihai Nueleanu

Cover

How do you generate a kubernetes user account? How do you get access to your kubernetes cluster? How can you generate a kubernetes config file?

Intuitively, this should be pretty simple. However, in practice, the process is quite a bit convoluted.

However, I have automated it for myself. Below is the script, responsible for issuing cluster access, together with a kube config file, from start to finish.

Prerequisites:

How to use it:

The Script

# This script is responsible for issuing a cluster access 
# config file, which can afterwards be used by users or
# service integrations (such as github actions)

# Generate a key and a certificate signing request
# Hint: The CN field is important
openssl genrsa -out myuser.key 2048
openssl req -new -key myuser.key \
-subj "/C=DK/ST=DK/O=''/CN=myuser" \
-out myuser.csr

# Extract the certificate signing request
REQ=$(cat myuser.csr | base64 | tr -d "\n")

# Create a Kubernetes CSR object
# and approve it
cat <<EOF | kubectl apply -f -
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
name: myuser
spec:
groups:
- system:authenticated
request: $REQ
signerName: kubernetes.io/kube-apiserver-client
usages:
- client auth
EOF

kubectl get csr
kubectl certificate approve myuser

# Extract the kubernetes-approved signed certificate
kubectl get csr myuser -o jsonpath='{.status.certificate}'| base64 -d > myuser.crt

# Create the user role role (with the appropriate access levels)
# and bind the user to the role
kubectl create role myuser --verb="*" --namespace pr-env \
--resource=pod \
--resource=service \
--resource=configmap \
--resource=secret \
--resource=ingress \
--resource=daemonset \
--resource=replicaset \
--resource=deployment \
--resource=job
kubectl create rolebinding myuser-binding --role=myuser --user=myuser

# Cleanup the Kubernetes CSR
kubectl delete csr myuser

# Extract config locally, into your config file
# Location: ~/.kube/config
kubectl config set-credentials myuser --client-key=myuser.key --client-certificate=myuser.crt --embed-certs=true
kubectl config set-context myuser --cluster=kubernetes --user=myuser
kubectl config use-context myuser

The test

As soon as you have generate the new context, and it has been activated locally, run a test command, such as:

kubectl get nodes
kubectl get pods
kubectl get services

Note: the script is written in a very bare-bones and simple way, so that it's easy to understand and modify for you own purposes.

Read more




kubernetes
config
generate
manage
access
rbac
user account
Clap Claps

Comments

Hi, I'm Mihai

This is the place where I put stuff that I find interesting. Welcome to Dot.Method

GitHub Resume Contact Uses