- connect to any master node and get the ca.pem and ca-key.pem from /etc/kubernetes/ssl
- create a new user; in this example the user is called "testuser"
# Generate the private key for the new user (never leaves the user's machine).
openssl genrsa -out testuser.key 2048
# Kubernetes takes the username from the certificate's CN and group membership from O,
# so CN must equal the subject name used later in the RoleBinding ("testuser").
openssl req -new -key testuser.key -out testuser.csr -subj "/CN=testuser/O=testuser"
# Signing with the cluster CA key (ca-key.pem from the master node) produces a
# cluster-trusted client certificate valid for 500 days. Kubernetes does not check
# certificate revocation, so this credential stays usable until it expires or the CA
# is rotated — size -days accordingly and delete the copied ca-key.pem when done.
openssl x509 -req -in testuser.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out testuser.crt -days 500
- create role-deployment-manager.yaml:
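---
# Namespaced Role: a Role (unlike a ClusterRole) can only grant access inside
# its own namespace, so everything below is limited to "office".
kind: Role
apiVersion: rbac.authorization.k8s.io/v1  # v1beta1 was removed in Kubernetes 1.22
metadata:
  namespace: office
  name: deployment-manager
rules:
  # "apps" is the group that serves these resources on current clusters;
  # "extensions" is kept only for older clusters and is otherwise inert.
  - apiGroups: ["", "extensions", "apps"]
    resources: ["deployments", "replicasets", "pods"]
    # Verbs are listed explicitly so the grant is reviewable; ["*"] would also
    # cover every other verb (e.g. deletecollection) including future ones.
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]  # You can also use ["*"]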
- create rolebinding-deployment-manager.yaml:
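---
# Binds the "deployment-manager" Role to the certificate user "testuser" in the
# "office" namespace only; no other namespace is touched by this binding.
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1  # v1beta1 was removed in Kubernetes 1.22
metadata:
  name: deployment-manager-binding
  namespace: office
subjects:
  - kind: User
    name: testuser  # must match the CN in the client certificate's subject
    apiGroup: rbac.authorization.k8s.io  # explicit group instead of relying on server-side defaulting of ""
roleRef:
  kind: Role
  name: deployment-manager  # must already exist in the same namespace
  apiGroup: rbac.authorization.k8s.io  # the only group accepted for roleRef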
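# Register the client certificate as the credentials of user "testuser".
# The paths assume testuser.crt/testuser.key were moved to /home/testuser/.certs
# (the openssl steps write them to the current directory). Adding
# --embed-certs=true would copy the PEM data into the kubeconfig instead of
# recording file paths, so the kubeconfig keeps working if the files move.
kubectl config set-credentials testuser \
  --client-certificate=/home/testuser/.certs/testuser.crt \
  --client-key=/home/testuser/.certs/testuser.key
# Context pinned to the "office" namespace, where the RoleBinding grants testuser's only access.
kubectl config set-context testuser-context --cluster=testcluster --namespace=office --user=testuser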
- kubectl create -f both files (using your existing admin context), then test with kubectl
--context=testuser-context get pods; confirm the restriction by adding -ndefault to the
same command and checking that access to the default namespace is denied