[Kubernetes] How to create a new restricted RBAC user in Kubernetes 1.9
- connect to any master node and get the ca.pem and ca-key.pem from /etc/kubernetes/ssl
- create new user, in this example we call this user "testuser"
openssl genrsa -out testuser.key 2048
openssl req -new -key testuser.key -out testuser.csr -subj "/CN=testuser/O=testuser"
openssl x509 -req -in testuser.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out testuser.crt -days 500
- create role-deployment-manager.yaml :
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
namespace: office
name: deployment-manager
rules:
- apiGroups: ["", "extensions", "apps"]
resources: ["deployments", "replicasets", "pods"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] # You can also use ["*"]
- create rolebinding-deployment-manager.yaml
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: deployment-manager-binding
namespace: office
subjects:
- kind: User
name: testuser
apiGroup: ""
roleRef:
kind: Role
name: deployment-manager
apiGroup: ""
$kubectl config set-credentials testuser
--client-certificate=/home/testuser/.certs/testuser.crt
--client-key=/home/testuser/.certs/testuser.key
$kubectl config set-context testuser-context --cluster=testcluster --namespace=office --user=testuser
- kubectl create -f both files and then test with kubectl
--context=testuser-context get pods, confirm restriction by changing
adding -ndefault to see if default namespace access is denied
No comments:
Post a Comment