Sunday, January 28, 2018

[Kubernetes] How to create a new restricted RBAC user in Kubernetes 1.9

  1. Connect to any master node and copy ca.pem and ca-key.pem from /etc/kubernetes/ssl.
  2. Create the new user; in this example the user is called "testuser".
  3. Generate the user's key, a CSR, and a client certificate signed by the cluster CA:
       openssl genrsa -out testuser.key 2048
       openssl req -new -key testuser.key -out testuser.csr -subj "/CN=testuser/O=testuser"
       openssl x509 -req -in testuser.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out testuser.crt -days 500
  4. Create role-deployment-manager.yaml:
       kind: Role
       apiVersion: rbac.authorization.k8s.io/v1beta1
       metadata:
         namespace: office
         name: deployment-manager
       rules:
       - apiGroups: ["", "extensions", "apps"]
         resources: ["deployments", "replicasets", "pods"]
         verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] # You can also use ["*"]

  5. Create rolebinding-deployment-manager.yaml:
       kind: RoleBinding
       apiVersion: rbac.authorization.k8s.io/v1beta1
       metadata:
         name: deployment-manager-binding
         namespace: office
       subjects:
       - kind: User
         name: testuser
         apiGroup: ""
       roleRef:
         kind: Role
         name: deployment-manager
         apiGroup: ""

  6. Add the user and a context for it to your kubeconfig:
       kubectl config set-credentials testuser --client-certificate=/home/testuser/.certs/testuser.crt --client-key=/home/testuser/.certs/testuser.key
       kubectl config set-context testuser-context --cluster=testcluster --namespace=office --user=testuser
  7. Create both objects with kubectl create -f role-deployment-manager.yaml -f rolebinding-deployment-manager.yaml, then test with kubectl --context=testuser-context get pods. Confirm the restriction by adding -n default to the same command: access to the default namespace should be denied, because the Role and its binding only cover the office namespace.
