Difference between revisions of "Kubernetes RBAC"
https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#:~:text=Set%20the%20security%20context%20for%20a%20Pod&text=In%20the%20configuration%20file%2C%20the,run%20with%20user%20ID%201000.&text=Any%20files%20created%20will%20also,3000%20when%20runAsGroup%20is%20specified.
After going through all the above-mentioned blocks, I found the solution below.

Create user CSR

```shell
openssl genrsa -out user1.key 2048
# The API server takes the user name from the certificate CN (and a group from
# each O), so the CN must match the subject named in the RoleBinding.
openssl req -new -key user1.key -subj "/CN=user1" -out user1.csr
```

Approve CSR

```shell
openssl x509 -req -in user1.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out user1.crt -days 500
```

Create Role or ClusterRole

```yaml
# role.yml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1   # v1beta1 was removed in Kubernetes 1.22
metadata:
  namespace: test-namespace
  name: user1-role
rules:
- apiGroups: ["", "extensions", "apps"]
  resources: ["deployments", "pods", "services"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
```

Create RoleBindings

```yaml
# binding.yml
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: user1-rolebinding
  namespace: test-namespace
subjects:
- kind: User
  name: user1                              # must equal the certificate CN
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: user1-role
  apiGroup: rbac.authorization.k8s.io      # roleRef cannot use an empty apiGroup
```

Use it

```shell
kubectl config set-credentials user1 --client-certificate=user1.crt --client-key=user1.key
kubectl config set-context user1-context --cluster=kubernetes --namespace=test-namespace --user=user1
```
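The procedure above as one runnable script, added here as an example and not part of the original post or of Kubernetes itself. It makes explicit the identity mapping the post leaves implicit (the certificate CN becomes the user name and each O a group), writes the Role and RoleBinding in one manifest, and checks the resulting boundaries with `kubectl auth can-i`. Everything named is an assumption for the example: user `user1`, group `dev-team`, namespace `test-namespace`, the cluster name `kubernetes` from the post, and a throwaway CA generated into a temp directory that stands in for /etc/kubernetes/pki/ca.crt and ca.key. Certificate and manifest generation run anywhere with openssl; the live checks run only when kubectl can reach a cluster.

```shell
#!/bin/sh
# Added example (not from the original post): mint a client certificate whose
# subject maps onto the RBAC subject, write the matching Role/RoleBinding, and
# verify the permissions. Hypothetical names: user1, dev-team, test-namespace.
set -eu

WORK="${WORK:-$(mktemp -d)}"
USER_NAME="user1"
GROUP_NAME="dev-team"
NS="test-namespace"

# Throwaway CA standing in for the cluster CA (constructed for this example only).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example-ca" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# The API server takes the user name from CN and a group from each O, so the
# CSR subject, not the RoleBinding, is where the identity is actually fixed.
make_user_cert() {
  openssl genrsa -out "$WORK/$USER_NAME.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/$USER_NAME.key" \
    -subj "/CN=$USER_NAME/O=$GROUP_NAME" -out "$WORK/$USER_NAME.csr"
  openssl x509 -req -in "$WORK/$USER_NAME.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 30 \
    -out "$WORK/$USER_NAME.crt" 2>/dev/null
}

# Print the CN (Kubernetes user) or O (Kubernetes group) of a PEM certificate.
cert_cn()  { openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p'; }
cert_org() { openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed -n 's/.*O=\([^,]*\).*/\1/p'; }

# Succeeds only if the certificate chains to the CA the API server trusts.
cert_chains_to_ca() { openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1; }

# Namespace-scoped Role bound to the User named by the CN. Switching the subject
# to kind: Group / name: $GROUP_NAME would cover every cert carrying that O.
write_rbac_manifest() {
  cat > "$WORK/rbac.yaml" <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: $NS
  name: ${USER_NAME}-role
rules:
- apiGroups: ["", "apps"]
  resources: ["deployments", "pods", "services"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: $NS
  name: ${USER_NAME}-rolebinding
subjects:
- kind: User
  name: $USER_NAME
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: ${USER_NAME}-role
  apiGroup: rbac.authorization.k8s.io
EOF
}

# Live cluster only: apply, register the credentials, and probe the boundaries
# via impersonation (the user must be confined to its namespace and to
# namespaced resources). Skipped when kubectl or a cluster is unavailable.
verify_live() {
  command -v kubectl >/dev/null 2>&1 || { echo "kubectl not found, skipping live check"; return 0; }
  kubectl cluster-info >/dev/null 2>&1 || { echo "no reachable cluster, skipping live check"; return 0; }
  kubectl apply -f "$WORK/rbac.yaml"
  kubectl config set-credentials "$USER_NAME" --embed-certs=true \
    --client-certificate="$WORK/$USER_NAME.crt" --client-key="$WORK/$USER_NAME.key"
  kubectl config set-context "$USER_NAME-context" --cluster=kubernetes --namespace="$NS" --user="$USER_NAME"
  echo "pods in $NS:     $(kubectl auth can-i get pods -n "$NS" --as "$USER_NAME" || true)"    # expect yes
  echo "pods in default: $(kubectl auth can-i get pods -n default --as "$USER_NAME" || true)"  # expect no
  echo "list nodes:      $(kubectl auth can-i list nodes --as "$USER_NAME" || true)"           # expect no
}

make_ca
make_user_cert
echo "user=$(cert_cn "$WORK/$USER_NAME.crt") group=$(cert_org "$WORK/$USER_NAME.crt")"
write_rbac_manifest
verify_live
```

Signing directly with the cluster CA key, as the post does, bypasses the CertificateSigningRequest API, and Kubernetes has no revocation for X.509 client certificates: a leaked user1.key stays valid until the certificate expires, so keep `-days` short and treat removing the RoleBinding as the only fast cut-off.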
Revision as of 21:21, 22 August 2021
https://discuss.kubernetes.io/t/how-to-create-user-in-kubernetes-cluster-and-give-it-access/9101
https://kubernetes.io/docs/reference/access-authn-authz/authentication/
https://jeremievallee.com/2018/05/28/kubernetes-rbac-namespace-user.html