Kubernetes RBAC
Jump to navigation
Jump to search
https://jeremievallee.com/2018/05/28/kubernetes-rbac-namespace-user.html
https://stackoverflow.com/questions/66296470/accessing-k8s-cluster-with-service-account-token
1
Yes, it is possible. For instance, if you login K8S dashboard via token it does use the same way.
Follow these steps;
Create a service account
$ kubectl -n <your-namespace-optional> create serviceaccount <service-account-name>
A role binding grants the permissions defined in a role to a user or set of users. You can use a predefined role or you can create your own. Check this link for more info. https://kubernetes.io/docs/reference/access-authn-authz/rbac/#rolebinding-example
$ kubectl create clusterrolebinding <binding-name> --clusterrole=cluster-admin --serviceaccount=<namespace>:<service-account-name>
Get the token name
$ TOKENNAME=`kubectl -n <namespace> get serviceaccount/<service-account-name> -o jsonpath='{.secrets[0].name}'`
Finally, get the token and set the credentials
$ kubectl -n <namespace> get secret $TOKENNAME -o jsonpath='{.data.token}'| base64 --decode
$ kubectl config set-credentials <service-account-name> --token=<output from previous command>
$ kubectl config set-context --current --user=<service-account-name>
If you follow these steps carefully your problem will be solved.
https://discuss.kubernetes.io/t/how-to-create-user-in-kubernetes-cluster-and-give-it-access/9101
https://kubernetes.io/docs/reference/access-authn-authz/authentication/
https://jeremievallee.com/2018/05/28/kubernetes-rbac-namespace-user.html
https://jeremievallee.com/2018/05/28/kubernetes-rbac-namespace-user.html
After going through all the above mentioned block, I found below solution Create user CSR openssl genrsa -out user1.key 2048 openssl req -new -key user1.key -out user1.csr Approve CSR openssl x509 -req -in user1.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out user1.crt -days 500 Create Role or ClusterRole cat role.yml kind: Role apiVersion: rbac.authorization.k8s.io/v1beta1 4 metadata: namespace: test-namespace name: user1-role rules: - apiGroups: ["", “extensions”, “apps”] resources: [“deployments”, “pods”, “services”] verbs: [“get”, “list”, “watch”, “create”, “update”, “patch”, “delete”] Create RoleBindings cat binding.yml kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1beta1 4 metadata: name: user1-rolebinding namespace: test-namespace subjects: kind: User name: user1 apiGroup: “” roleRef: kind: Role name: user1-role apiGroup: “” Use it kubectl config set-credentials user1 --client-certificate=/root/user1.crt --client-key=user1.key kubectl config set-context user1-context --cluster=kubernetes --namespace=test-namespace --user=user1