@fragolinux
Last active April 15, 2022 20:01

Revisions

  1. fragolinux revised this gist Mar 14, 2022. 1 changed file with 4 additions and 1 deletion.
    5 changes: 4 additions & 1 deletion k8s_add_user_clusterrole.sh
    @@ -64,10 +64,13 @@ rm "${cert_name}".csr
    rm cfssl.json

    PS3='Choose cluster role: '
    options=("admin" "edit" "view" "Quit")
    options=("cluster-admin" "admin" "edit" "view")
    select role in "${options[@]}"
    do
    case $role in
    "cluster-admin")
    break
    ;;
    "admin")
    break
    ;;
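Review bot: Dropping the `"Quit"` entry leaves the `select` loop with no way to abort: on EOF (Ctrl-D) at the prompt bash ends the loop with `role` unset, and the script carries on to the ClusterRoleBinding step below this hunk with an empty `--clusterrole`. Add a guard right after `done`, `[[ -n "${role:-}" ]] || { echor "No role selected, aborting..."; exit 1; }`. Since the new `cluster-admin` choice grants unrestricted access to every resource in the cluster, and the echog line that follows only announces the binding, ask for explicit confirmation for that role before creating it, e.g. `read -rp "Really bind to cluster-admin? [y/N] " ok; [[ "${ok}" == [yY] ]] || exit 1`. The binding itself is created further down the file, outside this hunk.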
  2. fragolinux revised this gist Mar 14, 2022. 1 changed file with 14 additions and 15 deletions.
    29 changes: 14 additions & 15 deletions k8s_add_user_clusterrole.sh
    @@ -17,13 +17,13 @@ echor(){
    [ ! "$(command -v cfssl)" ] && echor "cfssl not found, please install it" && exit 1
    [ ! "$(command -v cfssljson)" ] && echor "cfssljson not found, please install it" && exit 1

    name="${1}"
    csr_name="${name}-client-csr"
    cert_name="${name}-client"
    NAME="${1}"
    csr_name="${NAME}-client-csr"
    cert_name="${NAME}-client"

    IFS= read -rd '' cfssltemplate << EOF
    {
    "CN": "${USER}",
    "CN": "${NAME}",
    "key": {
    "algo": "ecdsa",
    "size": 256
    @@ -81,17 +81,16 @@ do
    esac
    done

    echog "This will add ${name} as a ${role} for all namespaces."
    echog "This will add ${NAME} as a ${role} for all namespaces."

    kubectl create clusterrolebinding "${name}" --user="${name}" --clusterrole="${role}"
    kubectl create clusterrolebinding "${NAME}" --user="${NAME}" --clusterrole="${role}"

    export USER=$1
    export CLUSTER_CA=$(kubectl get secret -o jsonpath="{.items[?(@.type==\"kubernetes.io/service-account-token\")].data['ca\.crt']}")
    export CURRENT_CONTEXT=$(kubectl config current-context)
    export CLUSTER_NAME=$(kubectl config get-contexts "${CURRENT_CONTEXT}" | awk '{print $3}' | tail -n 1)
    export CLUSTER_ENDPOINT=$(kubectl config view -o jsonpath="{.clusters[?(@.name == \"${CLUSTER_NAME}\")].cluster.server}")
    export CLIENT_CERTIFICATE_DATA=$(cat "${USER}"-client.crt | base64 | tr -d "\n")
    export CLIENT_KEY_DATA=$(cat "${USER}"-client-key.pem | base64 | tr -d "\n")
    export CLIENT_CERTIFICATE_DATA=$(cat "${NAME}"-client.crt | base64 | tr -d "\n")
    export CLIENT_KEY_DATA=$(cat "${NAME}"-client-key.pem | base64 | tr -d "\n")

    IFS= read -rd '' kubeconfigtemplate << EOF
    apiVersion: v1
    @@ -102,17 +101,17 @@ clusters:
    server: ${CLUSTER_ENDPOINT}
    name: ${CLUSTER_NAME}
    users:
    - name: ${USER}
    - name: ${NAME}
    user:
    client-certificate-data: ${CLIENT_CERTIFICATE_DATA}
    client-key-data: ${CLIENT_KEY_DATA}
    contexts:
    - context:
    cluster: ${CLUSTER_NAME}
    user: ${USER}
    name: ${USER}-${CLUSTER_NAME}
    current-context: ${USER}-${CLUSTER_NAME}
    user: ${NAME}
    name: ${NAME}-${CLUSTER_NAME}
    current-context: ${NAME}-${CLUSTER_NAME}
    EOF

    echog "Exporting preconfigured kubeconfig-${USER}"
    echo -e "$kubeconfigtemplate" | envsubst > kubeconfig-"${USER}"
    echog "Exporting preconfigured kubeconfig-${NAME}"
    echo -e "$kubeconfigtemplate" | envsubst > kubeconfig-"${NAME}"
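Review bot: `CLUSTER_CA` (second hunk) is still read from whatever `kubernetes.io/service-account-token` secrets exist in the current namespace instead of from the cluster entry the operator is already using; with several such secrets the jsonpath filter would join their `ca.crt` values, and on clusters where token secrets are no longer created automatically it can be empty, so the exported kubeconfig ends up without a usable `certificate-authority-data` (a common prelude to someone adding `insecure-skip-tls-verify`). Take it from the same place `CLUSTER_ENDPOINT` comes from: `export CLUSTER_CA=$(kubectl config view --raw -o jsonpath="{.clusters[?(@.name == \"${CLUSTER_NAME}\")].cluster.certificate-authority-data}")` (`--raw` is needed, otherwise the data is redacted). The private key `${NAME}-client-key.pem` and the exported `kubeconfig-${NAME}` are written with the default umask; a `umask 077` before the key is generated (earlier in the file, outside these hunks) would keep both readable only by the operator.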
  3. fragolinux created this gist Mar 14, 2022.
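--- a/k8s_add_user_clusterrole.sh
+++ b/k8s_add_user_clusterrole.sh
@@ -0,0 +1,118 @@
+#!/usr/bin/env bash
+# shellcheck disable=2155
+
+GREEN="\033[0;32m"
+RED="\033[0;31m"
+COLOR_RESET="\033[0m"
+
+echog(){
+echo;echo;echo -e "### ${GREEN}${1}${COLOR_RESET} ###"
+}
+
+echor(){
+echo;echo;echo -e ">>> ${RED}${1}${COLOR_RESET} <<<"
+}
+
+[ "${1}" == "" ] && echor "Please provide username as parameter, aborting..." && exit 1
+[ ! "$(command -v cfssl)" ] && echor "cfssl not found, please install it" && exit 1
+[ ! "$(command -v cfssljson)" ] && echor "cfssljson not found, please install it" && exit 1
+
+name="${1}"
+csr_name="${name}-client-csr"
+cert_name="${name}-client"
+
+IFS= read -rd '' cfssltemplate << EOF
+{
+"CN": "${USER}",
+"key": {
+"algo": "ecdsa",
+"size": 256
+}
+}
+EOF
+
+echo -e "$cfssltemplate" | envsubst > cfssl.json
+
+echog "Creating signing request"
+cfssl genkey cfssl.json | cfssljson -bare "${cert_name}"
+
+cat <<EOF | kubectl create -f -
+apiVersion: certificates.k8s.io/v1
+kind: CertificateSigningRequest
+metadata:
+name: ${csr_name}
+spec:
+signerName: kubernetes.io/kube-apiserver-client
+groups:
+- system:authenticated
+request: $(base64 "${cert_name}".csr | tr -d '\n')
+usages:
+- digital signature
+- key encipherment
+- client auth
+EOF
+
+echog "Approving signing request"
+kubectl certificate approve "${csr_name}"
+
+echog "Downloading certificate"
+kubectl get csr "${csr_name}" -o jsonpath='{.status.certificate}' | base64 --decode > "${cert_name}".crt
+
+echog "Removing temp files and resources"
+kubectl delete csr "${csr_name}"
+rm "${cert_name}".csr
+rm cfssl.json
+
+PS3='Choose cluster role: '
+options=("admin" "edit" "view" "Quit")
+select role in "${options[@]}"
+do
+case $role in
+"admin")
+break
+;;
+"edit")
+break
+;;
+"view")
+break
+;;
+*) echo "invalid option $REPLY";;
+esac
+done
+
+echog "This will add ${name} as a ${role} for all namespaces."
+
+kubectl create clusterrolebinding "${name}" --user="${name}" --clusterrole="${role}"
+
+export USER=$1
+export CLUSTER_CA=$(kubectl get secret -o jsonpath="{.items[?(@.type==\"kubernetes.io/service-account-token\")].data['ca\.crt']}")
+export CURRENT_CONTEXT=$(kubectl config current-context)
+export CLUSTER_NAME=$(kubectl config get-contexts "${CURRENT_CONTEXT}" | awk '{print $3}' | tail -n 1)
+export CLUSTER_ENDPOINT=$(kubectl config view -o jsonpath="{.clusters[?(@.name == \"${CLUSTER_NAME}\")].cluster.server}")
+export CLIENT_CERTIFICATE_DATA=$(cat "${USER}"-client.crt | base64 | tr -d "\n")
+export CLIENT_KEY_DATA=$(cat "${USER}"-client-key.pem | base64 | tr -d "\n")
+
+IFS= read -rd '' kubeconfigtemplate << EOF
+apiVersion: v1
+kind: Config
+clusters:
+- cluster:
+certificate-authority-data: ${CLUSTER_CA}
+server: ${CLUSTER_ENDPOINT}
+name: ${CLUSTER_NAME}
+users:
+- name: ${USER}
+user:
+client-certificate-data: ${CLIENT_CERTIFICATE_DATA}
+client-key-data: ${CLIENT_KEY_DATA}
+contexts:
+- context:
+cluster: ${CLUSTER_NAME}
+user: ${USER}
+name: ${USER}-${CLUSTER_NAME}
+current-context: ${USER}-${CLUSTER_NAME}
+EOF
+
+echog "Exporting preconfigured kubeconfig-${USER}"
+echo -e "$kubeconfigtemplate" | envsubst > kubeconfig-"${USER}"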
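Review bot: Nothing stops the run when an earlier step fails: there is no `set -euo pipefail`, so if `cfssl genkey`, the `kubectl create` of the CSR or the approval fails, `kubectl get csr ... | base64 --decode` writes an empty `${cert_name}.crt` and the script still goes on to create the ClusterRoleBinding. Add `set -euo pipefail` under the shebang (changing the first check to `${1:-}`) and, after the download, `[[ -s "${cert_name}.crt" ]] || { echor "Certificate download failed, aborting..."; exit 1; }` before any cleanup or binding. `${1}` is used unvalidated as a file name, a CSR name and the bound username; restricting it with `[[ "${1:-}" =~ ^[a-z0-9][a-z0-9.-]*$ ]] || { echor "Invalid username, aborting..."; exit 1; }` keeps it a valid Kubernetes object name and avoids surprises in `rm` and the heredocs. The private key written by `cfssljson -bare` and the exported kubeconfig are created with the default umask; a `umask 077` near the top keeps them readable only by the operator.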