@harshal-shah
Last active May 25, 2018 05:12
ReadOnly user for k8s 1.8 and over

# Steps for RO user

Generate RSA key

```sh
openssl genrsa -out ./kops_ro.key 2048
```

```sh
export CLIENT_KEY_PATH=${PWD}/kops_ro.key
export CLIENT_CSR_PATH=${PWD}/kops_ro.csr
export NAME=kops-qa
```

Generate CSR

```sh
openssl req -new \
  -key "$CLIENT_KEY_PATH" \
  -out "$CLIENT_CSR_PATH" \
  -subj "/CN=$NAME/O=system:authenticated"
```

The CN of the certificate becomes the Kubernetes user name (here kops-qa) and each O field becomes a group. Putting O=system:authenticated in the subject is harmless but redundant: the apiserver adds that group to every authenticated user on its own.

Submit CSR object

```yaml
apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
metadata:
  name: kops-qa-ro
spec:
  groups:
    - system:authenticated
  # request: $(cat kops_ro.csr | base64 | tr -d '\n')
  request: {{BASE64_ENCODED_CSR - one line, no newlines}}
  usages:
    - digital signature
    - key encipherment
    - client auth
```

```sh
kubectl apply -f /home/dev/k8s-ro/csr_object.yaml
```

Approve CSR

```sh
kubectl certificate approve kops-qa-ro
```

Get approved client certificate

```sh
kubectl get csr kops-qa-ro -o jsonpath='{.status.certificate}' | base64 --decode > approved_kops_ro.crt
```

Generate kubeconfig with new cert and private key

```yaml
apiVersion: v1
clusters:
  - cluster:
      certificate-authority-data: {{BASE64_ENCODED_CA - can be taken from admin's kubeconfig}}
      server: {{API SERVER URL - can be taken from admin's kubeconfig}}
    name: {{NAME OF CLUSTER - can be taken from admin's kubeconfig}}
contexts:
  - context:
      cluster: {{NAME OF CLUSTER - can be taken from admin's kubeconfig}}
      namespace: default
      user: {{USERNAME as created for CSR}}
    name: default
current-context: default
kind: Config
preferences: {}
users:
  - name: {{USERNAME as created for CSR}}
    user:
      as-user-extra: {}
      client-certificate-data: {{BASE64_ENCODED_Approved_Cert}}
      client-key-data: {{BASE64_ENCODED_Private_Key}}
```

Give read-only privileges to the user

Bind the default ClusterRole `view` to the user. The subject name must match the CN of the client certificate exactly. A ClusterRoleBinding grants `view` in every namespace; `view` does not include Secrets, Roles or RoleBindings, which is what you want for a read-only account.

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kops-read-only
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: view
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: User
    name: kops-qa
```
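The steps above wired into one script, as an added example that is not part of the gist. It goes a little beyond the gist: it polls for the signed certificate instead of assuming it is ready right after approval, checks that the issued CN equals the RBAC subject name, builds the kubeconfig with `kubectl config set-*` and `--embed-certs` instead of hand-editing YAML, and finishes with `kubectl auth can-i` checks that prove `view` allows reading pods but not secrets or deletes. It drops the `O=system:authenticated` subject field, since the apiserver adds that group anyway. Assumptions not stated in the gist: `openssl` and `kubectl` are on PATH, kubectl's current context is an admin context on the target cluster, and the file names `kops-qa.key`, `kops-qa.csr`, `kops-qa.crt`, `ca.crt` and `kops-qa.kubeconfig` are free to use in the working directory. The cluster-changing steps only run when invoked as `RO_USER_RUN=1 ./ro-user.sh`.

```shell
#!/usr/bin/env bash
# Added example, not code from the gist: the whole procedure as one script,
# with the checks a practitioner wants before handing out the kubeconfig.
# Assumptions (not stated in the gist): openssl and kubectl are on PATH,
# kubectl's current context is an admin context on the target cluster, and
# the file names below (kops-qa.key/.csr/.crt/.kubeconfig, ca.crt) are free.
set -eu

NAME="${NAME:-kops-qa}"             # CN of the client cert == RBAC User name
CSR_NAME="${CSR_NAME:-${NAME}-ro}"  # name of the CSR object in the API

# base64 without line wrapping; works with both GNU and BSD base64.
b64() { base64 "$1" | tr -d '\n'; }

# CN of an issued certificate; RFC2253 output parses the same on OpenSSL 1.0/1.1/3.
cert_cn() { openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p'; }

# CertificateSigningRequest object for a PEM CSR file. spec.groups is left out:
# the apiserver attaches system:authenticated to every authenticated user.
render_csr_object() {
  cat <<EOF
apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
metadata:
  name: $1
spec:
  request: $(b64 "$2")
  usages:
    - digital signature
    - key encipherment
    - client auth
EOF
}

# ClusterRoleBinding granting the built-in 'view' ClusterRole to a User.
# The User name must equal the CN of the client certificate.
render_binding() {
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: $2
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: view
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: User
    name: $1
EOF
}

# What 'view' should and should not allow; kubectl auth can-i exits 1 on "no".
verify_access() {
  kubectl --kubeconfig "$1" auth can-i get pods --all-namespaces
  ! kubectl --kubeconfig "$1" auth can-i get secrets --all-namespaces
  ! kubectl --kubeconfig "$1" auth can-i delete pods
}

main() {
  openssl genrsa -out "${NAME}.key" 2048
  openssl req -new -key "${NAME}.key" -out "${NAME}.csr" -subj "/CN=${NAME}"
  render_csr_object "$CSR_NAME" "${NAME}.csr" | kubectl apply -f -
  kubectl certificate approve "$CSR_NAME"

  # The signer fills status.certificate asynchronously; poll briefly.
  cert=""
  for i in 1 2 3 4 5 6 7 8 9 10; do
    cert=$(kubectl get csr "$CSR_NAME" -o jsonpath='{.status.certificate}')
    [ -n "$cert" ] && break
    sleep 2
  done
  [ -n "$cert" ] || { echo "CSR $CSR_NAME was not signed" >&2; exit 1; }
  printf '%s' "$cert" | base64 --decode > "${NAME}.crt"
  [ "$(cert_cn "${NAME}.crt")" = "$NAME" ] || { echo "issued CN != $NAME" >&2; exit 1; }

  # Build the kubeconfig from the admin context's cluster entry, embedding the
  # CA and the client key pair so the file is self-contained.
  kc="${NAME}.kubeconfig"
  server=$(kubectl config view --raw --minify -o jsonpath='{.clusters[0].cluster.server}')
  kubectl config view --raw --minify -o jsonpath='{.clusters[0].cluster.certificate-authority-data}' | base64 --decode > ca.crt
  kubectl --kubeconfig "$kc" config set-cluster "$NAME" --server="$server" --certificate-authority=ca.crt --embed-certs=true
  kubectl --kubeconfig "$kc" config set-credentials "$NAME" --client-certificate="${NAME}.crt" --client-key="${NAME}.key" --embed-certs=true
  kubectl --kubeconfig "$kc" config set-context default --cluster="$NAME" --user="$NAME" --namespace=default
  kubectl --kubeconfig "$kc" config use-context default

  render_binding "$NAME" "${NAME}-read-only" | kubectl apply -f -
  verify_access "$kc"
  echo "read-only kubeconfig written to $kc"
}

# Only run the cluster-changing steps when explicitly asked.
if [ "${RO_USER_RUN:-0}" = "1" ]; then main; fi
```

Keep the private key out of the CSR object and out of the cluster: only the CSR and the signed certificate travel through the API, the key stays on the machine that generated it and ends up embedded in the resulting kubeconfig, which should therefore be handed over through a secret channel like any other credential.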