Harshal Shah revised this gist
May 25, 2018 . 1 changed file with 4 additions and 4 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -2,21 +2,21 @@ ## Generate RSA key ~~~ openssl genrsa -out ./kops_ro.key 2048 export CLIENT_KEY_PATH=${PWD}/kops_ro.key export CLIENT_CSR_PATH=${PWD}/kops_ro.csr export NAME=kops-qa ~~~ ## Generate CSR ~~~ openssl req -new \ -key $CLIENT_KEY_PATH \ -out $CLIENT_CSR_PATH \ -subj "/CN=$NAME/O=system:authenticated" ~~~ ## submit CSR object ~~~ -
Harshal Shah revised this gist
May 25, 2018 . 1 changed file with 11 additions and 9 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -1,4 +1,4 @@ # Steps for RO user ## Generate RSA key @@ -19,7 +19,7 @@ openssl req -new \ ## submit CSR object ~~~ apiVersion: certificates.k8s.io/v1beta1 kind: CertificateSigningRequest metadata: @@ -33,19 +33,20 @@ spec: - digital signature - key encipherment - client auth ~~~ Apply the CSR obbject `kubectl apply -f /home/dev/k8s-ro/csr_object.yaml` ## Approve CSR `kubectl certificate approve kops-qa-ro` ## Get approved client certificate `kubectl get csr kops-qa-ro -o jsonpath='{.status.certificate}' | base64 --decode > approved_kops_ro.crt` ## Generate kubeconfig with new cert and private key ~~~ apiVersion: v1 clusters: - cluster: @@ -67,10 +68,10 @@ users: as-user-extra: {} client-certificate-data: {{BASE64_ENCODED_Approved_Cert}} client-key-data: {{BASE64_ENCODED_Private_Key}} ~~~ ## Give read only privileges to the user Bind default clusterrole view to the user ~~~ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -83,3 +84,4 @@ subjects: - apiGroup: rbac.authorization.k8s.io kind: User name: kops-qa ~~~ -
Harshal Shah revised this gist
May 25, 2018 . No changes.There are no files selected for viewing
Harshal Shah created this gist
May 25, 2018 .There are no files selected for viewing
@@ -0,0 +1,85 @@ #Steps for RO user ## Generate RSA key openssl genrsa -out ./kops_ro.key 2048 export CLIENT_KEY_PATH=${PWD}/kops_ro.key export CLIENT_CSR_PATH=${PWD}/kops_ro.csr export NAME=kops-qa ## Generate CSR openssl req -new \ -key $CLIENT_KEY_PATH \ -out $CLIENT_CSR_PATH \ -subj "/CN=$NAME/O=system:authenticated" ## submit CSR object apiVersion: certificates.k8s.io/v1beta1 kind: CertificateSigningRequest metadata: name: kops-qa-ro spec: groups: - system:authenticated #request: $(cat kops_ro.csr | base64 | tr -d '\n') request: 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 usages: - digital signature - key encipherment - client auth k apply -f /home/dev/k8s-ro/csr_object.yaml ## Approve CSR kubectl certificate approve kops-qa-ro ## Get approved client certificate kubectl get csr kops-qa-ro -o jsonpath='{.status.certificate}' | base64 --decode > approved_kops_ro.crt ## Generate kubeconfig with new cert and private key apiVersion: v1 clusters: - cluster: certificate-authority-data: {{BASE64_ENCODED_CA - can be taken from admin's kubeconfig}} server: {{API SERVER URL - can be taken from admin's kubeconfig}} name: {{NAME OF CLUSTER - can be taken from admin's kubeconfig}} contexts: - context: cluster: {{NAME OF CLUSTER - can be taken from admin's kubeconfig}} namespace: default user: {{USERNAME as created for CSR}} name: default current-context: default kind: Config preferences: {} users: - name: {{USERNAME as created for CSR}} user: as-user-extra: {} client-certificate-data: {{BASE64_ENCODED_Approved_Cert}} client-key-data: {{BASE64_ENCODED_Private_Key}} ## Give read only privileges to the user Bind default clusterrole view to the user apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: kops-read-only roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: view subjects: - apiGroup: rbac.authorization.k8s.io kind: User name: kops-qa
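Review bot: The ClusterRoleBinding at the end of the file binds the `view` ClusterRole to user `kops-qa` cluster-wide, while the kubeconfig template a few lines earlier pins that user to `namespace: default`; if read access to one namespace is the intent, the least-privilege form is a namespaced binding, i.e. change `kind: ClusterRoleBinding` to `kind: RoleBinding` and add `namespace: default` under `metadata:` (the `roleRef` to ClusterRole `view` can stay). It is also worth a sentence in the doc that the default `view` role excludes Secrets but still exposes ConfigMaps, which often carry sensitive values, so "read only" is not "harmless". A second caveat for the "Approve CSR" step: a client certificate signed through the CSR API cannot be revoked by Kubernetes, so `kops_ro.key` and `approved_kops_ro.crt` need to be protected and the binding deleted when access ends, since removing the binding is the only way to cut the user off. The same manifests appear in the later revision shown above (the hunk ending `name: kops-qa ~~~`), so the note applies there too.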