Last active
April 24, 2019 20:57
Revisions
Mohan P Edala revised this gist
Apr 24, 2019. 1 changed file with 4 additions and 1 deletion.
@@ -26,7 +26,10 @@ endpoint=`kubectl config view -o jsonpath="{.clusters[?(@.name == \"$name\")].cluster.server}"` On a fresh machine, follow these steps (given the ca.cert and $endpoint information retrieved above: ``` ##### Pre-req for following steps: - Kubectl 7. Set cluster (run in directory where ca.crt is stored) ``` kubectl config set-cluster cluster-staging \ -
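Review bot: the closing ``` of the step 5 block is still placed after the sentence "On a fresh machine, follow these steps ..." rather than before it, so that sentence and the new "##### Pre-req for following steps:" heading render inside the code block instead of as prose; move the fence up to directly after the endpoint=`...` line. The same sentence refers to "ca.cert" while every other step uses ca.crt, and its opening parenthesis is never closed.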
Mohan P Edala revised this gist
Apr 24, 2019. 1 changed file with 62 additions and 55 deletions.
@@ -1,58 +1,65 @@ 1. Create service account for user Alice ``` kubectl create sa alice ``` 2. Get related secret ``` secret=$(kubectl get sa alice -o json | jq -r .secrets[].name) ``` 3. Get ca.crt from secret (using OSX base64 with -D flag for decode) ``` kubectl get secret $secret -o json | jq -r '.data["ca.crt"]' | base64 -D > ca.crt ``` 4. Get service account token from secret ``` user_token=$(kubectl get secret $secret -o json | jq -r '.data["token"]' | base64 -D) ``` 5. Get information from your kubectl config (current-context, server..) ``` # get current context c=`kubectl config current-context` # get cluster name of context name=`kubectl config get-contexts $c | awk '{print $3}' | tail -n 1` # get endpoint of current context endpoint=`kubectl config view -o jsonpath="{.clusters[?(@.name == \"$name\")].cluster.server}"` On a fresh machine, follow these steps (given the ca.cert and $endpoint information retrieved above: ``` 6 . Pre-req: Kubectl 7. Set cluster (run in directory where ca.crt is stored) ``` kubectl config set-cluster cluster-staging \ --embed-certs=true \ --server=$endpoint \ --certificate-authority=./ca.crt ``` 8. Set user credentials ``` kubectl config set-credentials alice-staging --token=$user_token ``` 9. Define the combination of alice user with the staging cluster ``` kubectl config set-context alice-staging \ --cluster=cluster-staging \ --user=alice-staging \ --namespace=alice ``` 10. Switch current-context to alice-staging for the user ``` kubectl config use-context alice-staging ``` 11. To control user access with policies (using ABAC), you need to create a policy file (for example): ```yaml { "apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": { "user": "system:serviceaccount:default:alice", "namespace": "default", "resource": "*", "readonly": true } } ``` 12. 
Provision this policy.json on every master node and add --authorization-mode=ABAC --authorization-policy-file=/path/to/policy.json flags to API servers -
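Review bot: the ABAC policy in step 11 grants system:serviceaccount:default:alice read-only access in namespace "default", but the context created in step 9 pins the user to --namespace=alice, so every request made through the alice-staging context will be denied unless the policy's "namespace" is changed to "alice" (or the context's namespace to "default"). Related: step 1 runs kubectl create sa alice without -n, so the service account lands in whatever the current namespace is; the policy's "user" field only matches if that namespace was default.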
Mohan P Edala created this gist
Apr 24, 2019.
@@ -0,0 +1,58 @@ Create service account for user Alice kubectl create sa alice Get related secret secret=$(kubectl get sa alice -o json | jq -r .secrets[].name) Get ca.crt from secret (using OSX base64 with -D flag for decode) kubectl get secret $secret -o json | jq -r '.data["ca.crt"]' | base64 -D > ca.crt Get service account token from secret user_token=$(kubectl get secret $secret -o json | jq -r '.data["token"]' | base64 -D) Get information from your kubectl config (current-context, server..) # get current context c=`kubectl config current-context` # get cluster name of context name=`kubectl config get-contexts $c | awk '{print $3}' | tail -n 1` # get endpoint of current context endpoint=`kubectl config view -o jsonpath="{.clusters[?(@.name == \"$name\")].cluster.server}"` On a fresh machine, follow these steps (given the ca.cert and $endpoint information retrieved above: Install kubectl brew install kubectl Set cluster (run in directory where ca.crt is stored) kubectl config set-cluster cluster-staging \ --embed-certs=true \ --server=$endpoint \ --certificate-authority=./ca.crt Set user credentials kubectl config set-credentials alice-staging --token=$user_token Define the combination of alice user with the staging cluster kubectl config set-context alice-staging \ --cluster=cluster-staging \ --user=alice-staging \ --namespace=alice Switch current-context to alice-staging for the user kubectl config use-context alice-staging To control user access with policies (using ABAC), you need to create a policy file (for example): { "apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": { "user": "system:serviceaccount:default:alice", "namespace": "default", "resource": "*", "readonly": true } } Provision this policy.json on every master node and add --authorization-mode=ABAC --authorization-policy-file=/path/to/policy.json flags to API servers
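Review bot: in the "Get related secret" step the jq filter .secrets[].name is passed to the shell unquoted, so the [] is subject to glob expansion (zsh aborts with "no matches found"); quote it the way the ca.crt and token steps already do: secret=$(kubectl get sa alice -o json | jq -r '.secrets[].name'). Also worth stating next to the set-credentials step: --token=$user_token writes the service-account token in plaintext into the kubeconfig on the fresh machine, so that file is the credential and needs the same file permissions and handling as the secret it was extracted from.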