Menu
I need to create users to assign them permissions with RBAC, I create them as follows:
echo -n "lucia" | base64
bHVjaWE=
echo -n "pass" | base64
cGFzcw==
apiVersion: v1
kind: Secret
metadata:
name: lucia-secret
type: Opaque
data:
username: bHVjaWE=
password: cGFzcw==
Or create with:
kubectl create secret generic lucia-secret --from-literal=username='lucia',password='pass'
I don't know how to continue
USER_NICK=lucia
kubectl config set-credentials $USER_NICK \
--username=lucia \
--password=pass
kubectl get secret lucia-secret -o json | jq -r '.data["ca.crt"]' | base64 -d > ca.crt
endpoint=`kubectl config view -o jsonpath="{.clusters[?(@.name == \"$name\")].cluster.server}"`
kubectl config set-cluster cluster-for-lucia \
--embed-certs=true \
--server=$endpoint \
--certificate-authority=./ca.crt
kubectl config set-context context-lucia \
--cluster=cluster-for-lucia \
--user=$USER_NICK \
--namespace=default
ca.crt is null
Thank you for your help!
789
Users in KubernetesAll Kubernetes clusters have two categories of users: service accounts managed by Kubernetes, and normal users. It is assumed that a cluster-independent service manages normal users in the following ways: an administrator distributing private keys. a user store like Keystone or Google Accounts.
Creating Kubernetes Users and GroupsYou need access to the folllwing files on kubernetes master. Once signed, . csr files with added signatures become the certificates that could be used to authenticate. copy over the CA certs and keys to your management node and use it to sign.
Kubernetes doesn't manage users. Normal users are assumed to be managed by an outside, independent service like LDAP or Active Directory. In a standard installation of Kubernetes (i.e., using kubeadm), authentication is done via standard transport level security (TLS) certificates.
As kubernetes docs and Articles uses certificate to create or authenticate users for kubectl client. However there is one easy way to do it by using ServiceAccount. One can use ServiceAccount as a group to provide RBAC control authentication and it is very easy and descriptive. Here are the steps.
All the steps i am executing is in default namespace. I am going to create a pod readonly user which can get,list,watch any pod in all namespaces.
Create a ServiceAccount, say 'readonlyuser'.
kubectl create serviceaccount readonlyuser
Create cluster role, say 'readonlyuser'.
kubectl create clusterrole readonlyuser --verb=get --verb=list --verb=watch --resource=pods
Create cluster role binding, say 'readonlyuser'.
kubectl create clusterrolebinding readonlyuser --serviceaccount=default:readonlyuser --clusterrole=readonlyuser
Now get the token from secret of ServiceAccount we have created before. we will use this token to authenticate user.
TOKEN=$(kubectl describe secrets "$(kubectl describe serviceaccount readonlyuser | grep -i Tokens | awk '{print $2}')" | grep token: | awk '{print $2}')
Now set the credentials for the user in kube config file. I am using 'vikash' as username.
kubectl config set-credentials vikash --token=$TOKEN
Now Create a Context say podreader. I am using my clustername 'kubernetes' here.
kubectl config set-context podreader --cluster=kubernetes --user=vikash
Finally use the context .
kubectl config use-context podreader
And that's it. Now one can execute kubectl get pods --all-namespaces. One can also check the access by executing as given:
~ : $ kubectl auth can-i get pods --all-namespaces
yes
~ : $ kubectl auth can-i create pods
no
~ : $ kubectl auth can-i delete pods
no
In this guide you can find how to configure a user for your cluster: https://docs.bitnami.com/kubernetes/how-to/configure-rbac-in-your-kubernetes-cluster/#use-case-1-create-user-with-limited-namespace-access
Long story short:
Regarding the ca.crt, you need to find it in your master host.
Edited: In the case of GKE, check here https://cloud.google.com/container-engine/docs/iam-integration
22
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
