$ bash make-k8s-user.sh USER
How to create a k8s user and assign a namespace
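#!/bin/sh
#
# make-k8s-user.sh
#
# Creates a namespaced Kubernetes user: generates a client key and CSR,
# has the cluster sign it, writes a standalone kubeconfig for the user and
# binds the user to the built-in "admin" ClusterRole inside a namespace of
# the same name.
#
# Usage:   bash make-k8s-user.sh USER
# Needs:   kubectl (pointing at the cluster with enough rights to approve
#          CSRs, create namespaces and RoleBindings), openssl, base64
# Writes:  ./USER/USER-k8s.key, ./USER/USER-k8s.csr, ./USER/USER-k8s-csr.yaml,
#          ./USER/USER-k8s-access.crt, ./USER/USER-k8s-config and ./k8s-ca.crt
#
# Source: https://www.openlogic.com/blog/granting-user-access-your-kubernetes-cluster
#
# Abort on the first failing command and on unset variables. "pipefail" is
# not available in every /bin/sh, so the pipelines below are kept short.
set -eu

if [ -z "${1:-}" ]
then
  echo "Usage: bash $0 USER" >&2
  exit 2
fi
# Kept in its own variable instead of USER so the login user's environment
# variable is not clobbered for the tools invoked below.
k8s_user=$1
# Name of the generated kubeconfig, relative to ./$k8s_user.
kubeconfig="$k8s_user-k8s-config"

echo "Creating a k8s user account: $k8s_user"
echo "Creating a user folder"
if [ ! -d "./$k8s_user" ]
then
  mkdir -p "./$k8s_user"
else
  echo "Aborted: Folder ./$k8s_user exists. Remove it and re-run the script." >&2
  exit 1
fi

# The private key (written unencrypted because of -nodes) and the kubeconfig
# that embeds it must not be readable by other local users.
umask 077
echo "Creating certificate"
cd "$k8s_user"
# CN becomes the Kubernetes username, O the group the user belongs to.
openssl req -new -newkey rsa:4096 -nodes \
  -keyout "$k8s_user-k8s.key" -out "$k8s_user-k8s.csr" \
  -subj "/CN=$k8s_user/O=devops"
# The CSR object carries the PEM request as a single base64 line.
csr_b64=$(base64 < "$k8s_user-k8s.csr" | tr -d '\n')
# NOTE: certificates.k8s.io/v1beta1 was removed in Kubernetes 1.22; the v1
# API additionally requires "signerName: kubernetes.io/kube-apiserver-client".
cat <<EOF >"$k8s_user-k8s-csr.yaml"
apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
metadata:
  name: $k8s_user-k8s-access
spec:
  groups:
  - system:authenticated
  request: $csr_b64
  usages:
  - client auth
EOF
echo "Deleting an existing certificate if any. Might produce an error message when it doesn't exist."
# Expected to fail for a fresh user; it must not abort the script.
kubectl delete -f "$k8s_user-k8s-csr.yaml" || true
kubectl create -f "$k8s_user-k8s-csr.yaml"
echo "Approving the certificate"
kubectl certificate approve "$k8s_user-k8s-access"
kubectl get csr
echo "Creating an access key"
# The signed certificate is published base64-encoded in the CSR status.
kubectl get csr "$k8s_user-k8s-access" -o jsonpath='{.status.certificate}' \
  | base64 --decode > "$k8s_user-k8s-access.crt"
# An empty file means status.certificate was not populated yet; a kubeconfig
# built from it would be unusable, so stop here instead.
if [ ! -s "$k8s_user-k8s-access.crt" ]
then
  echo "Aborted: no signed certificate in CSR $k8s_user-k8s-access yet. Re-run the last kubectl step." >&2
  exit 1
fi

printf '%s' "Checking if the cluster certificate is available... "
cd ..
if [ ! -f k8s-ca.crt ]
then
  echo "Not available. Creating ..."
  kubectl config view -o jsonpath='{.clusters[0].cluster.certificate-authority-data}' --raw \
    | base64 --decode - > k8s-ca.crt
else
  echo "Available."
fi
cd "$k8s_user"

echo "Creating kubectl config"
# Both values are taken from the first cluster entry of the admin kubeconfig,
# which is not necessarily the current context ("kubectl config view --minify"
# would restrict the view to the current context).
cluster_name=$(kubectl config view -o jsonpath='{.clusters[0].name}')
cluster_server=$(kubectl config view -o jsonpath='{.clusters[0].cluster.server}')
kubectl config set-cluster "$cluster_name" --server="$cluster_server" \
  --certificate-authority=../k8s-ca.crt --kubeconfig="$kubeconfig" --embed-certs
kubectl config set-credentials "$k8s_user" --client-certificate="$k8s_user-k8s-access.crt" \
  --client-key="$k8s_user-k8s.key" --embed-certs --kubeconfig="$kubeconfig"
kubectl config set-context "$k8s_user" --cluster="$cluster_name" --namespace="$k8s_user" \
  --user="$k8s_user" --kubeconfig="$kubeconfig"

echo "Creating a namespace. Might produce error messages when it already exists."
kubectl create ns "$k8s_user" || true
# --overwrite keeps a re-run from failing when the labels are already set.
kubectl label ns "$k8s_user" user="$k8s_user" env=sandbox --overwrite

echo "Assigning a role to the user"
# use-context only edits the generated kubeconfig; the RoleBinding below is
# still created with the credentials of the default kubeconfig.
kubectl config use-context "$k8s_user" --kubeconfig="$kubeconfig"
kubectl create rolebinding "$k8s_user-admin" --namespace="$k8s_user" --clusterrole=admin --user="$k8s_user"

echo "Almost there... Checking the scope"
echo "This should be forbidden: kubectl get pods -A --kubeconfig=$kubeconfig"
# A successful cluster-wide listing means the user holds more than the
# namespaced admin role this script grants; report it rather than abort.
if kubectl get pods -A --kubeconfig="$kubeconfig"
then
  echo "WARNING: cluster-wide listing succeeded; the user is scoped wider than intended." >&2
fi
echo "This should be allowed (but no resource will be found): kubectl get pods --kubeconfig=$kubeconfig"
kubectl get pods --kubeconfig="$kubeconfig"
echo "Done."
echo ""
# Deleting the RoleBinding removes authorization only; the client certificate
# keeps authenticating until it expires, Kubernetes has no revocation list.
echo "Run the following command to revoke the user access to the cluster"
echo "  kubectl delete rolebinding $k8s_user-admin --kubeconfig=$k8s_user/$kubeconfig"
echo ""
echo "You can also run the following command to remove everything under the namespace: $k8s_user"
echo "  kubectl delete ns $k8s_user"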