Last active
August 4, 2023 23:56
-
-
Save ncrmro/b3b2639fd9c73affd8ea4980555ecadf to your computer and use it in GitHub Desktop.
Generate Kubernetes KUBECONFIG with user that can only access a single namespace.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # https://computingforgeeks.com/restrict-kubernetes-service-account-users-to-a-namespace-with-rbac/?expand_article=1 | |
| # If you want to expose a diffrent port rather than 6443 we can port forward using UFW | |
| # ufw route allow to 0.0.0.0 port 6443 from 0.0.0.0 port 42544 | |
| # sudo iptables -A PREROUTING -t nat -i enp1s0 -p tcp --dport 44394 -j REDIRECT --to-port 6443 | |
| export NAMESPACE=nextjs-sqlite | |
| export K8S_USER="github-actions" | |
| cat <<EOF | kubectl apply -f - | |
| apiVersion: v1 | |
| kind: Namespace | |
| metadata: | |
| name: ${NAMESPACE} | |
| EOF | |
| cat <<EOF | kubectl apply -f - | |
| apiVersion: v1 | |
| kind: ServiceAccount | |
| metadata: | |
| name: ${K8S_USER} | |
| namespace: ${NAMESPACE} | |
| EOF | |
| cat <<EOF | kubectl apply -f - | |
| kind: Role | |
| apiVersion: rbac.authorization.k8s.io/v1 | |
| metadata: | |
| name: admin | |
| namespace: ${NAMESPACE} | |
| rules: | |
| - apiGroups: ["", "extensions", "apps"] | |
| resources: ["*"] | |
| verbs: ["*"] | |
| - apiGroups: ["batch"] | |
| resources: | |
| - jobs | |
| - cronjobs | |
| verbs: ["*"] | |
| EOF | |
| cat <<EOF | kubectl apply -f - | |
| kind: RoleBinding | |
| apiVersion: rbac.authorization.k8s.io/v1 | |
| metadata: | |
| name: ${K8S_USER}-admin | |
| namespace: ${NAMESPACE} | |
| subjects: | |
| - kind: ServiceAccount | |
| name: ${K8S_USER} | |
| namespace: ${NAMESPACE} | |
| roleRef: | |
| apiGroup: rbac.authorization.k8s.io | |
| kind: Role | |
| name: admin | |
| EOF | |
| cat <<EOF | kubectl create -f - | |
| apiVersion: v1 | |
| type: kubernetes.io/service-account-token | |
| kind: Secret | |
| metadata: | |
| name: ${NAMESPACE}-${K8S_USER}-token | |
| namespace: ${NAMESPACE} | |
| annotations: | |
| kubernetes.io/service-account.name: ${K8S_USER} | |
| EOF | |
| TOKEN=$(kubectl --namespace ${NAMESPACE} describe secret $(kubectl -n ${NAMESPACE} get secret | (grep ${K8S_USER} || echo "$_") | awk '{print $1}') | grep token: | awk '{print $2}'\n) | |
| CLUSTER_CA=$(kubectl --namespace ${NAMESPACE} get secret `kubectl -n ${NAMESPACE} get secret | (grep ${K8S_USER} || echo "$_") | awk '{print $1}'` -o "jsonpath={.data['ca\.crt']}") | |
| cat <<EOF > ${NAMESPACE}-${K8S_USER}-kube-config.yaml | |
| apiVersion: v1 | |
| clusters: | |
| - cluster: | |
| certificate-authority-data: ${CLUSTER_CA} | |
| server: https://my-cluster:6443 | |
| name: cluster | |
| contexts: | |
| - context: | |
| cluster: cluster | |
| namespace: ${NAMESPACE} | |
| user: ${K8S_USER} | |
| name: cluster | |
| current-context: cluster | |
| kind: Config | |
| preferences: {} | |
| users: | |
| - name: ${K8S_USER} | |
| user: | |
| token: ${TOKEN} | |
| EOF | |
| echo "This command should pass" | |
| KUBECONFIG=${NAMESPACE}-${K8S_USER}-kube-config.yaml kubectl --namespace ${NAMESPACE} get pods | |
| echo "This command should fail" | |
| KUBECONFIG=${NAMESPACE}-${K8S_USER}-kube-config.yaml kubectl --namespace kube-system get pods |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment