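#!/usr/bin/env bash
#
# Create a client-certificate Kubernetes user that is confined to one namespace.
#
# Steps (all run against the cluster of the current kubeconfig context):
#   1. generate a 4096-bit RSA key and a CSR whose CN is the user name and
#      whose O is the group name (kube-apiserver maps CN -> user, O -> group),
#   2. submit the CSR to the kubernetes.io/kube-apiserver-client signer and
#      approve it,
#   3. wait for the issued certificate and verify it matches the private key,
#   4. add a kubeconfig credentials entry for the user,
#   5. create two namespace-scoped Roles and bind the user to the first one.
#
# Environment (all optional; the defaults reproduce the original hard-coded names):
#   K8S_NAMESPACE  target namespace                         (default: restricted-namespace)
#   K8S_USER       user name, becomes the certificate CN    (default: ${K8S_NAMESPACE}-user-1)
#   K8S_GROUP      group name, becomes the certificate O    (default: ${K8S_NAMESPACE}-full-admin)
#   CSR_TIMEOUT    seconds to wait for the CSR to be signed (default: 60)
#
# Outputs: ${K8S_USER}.csr.cnf, ${K8S_USER}.key, ${K8S_USER}.csr and
#          ${K8S_USER}.crt in the current directory, plus a kubeconfig
#          credentials entry named ${K8S_USER}.
# Requires: openssl, kubectl with permission to create and approve CSRs and
#           to create Roles/RoleBindings in the target namespace.
set -euo pipefail

readonly K8S_NAMESPACE="${K8S_NAMESPACE:-restricted-namespace}"
readonly K8S_USER="${K8S_USER:-${K8S_NAMESPACE}-user-1}"
readonly FULL_ADMIN_ROLE="${K8S_NAMESPACE}-full-admin"
readonly DEPLOY_ADMIN_ROLE="${K8S_NAMESPACE}-deployment-admin"
# Only the O field is taken from this; nothing below binds anything to the
# group, so it is informational unless a separate binding targets it.
readonly K8S_GROUP="${K8S_GROUP:-${FULL_ADMIN_ROLE}}"
readonly CSR_TIMEOUT="${CSR_TIMEOUT:-60}"

# The private key (and the kubeconfig that will embed it) must not be readable
# by other users; apply the restrictive mask to everything this script writes.
umask 077

# Print an error to stderr and exit non-zero.
die() { printf '%s\n' "$*" >&2; exit 1; }

# Write the OpenSSL request config, then the private key and CSR for K8S_USER.
generate_key_and_csr() {
  cat <<EOF > "${K8S_USER}.csr.cnf"
[ req ]
default_bits = 4096
prompt = no
default_md = sha256
distinguished_name = dn
[ dn ]
CN = ${K8S_USER}
O = ${K8S_GROUP}
EOF
  openssl genrsa -out "${K8S_USER}.key" 4096
  openssl req -config "${K8S_USER}.csr.cnf" -new \
    -key "${K8S_USER}.key" -out "${K8S_USER}.csr"
}

# Submit the CSR to the in-cluster client signer and approve it.
# NOTE: spec.request is immutable; re-running with a leftover CSR object of
# the same name fails at apply, so delete that object first when re-running.
submit_and_approve_csr() {
  local csr_b64
  # The API expects a single-line base64 string; tr strips the line wrapping
  # that base64 adds (portable across GNU and BSD base64).
  csr_b64=$(base64 < "${K8S_USER}.csr" | tr -d '\n')
  kubectl apply -f - <<EOF
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: ${K8S_USER}
spec:
  request: ${csr_b64}
  signerName: kubernetes.io/kube-apiserver-client
  usages:
  - client auth
EOF
  kubectl certificate approve "${K8S_USER}"
}

# Poll until the signer has populated status.certificate, then write the PEM.
# Approval only marks the CSR; the certificate is issued asynchronously, so
# reading it immediately after approve can yield an empty (0-byte) .crt file.
fetch_certificate() {
  local cert_b64="" waited=0
  until cert_b64=$(kubectl get csr "${K8S_USER}" -o jsonpath='{.status.certificate}') \
      && [[ -n "$cert_b64" ]]; do
    (( waited < CSR_TIMEOUT )) \
      || die "timed out after ${CSR_TIMEOUT}s waiting for CSR ${K8S_USER} to be signed"
    sleep 1
    waited=$((waited + 1))
  done
  printf '%s' "$cert_b64" | base64 --decode > "${K8S_USER}.crt"
}

# Fail loudly if the issued certificate's public key is not our private key
# (e.g. the CSR name collided with an older request made with a different key).
verify_keypair() {
  local key_mod crt_mod
  key_mod=$(openssl rsa -noout -modulus -in "${K8S_USER}.key" | openssl md5)
  crt_mod=$(openssl x509 -noout -modulus -in "${K8S_USER}.crt" | openssl md5)
  if [[ "$key_mod" != "$crt_mod" ]]; then
    printf '%s\n' \
      "!!!!!!!!!!!!!!!!!!!! ERROR !!!!!!!!!!!!!!!!!!!!!!!!!!!!" \
      "The public and private key modulus don't match!" \
      "You would get 'error: tls: private key does not match public key'" \
      "if you tried using these for authentication." >&2
    exit 1
  fi
}

# Register the user in the current kubeconfig. --embed-certs copies the key
# and certificate into the kubeconfig file itself, so that file is now as
# sensitive as the .key file.
configure_kubeconfig() {
  kubectl config set-credentials "${K8S_USER}" \
    --client-key="${K8S_USER}.key" \
    --client-certificate="${K8S_USER}.crt" \
    --embed-certs=true
}

# Create the namespace-scoped Roles and bind K8S_USER to the full-admin Role.
apply_rbac() {
  # NOTE(review): verbs "*" on rbac.authorization.k8s.io includes the "bind"
  # and "escalate" verbs, which let this user grant permissions it does not
  # itself hold inside the namespace. Narrow the verbs if that is not intended.
  kubectl apply -f - <<EOF
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: ${FULL_ADMIN_ROLE}
  namespace: ${K8S_NAMESPACE}
rules:
- apiGroups: ["", "extensions", "apps", "rbac.authorization.k8s.io"]
  resources: ["*"]
  verbs: ["*"]
- apiGroups: ["batch"]
  resources:
  - jobs
  - cronjobs
  verbs: ["*"]
EOF
  # This narrower Role is created but not bound to anyone by this script; it
  # is available for a separate RoleBinding.
  kubectl apply -f - <<EOF
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: ${K8S_NAMESPACE}
  name: ${DEPLOY_ADMIN_ROLE}
rules:
- apiGroups: ["", "extensions", "apps"]
  resources: ["deployments", "replicasets", "pods", "services", "ingresses"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
EOF
  # The subject is the certificate CN (a User), not the O group. The subject
  # namespace field is only meaningful for ServiceAccount subjects and is kept
  # here as in the original manifest.
  kubectl apply -f - <<EOF
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: admin-view
  namespace: ${K8S_NAMESPACE}
subjects:
- kind: User
  name: ${K8S_USER}
  namespace: ${K8S_NAMESPACE}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ${FULL_ADMIN_ROLE}
EOF
}

main() {
  generate_key_and_csr
  submit_and_approve_csr
  fetch_certificate
  verify_keypair
  configure_kubeconfig
  apply_rbac
}
main "$@"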