Create user in Kubernetes for kubectl Create user in Kubernetes for kubectl kubernetes kubernetes

Create user in Kubernetes for kubectl


json kubernetes kubectl endpoint rbac

As kubernetes docs and Articles uses certificate to create or authenticate users for kubectl client. However there is one easy way to do it by using ServiceAccount. One can use ServiceAccount as a group to provide RBAC control authentication and it is very easy and descriptive. Here are the steps.All the steps i am executing is in default namespace. I am going to create a pod readonly user which can get,list,watch any pod in all namespaces.

  • Create a ServiceAccount, say 'readonlyuser'.

    kubectl create serviceaccount readonlyuser

  • Create cluster role, say 'readonlyuser'.

    kubectl create clusterrole readonlyuser --verb=get --verb=list --verb=watch --resource=pods

  • Create cluster role binding, say 'readonlyuser'.

    kubectl create clusterrolebinding readonlyuser --serviceaccount=default:readonlyuser --clusterrole=readonlyuser

  • Now get the token from secret of ServiceAccount we have created before. we will use this token to authenticate user.

    TOKEN=$(kubectl describe secrets "$(kubectl describe serviceaccount readonlyuser | grep -i Tokens | awk '{print $2}')" | grep token: | awk '{print $2}')

  • Now set the credentials for the user in kube config file. I am using 'vikash' as username.

    kubectl config set-credentials vikash --token=$TOKEN

  • Now Create a Context say podreader. I am using my clustername 'kubernetes' here.

    kubectl config set-context podreader --cluster=kubernetes --user=vikash

  • Finally use the context .

    kubectl config use-context podreader

And that's it. Now one can execute kubectl get pods --all-namespaces. One can also check the access by executing as given:

~ : $ kubectl auth can-i get pods --all-namespacesyes~ : $ kubectl auth can-i create podsno~ : $ kubectl auth can-i delete podsno

json kubernetes kubectl endpoint rbac

In this guide you can find how to configure a user for your cluster: https://docs.bitnami.com/kubernetes/how-to/configure-rbac-in-your-kubernetes-cluster/#use-case-1-create-user-with-limited-namespace-access

Long story short:

  • Create certificates for the user
  • Create a certificate sign request
  • Sign the certificate with the cluster certificate authority
  • Create a configuration for your user
  • Add RBAC rules for this user or its group

Regarding the ca.crt, you need to find it in your master host.

Edited: In the case of GKE, check here https://cloud.google.com/container-engine/docs/iam-integration

json kubernetes kubectl endpoint rbac

A little late update for what worked for me.
I needed also to filter out by namespaces, to give developers read-only access to main app resources, but not nodes, secrets, ingress-controllers, ingress or other namespaces.

Modify and apply the follwing YAML:

apiVersion: v1kind: ServiceAccountmetadata:  name: sa-reader  namespace: default---apiVersion: rbac.authorization.k8s.io/v1kind: ClusterRolemetadata:  name: reader-crrules:- verbs: ["get", "list", "watch"]  resources:   - namespaces  - services  - endpoints  - pods  - deployments  - configmaps  - jobs  - cronjobs  - daemonsets  - statefulsets  - replicasets  - persistentvolumes  apiGroups: ["","apps","batch"]- verbs: ["create", "delete"]  resources: ["pods"]  apiGroups: [""]---apiVersion: rbac.authorization.k8s.io/v1kind: RoleBindingmetadata:  name: read-tuxerrante-pods-rb  namespace: tuxerrantesubjects:- kind: ServiceAccount  name: sa-reader  namespace: defaultroleRef:  kind: ClusterRole  name: reader-cr  apiGroup: rbac.authorization.k8s.io---apiVersion: rbac.authorization.k8s.io/v1kind: RoleBindingmetadata:  name: read-tuxerrante-round-pods-rb  namespace: tuxerrante-roundsubjects:- kind: ServiceAccount  name: sa-reader  namespace: defaultroleRef:  kind: ClusterRole  name: reader-cr  apiGroup: rbac.authorization.k8s.io
# THIS WILL APPEND CONFIGURATIONS TO YOUR CURRENT KUBECONFIG$ TOKEN=$(kubectl describe -n default secrets "$(kubectl describe -n default serviceaccount sa-reader | grep -i Tokens | awk '{print $2}')" | grep token: | awk '{print $2}')$ kubectl config set-credentials reader-user --token=$TOKEN$ kubectl config set-context cluster-reader --cluster=cluster-svil --user=reader-user# I PREFER TO COPY THE PREVIOUS NEW CONFIG IN A NEW FILE AND THEN USE IT# $ export KUBECONFIG=~/.kube/tuxerrante-reader.kubeconfig$ kubectl config use-context cluster-reader$ kubectl auth can-i get pods --all-namespaces$ kubectl auth can-i create pods$ kubectl auth can-i delete pods$ kubectl -n tuxerrante get pods

Recent Posts
How can I color dots in a xy scatterplot according to column value?
How to update a claim in ASP.NET Identity?
What does {0} mean when initializing an object?
Accessing members of items in a JSONArray with Java
How to log SQL statements in Spring Boot?
Powershell Get-WebSite name parameter is ignored
How to detect scroll to bottom of html element
Java synchronized method
How to test controllers with CodeIgniter?
Detect Visual Composer
Matplotlib: Specify format of floats for tick labels
Rails join a list of strings with commas and "and" before the last