├── files ├── etcd-cluster.yaml ├── etcd-operator-rbac.yaml ├── janwillies-view-rbac.yaml ├── janwillies.conf ├── kube-flannel-rbac.yaml ├── kube-flannel.yaml ├── kubelet.service └── testing-admin-rbac.yaml └── readme.md /files/etcd-cluster.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: "etcd.coreos.com/v1beta1" 2 | kind: "Cluster" 3 | metadata: 4 | name: "etcd-cluster" 5 | spec: 6 | size: 3 7 | version: "3.1.2" -------------------------------------------------------------------------------- /files/etcd-operator-rbac.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1beta1 2 | kind: ClusterRole 3 | metadata: 4 | name: etcd-operator 5 | rules: 6 | - apiGroups: 7 | - etcd.coreos.com 8 | resources: 9 | - clusters 10 | verbs: 11 | - "*" 12 | - apiGroups: 13 | - extensions 14 | resources: 15 | - thirdpartyresources 16 | verbs: 17 | - create 18 | - apiGroups: 19 | - storage.k8s.io 20 | resources: 21 | - storageclasses 22 | verbs: 23 | - create 24 | - apiGroups: 25 | - "" 26 | resources: 27 | - pods 28 | - services 29 | - endpoints 30 | - persistentvolumeclaims 31 | verbs: 32 | - "*" 33 | - apiGroups: 34 | - extensions 35 | resources: 36 | - replicasets 37 | verbs: 38 | - "*" -------------------------------------------------------------------------------- /files/janwillies-view-rbac.yaml: -------------------------------------------------------------------------------- 1 | kind: RoleBinding 2 | apiVersion: rbac.authorization.k8s.io/v1beta1 3 | metadata: 4 | name: janwillies-preprod-view 5 | namespace: preprod # This binding only applies in the "testing" namespace 6 | subjects: 7 | - kind: User # May be "User", "Group" or "ServiceAccount" 8 | name: janwillies 9 | roleRef: 10 | kind: ClusterRole 11 | name: view 12 | apiGroup: rbac.authorization.k8s.io -------------------------------------------------------------------------------- 
/files/janwillies.conf: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | clusters: 3 | - cluster: 4 | certificate-authority-data: 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 5 | server: https://10.7.183.62:6443 6 | name: kubernetes 7 | contexts: 8 | - context: 9 | cluster: kubernetes 10 | namespace: etcd 11 | user: janwillies 12 | name: janwillies@kubernetes 13 | current-context: janwillies@kubernetes 14 | kind: Config 15 | preferences: {} 16 | users: 17 | - name: janwillies 18 | user: 19 | client-certificate-data: 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 20 | client-key-data: 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 -------------------------------------------------------------------------------- /files/kube-flannel-rbac.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | kind: ClusterRole 3 | apiVersion: rbac.authorization.k8s.io/v1beta1 4 | metadata: 5 | name: flannel 6 | rules: 7 | - apiGroups: 8 | - "" 9 | resources: 10 | - pods 11 | verbs: 12 | - get 13 | - apiGroups: 14 | - "" 15 | resources: 16 | - nodes 17 | verbs: 18 | - list 19 | - update 20 | - watch -------------------------------------------------------------------------------- /files/kube-flannel.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | name: flannel 6 | --- 7 | kind: ConfigMap 8 | apiVersion: v1 9 | metadata: 10 | name: kube-flannel-cfg 11 | labels: 12 | tier: node 13 | app: flannel 14 | data: 15 | cni-conf.json: | 16 | { 17 | "name": "cbr0", 18 | "type": "flannel", 19 | "delegate": { 20 | "isDefaultGateway": true 21 | } 22 | } 23 | net-conf.json: | 24 | { 25 | "Network": "10.244.0.0/16", 26 | "Backend": { 27 | "Type": "vxlan" 28 | } 29 | } 30 | --- 31 | apiVersion: extensions/v1beta1 32 | kind: DaemonSet 33 | metadata: 34 | name: kube-flannel-ds 35 | 
labels: 36 | tier: node 37 | app: flannel 38 | spec: 39 | template: 40 | metadata: 41 | labels: 42 | tier: node 43 | app: flannel 44 | spec: 45 | hostNetwork: true 46 | nodeSelector: 47 | beta.kubernetes.io/arch: amd64 48 | serviceAccountName: flannel 49 | containers: 50 | - name: kube-flannel 51 | image: quay.io/coreos/flannel:v0.7.0-amd64 52 | command: [ "/opt/bin/flanneld", "--ip-masq", "--kube-subnet-mgr" ] 53 | securityContext: 54 | privileged: true 55 | env: 56 | - name: POD_NAME 57 | valueFrom: 58 | fieldRef: 59 | fieldPath: metadata.name 60 | - name: POD_NAMESPACE 61 | valueFrom: 62 | fieldRef: 63 | fieldPath: metadata.namespace 64 | volumeMounts: 65 | - name: run 66 | mountPath: /run 67 | - name: flannel-cfg 68 | mountPath: /etc/kube-flannel/ 69 | - name: install-cni 70 | image: quay.io/coreos/flannel:v0.7.0-amd64 71 | command: [ "/bin/sh", "-c", "set -e -x; cp -f /etc/kube-flannel/cni-conf.json /etc/cni/net.d/10-flannel.conf; while true; do sleep 3600; done" ] 72 | volumeMounts: 73 | - name: cni 74 | mountPath: /etc/cni/net.d 75 | - name: flannel-cfg 76 | mountPath: /etc/kube-flannel/ 77 | volumes: 78 | - name: run 79 | hostPath: 80 | path: /run 81 | - name: cni 82 | hostPath: 83 | path: /etc/cni/net.d 84 | - name: flannel-cfg 85 | configMap: 86 | name: kube-flannel-cfg -------------------------------------------------------------------------------- /files/kubelet.service: -------------------------------------------------------------------------------- 1 | [Unit] 2 | Description=kubelet: The Kubernetes Node Agent 3 | Documentation=http://kubernetes.io/docs/ 4 | 5 | [Service] 6 | Environment="KUBELET_KUBECONFIG_ARGS=--kubeconfig=/etc/kubernetes/kubelet.conf --require-kubeconfig=true" 7 | Environment="KUBELET_SYSTEM_PODS_ARGS=--pod-manifest-path=/etc/kubernetes/manifests --allow-privileged=true" 8 | Environment="KUBELET_NETWORK_ARGS=--network-plugin=cni --cni-conf-dir=/etc/cni/net.d --cni-bin-dir=/opt/cni/bin" 9 | 
Environment="KUBELET_DNS_ARGS=--cluster-dns=10.96.0.10 --cluster-domain=cluster.local" 10 | ExecStart=/usr/bin/kubelet $KUBELET_KUBECONFIG_ARGS $KUBELET_SYSTEM_PODS_ARGS $KUBELET_NETWORK_ARGS $KUBELET_DNS_ARGS $KUBELET_EXTRA_ARGS 11 | Restart=always 12 | StartLimitInterval=0 13 | RestartSec=10 14 | 15 | [Install] 16 | WantedBy=multi-user.target -------------------------------------------------------------------------------- /files/testing-admin-rbac.yaml: -------------------------------------------------------------------------------- 1 | kind: RoleBinding 2 | apiVersion: rbac.authorization.k8s.io/v1beta1 3 | metadata: 4 | name: testing-edit 5 | namespace: testing # This binding only applies in the "testing" namespace 6 | subjects: 7 | - kind: Group # May be "User", "Group" or "ServiceAccount" 8 | name: testing 9 | roleRef: 10 | kind: ClusterRole 11 | name: edit 12 | apiGroup: rbac.authorization.k8s.io -------------------------------------------------------------------------------- /readme.md: -------------------------------------------------------------------------------- 1 | # How to bring up an RBAC cluster 2 | We will bootstrap a Kubernetes cluster with RBAC permissions and demonstrate different types of permissions (single user and group). 3 | 4 | ## Bootstrap Kubernetes 5 | 6 | We will use `kubeadm` since it's the easiest way to bring up a cluster with rbac. Fortunately for us SIG-Cluster-Lifecycle and SIG-Auth were hard at work and `kubeadm` enables rbac per default and even comes up with a default set of rbac-roles already! 7 | 8 | Until Kubernetes-1.6 is out, make sure you have the following 9 | - [Kubernetes-v1.6.0-beta.3](https://dl.k8s.io/v1.6.0-beta.3/kubernetes-server-linux-amd64.tar.gz) 10 | - [kubelet.service](files/kubelet.service) from `files/` 11 | 12 | `wget` and `untar` Kubernetes, then copy `kubeadm` to `/usr/bin/`. Copy `files/kubelet.service` to `/etc/systemd/system/` and reload systemd with `systemctl daemon-reload`. 
13 | 14 | ### Master 15 | ``` 16 | kubeadm init --pod-network-cidr=10.244.0.0/16 17 | ``` 18 | Note that `10.244.0.0/16` is the default CIDR of flannel, which we will use the overlay network later. If you want to change that, make sure to change flannel as well. 19 | ### Worker 20 | scp `files/kubelet.service` to the node and reload systemd with `systemctl daemon-reload`. Then run `kubeadm` with the output from above, e.g. 21 | ``` 22 | kubeadm join --token fb33d6.9ed5211dbd29a876 10.7.183.62:6443 23 | ``` 24 | 25 | ### Checkpoint 26 | Let's check if everything came up correctly, especially the `rbac` related things. On the master: 27 | ``` 28 | $ export KUBECONFIG=/etc/kubernetes/admin.conf 29 | 30 | $ kubectl get node -o wide 31 | NAME STATUS AGE VERSION EXTERNAL-IP OS-IMAGE KERNEL-VERSION 32 | mt02db07 Ready 14h v1.6.0-beta.2 Ubuntu 16.04.2 LTS 4.9.13-040913-generic 33 | mt02db08 Ready 14h v1.6.0-beta.2 Ubuntu 16.04.2 LTS 4.9.13-040913-generic 34 | 35 | $ kubectl get clusterrole 36 | NAME AGE 37 | admin 14h 38 | cluster-admin 14h 39 | edit 14h 40 | system:auth-delegator 14h 41 | system:basic-user 14h 42 | system:controller:attachdetach-controller 14h 43 | system:controller:certificate-controller 14h 44 | system:controller:cronjob-controller 14h 45 | [...] 46 | ``` 47 | For more info about the different roles, have a look at the [RBAC-docs](https://kubernetes-io-vnext-staging.netlify.com/docs/admin/authorization/rbac/). 48 | Looks good, let's continue with creating the supporting infrastructure 49 | ### Network 50 | Create the appropriate `serviceaccount` and `ClusterRole`, then deploy flannel: 51 | ``` 52 | kubectl create -f files/kube-flannel-rbac.yml 53 | kubectl create clusterrolebinding flannel --clusterrole=flannel --serviceaccount=kube-system:flannel 54 | kubectl create --namespace kube-system -f files/kube-flannel.yml 55 | ``` 56 | 57 | ### Tiller 58 | Tiller itself runs with a full access to cluster. 
But any API call made to Tiller by a user will be authorized at that user's level.
For the sake of the demo we will use a client cert instead of some of the more advanced methods (e.g. `OIDC`). 112 | ### generate client cert 113 | The admin will use openssl to generate a client csr and approve it with the cluster ca. 114 | ``` 115 | cd /etc/kubernetes/pki 116 | openssl genrsa -out janwillies.key 2048 117 | openssl req -new -key janwillies.key -out janwillies.csr -subj "/CN=janwillies/O=testing/O=preprod" 118 | openssl x509 -req -in janwillies.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out janwillies.crt -days 10000 119 | openssl genrsa -out aricrenzo.key 2048 120 | openssl req -new -key aricrenzo.key -out aricrenzo.csr -subj "/CN=aricrenzo/O=testing" 121 | openssl x509 -req -in aricrenzo.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out aricrenzo.crt -days 10000 122 | ``` 123 | ### kubeconfig 124 | prepare the `kubeconfig` file which we named `janwillies.conf`: 125 | ``` 126 | base64 -w0 janwillies.crt && echo 127 | base64 -w0 janwillies.key && echo 128 | ``` 129 | replace `client-certificate-data` and `client-key-data` in `files/janwillies.conf` with the output from above 130 | 131 | ### test 132 | ``` 133 | $ export KUBECONFIG=~/janwillies.conf 134 | 135 | $ kubectl get pods 136 | Error from server (Forbidden): User "janwillies" cannot list pods in the namespace "etcd". (get pods) 137 | ``` 138 | oh no! 139 | 140 | ## Permissions 141 | The `cluster-admin` has to grant access by creating the appropriate `RoleBinding` first: 142 | ``` 143 | kubectl create -f files/testing-admin-rbac.yaml 144 | ``` 145 | Notice the `kind: Group` in the file, this means we will grant access to the whole `testing`-team instead of managing roles individually. 
146 | 147 | Switch back to the user and test again: 148 | 149 | ``` 150 | $ kubectl get pods 151 | NAME READY STATUS RESTARTS AGE 152 | volted-dachshund-etcd-op-1967454838-jr8pb 1/1 Running 0 2h 153 | ``` 154 | 155 | ## cleanup 156 | ``` 157 | sudo su - 158 | systemctl stop kubelet 159 | docker rm -f $(docker ps -a -q) 160 | rm -rf /etc/kubernetes 161 | umount /var/lib/kubelet/pods/*/*/*/* 162 | rm -rf /var/lib/kubelet 163 | rm -rf /var/lib/etcd/ 164 | ip addr flush dev cni0 165 | ip addr flush dev flannel.1 166 | exit 167 | ``` 168 | 169 | ## Resources 170 | - https://kubernetes-io-vnext-staging.netlify.com/docs/admin/authorization/rbac/ 171 | - https://kubernetes.io/docs/admin/authentication/ 172 | - https://github.com/kubernetes/helm/pull/1932 173 | 174 | ## Notes 175 | show `kubelet` logs since last restart of service 176 | ``` 177 | systemctl show -p ActiveEnterTimestamp kubelet 178 | journalctl -u kubelet --since 2017-03-0823:47:11 179 | ``` 180 | or directly 181 | ``` 182 | journalctl -u kubelet --since "$(systemctl show -p ActiveEnterTimestamp kubelet | awk '{print $2 $3}')" 183 | ``` --------------------------------------------------------------------------------