1. Generate certificates for the user.

Following command will generates an Ed25519 private key using OpenSSL.

openssl genpkey -out john.key -algorithm Ed25519

“_Algorithm Ed25519 not found_” If you find this error simply upgrade your openssl.

cat hatim.key

-----BEGIN PRIVATE KEY-----  
MC4CAQAwBQYDK2VwBCIEIBDWF4uAgPnmVQ9meMtjG4cMomoq8qpfyfOZ14Ef8pYq  
-----END PRIVATE KEY-----

After executing this command, OpenSSL will generate an Ed25519(which is a modern elliptic curve cryptography algorithm) private key and save it in the “john.key” file. Keep in mind that it’s crucial to protect this private key since it grants access to sensitive information or operations.

openssl req -new -key john.key -out john.csr -subj "/CN=john,/O=edit"

In this example, the Common Name (CN) is set to “john” and the Organization (O) is set to “edit”.

2. Create a certificate signing request (CSR).

For request we have to obtain the base64-encoded representation of the contents of the “john.csr” file without newline characters. This encoding is often useful for transmitting or storing binary data in a text-based format.

cat hatim.csr | base64 | tr -d "\n"

LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0KTUlHZU1GSUNBUUF3SHpFT01Bd0dBMVVFQXd3RmFtOW9iaXd4RFRBTEJnTlZCQW9NQkdWa2FYUXdLakFGQmdNcgpaWEFESVFEbk9nYXEzSEcyMkw1dFROZ0JaQ1lHYkJiSjdXQ05BTmE2aWhsNll0NWFkNkFBTUFVR0F5dGxjQU5CCkFPeVJaZlpKY2c3eE90eHBjUmFqZmlySk9WcVkvaE9CQldneEJubERFek4rbXpJRm12MkU5czNoaXBQZjBOYk8KMkNrR0pNR0NhOXJabStVRHowelhqZ009Ci0tLS0tRU5EIENFUlRJRklDQVRFIFJFUVVFU1QtLS0tLQo=

Then we will copy a CertificateSigningReques template from k8 docs. Simply copy the output from previous command & replace in .spec.request.

cat <<EOF | kubectl apply -f -  
apiVersion: certificates.k8s.io/v1  
kind: CertificateSigningRequest  
metadata:  
  name: john  
spec:  
  request: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0KTUlHZU1GSUNBUUF3SHpFT01Bd0dBMVVFQXd3RmFtOW9iaXd4RFRBTEJnTlZCQW9NQkdWa2FYUXdLakFGQmdNcgpaWEFESVFEbk9nYXEzSEcyMkw1dFROZ0JaQ1lHYkJiSjdXQ05BTmE2aWhsNll0NWFkNkFBTUFVR0F5dGxjQU5CCkFPeVJaZlpKY2c3eE90eHBjUmFqZmlySk9WcVkvaE9CQldneEJubERFek4rbXpJRm12MkU5czNoaXBQZjBOYk8KMkNrR0pNR0NhOXJabStVRHowelhqZ009Ci0tLS0tRU5EIENFUlRJRklDQVRFIFJFUVVFU1QtLS0tLQo=  
  signerName: kubernetes.io/kube-apiserver-client  
  expirationSeconds: 86400  # one day  
  usages:  
  - client auth  
EOF

certificatesigningrequest.certificates.k8s.io/john created

3. Sign the certificate using the cluster certificate authority.

By executing following command, you authorize the issuance of a certificate associated with the CSR, allowing the user to use the certificate for authentication and access within the Kubernetes cluster.

kubectl certificate approve hatim

certificatesigningrequest.certificates.k8s.io/hatimapproved

We can double check our user (hatim) CSR status.

kubectl describe csr/hatim
Name:         john  
Labels:       <none>  
Annotations:  kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"certificates.k8s.io/v1","kind":"CertificateSigningRequest","metadata":{"annotations":{},"name":"john"},"spec":{"expirationSeconds":86400,"request":"LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0KTUlHZU1GSUNBUUF3SHpFT01Bd0dBMVVFQXd3RmFtOW9iaXd4RFRBTEJnTlZCQW9NQkdWa2FYUXdLakFGQmdNcgpaWEFESVFEbk9nYXEzSEcyMkw1dFROZ0JaQ1lHYkJiSjdXQ05BTmE2aWhsNll0NWFkNkFBTUFVR0F5dGxjQU5CCkFPeVJaZlpKY2c3eE90eHBjUmFqZmlySk9WcVkvaE9CQldneEJubERFek4rbXpJRm12MkU5czNoaXBQZjBOYk8KMkNrR0pNR0NhOXJabStVRHowelhqZ009Ci0tLS0tRU5EIENFUlRJRklDQVRFIFJFUVVFU1QtLS0tLQo=","signerName":"kubernetes.io/kube-apiserver-client","usages":["client auth"]}}

CreationTimestamp:   Wed, 21 Jun 2023 14:28:59 +0000  
Requesting User:     system:admin  
Signer:              kubernetes.io/kube-apiserver-client  
Requested Duration:  24h  
Status:              Approved,Issued  
Subject:  
         Common Name:    john,  
         Serial Number:    
         Organization:   edit  
Events:  <none>

Please note that in production env, you’ll need the appropriate permissions and role-based access control (RBAC) privileges to execute this command successfully. But we’re here for short & quick proto, aren’t we?

4. Create a configuration specific to the user.

kubectl get csr/hatim-o jsonpath="{.status.certificate}" | base64 -d > john.crt


cp ~/.kube/config john-kube-config   #always backup


kubectl config get-clusters

NAME  
default

Now we extracts the certificate from a CertificateSigningRequest (CSR) named “john” using kubectl and jsonpath. The certificate is base64-decoded and saved in a file named "john.crt". Keep in mind that we only have one cluster in this case named default .

**

Add user

** 1

kubectl --kubeconfig hatim-kube-config config set-cluster KSP --server=https://192.168.1.31:6443 --insecure-skip-tls-verify=true
Cluster "KSP" set.

2

kubectl --kubeconfig hatim-kube-config config set-credentials hatim   --client-key hatim.key   --client-certificate hatim.crt   --embed-certs=true
User "hatim" set.

3

kubectl --kubeconfig hatim-kube-config config set-context hatim --cluster KSP --user hatim

5. Add RBAC rules for the user or their group.

Create a Role for John to manage pods in the default namespace:

kubectl create role pod-manager --verb=create,list,get --resource=pods --namespace=default

Bind the Role with a ClusterRoleBinding:

kubectl create clusterrolebinding john-pod-manager — clusterrole=pod-manager — user=hatim

Verify authorization using kubectl auth can-i:

kubectl auth can-i create deployments --namespace=default --as=hatim
no

kubectl auth can-i get pods --namespace=default --as=hatim
yes
Retour à la liste
Copyright © Your Website 2024