Create User | Kubernetes
Create Restricted User
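#!/bin/bash
# Create a restricted Kubernetes user "devops" that authenticates with a
# client certificate and may only get/list pods.
#
# Steps: generate a key and CSR, submit and approve the CSR through the
# Kubernetes certificates API, fetch the signed certificate, create a Role and
# RoleBinding, and add the credentials and a context to the kubeconfig.
#
# Requires: openssl, kubectl, and a current kubectl context that is allowed to
# create/approve CertificateSigningRequests and create Roles/RoleBindings.
# Writes devops.key, devops.csr and devops.crt into the working directory.
set -euo pipefail

# The private key (and everything else written here) must not be readable by
# other local users.
umask 077

openssl genrsa -out devops.key 2048

# CN becomes the Kubernetes user name and O a group the user belongs to, so
# any RBAC binding that targets the group "devops" also applies to this user.
openssl req -new -key devops.key -out devops.csr -subj "/CN=devops/O=devops"

# Encode the CSR up front: a failing command substitution inside a here-doc
# would not stop the script, and an empty request must not be submitted.
csr_b64=$(base64 < devops.csr | tr -d '\n')
if [[ -z "$csr_b64" ]]; then
  printf 'error: devops.csr is empty or could not be encoded\n' >&2
  exit 1
fi

# Kubernetes does not check revocation for client certificates, so the issued
# credential stays valid until it expires. Consider adding
# spec.expirationSeconds below to keep the lifetime short.
kubectl apply -f - <<EOF
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: devops
spec:
  groups:
  - system:authenticated
  request: ${csr_b64}
  signerName: kubernetes.io/kube-apiserver-client
  usages:
  - client auth
EOF

# Approving a CSR hands out a cluster credential. Inspect the pending request
# first (requestor and subject) with:
#   kubectl get csr devops
kubectl certificate approve devops

# The signer fills in .status.certificate shortly after approval; retry a few
# times instead of writing an empty devops.crt.
cert_b64=""
for _ in 1 2 3 4 5; do
  cert_b64=$(kubectl get csr devops -o jsonpath='{.status.certificate}')
  if [[ -n "$cert_b64" ]]; then
    break
  fi
  sleep 1
done
if [[ -z "$cert_b64" ]]; then
  printf 'error: no certificate was issued for CSR devops\n' >&2
  exit 1
fi
printf '%s' "$cert_b64" | base64 -d > devops.crt

# Role and RoleBinding carry no metadata.namespace, so they are created in the
# namespace of the current kubectl context and grant nothing elsewhere.
# Read-only access to pods (core API group) is all this user gets.
kubectl apply -f - <<'EOF'
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: devops-role
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
EOF

kubectl apply -f - <<'EOF'
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: devops-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: devops-role
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: devops
EOF

# --embed-certs=true copies the key and certificate into the kubeconfig; the
# devops.key file stays on disk as a second copy and should be stored or
# removed deliberately.
kubectl config set-credentials devops --client-key=devops.key --client-certificate=devops.crt --embed-certs=true

# "default" must match a cluster entry in the kubeconfig; adjust if yours has
# a different name.
kubectl config set-context devops --cluster=default --user=devops

# Verify the resulting permissions, for example:
#   kubectl auth can-i list pods --as=devops
#   kubectl auth can-i delete pods --as=devops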