
Create User | Kubernetes

Create Restricted User

Bash
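#!/bin/bash
#
# Create a restricted Kubernetes user "devops" that authenticates with an
# X.509 client certificate and is only allowed to get/list pods.
#
# Steps: generate a key and CSR, submit the CSR to the cluster, approve it,
# download the signed certificate, create a Role and RoleBinding, and add the
# user and a context to the local kubeconfig.
#
# Requirements: openssl, kubectl, and a current kubeconfig context that is
# allowed to create and approve CertificateSigningRequests and to create RBAC
# objects (in practice an admin context).
#
# Security notes:
#   - devops.key is the user's credential. It is written to the current
#     directory and embedded into the kubeconfig below; protect both files.
#   - Kubernetes has no revocation for client certificates. Deleting the
#     RoleBinding removes the permissions, but the certificate still
#     authenticates as "devops" until it expires. Consider setting
#     spec.expirationSeconds on the CSR to request a short lifetime.

# Stop at the first failing step instead of approving or binding a
# half-created user.
set -euo pipefail

# Key, CSR and certificate must not be readable by other local users.
umask 077

openssl genrsa -out devops.key 2048

# CN becomes the Kubernetes user name, O becomes a group the user belongs to.
openssl req -new -key devops.key -out devops.csr -subj "/CN=devops/O=devops"

# Encode outside the heredoc so a failure here aborts the script.
csr_b64=$(base64 < devops.csr | tr -d '\n')

cat <<EOF | kubectl apply -f -
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: devops
spec:
  groups:
  - system:authenticated
  request: ${csr_b64}
  signerName: kubernetes.io/kube-apiserver-client
  usages:
  - client auth
EOF

# Inspect the pending request before approving it:
# kubectl get csr
# kubectl describe csr devops

kubectl certificate approve devops

# The signer issues the certificate asynchronously, so status.certificate can
# still be empty right after approval. Poll briefly instead of writing an
# empty devops.crt.
cert_b64=""
for ((attempt = 0; attempt < 30; attempt++)); do
  cert_b64=$(kubectl get csr devops -o jsonpath='{.status.certificate}')
  if [[ -n "$cert_b64" ]]; then
    break
  fi
  sleep 1
done

if [[ -z "$cert_b64" ]]; then
  echo "error: no certificate was issued for CSR 'devops'" >&2
  exit 1
fi

printf '%s' "$cert_b64" | base64 -d > devops.crt

# No metadata.namespace is set, so the Role and RoleBinding are created in the
# namespace of the current kubectl context and grant access only there.
cat <<'EOF' | kubectl apply -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: devops-role
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
EOF

cat <<'EOF' | kubectl apply -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: devops-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: devops-role
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: devops
EOF

# --embed-certs=true copies the key and certificate into the kubeconfig file,
# which then has to be protected like the key itself.
kubectl config set-credentials devops --client-key=devops.key --client-certificate=devops.crt --embed-certs=true

# "default" must match the name of an existing cluster entry in the kubeconfig
# (see: kubectl config get-clusters).
kubectl config set-context devops --cluster=default --user=devops

# Verify the resulting permissions from the admin context:
# kubectl auth can-i list pods --as devops
# kubectl auth can-i delete pods --as devops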