Kubernetes: Manage Access via Certificates

Google Cloud-Based Kubernetes RBAC

Let's get started.

kubectl create namespace qa-team

# Role: grants pod permissions only inside the qa-team namespace
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: qa-team
  name: qa-pod
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list", "create"]
---
# RoleBinding: ties the Role above to one user; it must live in the same
# namespace as the Role, because a roleRef cannot point across namespaces
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: pod-reader-binding
  namespace: qa-team
subjects:
- kind: User
  name: handsomeqateamlead@kloia.com
roleRef:
  kind: Role
  name: qa-pod
  apiGroup: rbac.authorization.k8s.io
gcloud container clusters get-credentials $CLUSTER_ID --zone $ZONE --project $GCLOUD_PROJECT
$ kubectl get ns
Error from server (Forbidden): namespaces is forbidden: User "handsomeqateamlead@team.com" cannot list namespaces at the cluster scope: Required "container.namespaces.list" permission.
$ kubectl get po
Error from server (Forbidden): pods is forbidden: User "handsomeqateamlead@team.com" cannot list pods in the namespace "default": Required "container.pods.list" permission.
$ kubectl get po -n qa-team
NAME READY STATUS RESTARTS AGE
selenium-0 1/1 Running 0 10d

What is Kops?

  • Kops is a tool for automating Kubernetes installation in your cloud environment.
  • Kops always holds its state in an S3 bucket; this bucket contains the certificates, credentials, etc. for your Kubernetes cluster.
  • Kops is a CLI tool, not a managed Kubernetes PaaS offered by your cloud provider, so you are responsible for your Kubernetes cluster at the platform and infrastructure level (not the hardware).

Let's get started.
export KOPS_STATE_STORE=s3://delikanlilar-cluster
aws s3 cp $KOPS_STATE_STORE/$CLUSTERNAME/pki/private/ca/$KEY ca.key
aws s3 cp $KOPS_STATE_STORE/$CLUSTERNAME/pki/issued/ca/$CERT ca.crt

Kubernetes takes the certificate's CN as the user name and its O as the group, so CN=qa-user-1 is the subject name that the RoleBinding below refers to.

$ openssl genrsa -out qa.key 4096
$ openssl req -new -key qa.key -out qa.csr -subj '/CN=qa-user-1/O=qa'
$ openssl x509 -req -in qa.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out qa.crt -days 365
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: qa-team
  name: qa-team-pod-list
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get","list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: qa-team-role-binding
  namespace: qa-team
subjects:
- kind: User
  name: qa-user-1
roleRef:
  kind: Role
  name: qa-team-pod-list
  apiGroup: rbac.authorization.k8s.io
kubectl config set-cluster <CLUSTER_NAME> --server=https://<URL>
kubectl config set-cluster <CLUSTER_NAME> --certificate-authority=ca.crt
kubectl config set-credentials viewer --client-key=qa.key --client-certificate=qa.crt

kubectl config set-context <CLUSTER_NAME> --user=viewer --cluster <CLUSTER_NAME>

kubectl config use-context <CLUSTER_NAME>
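The openssl and kubeconfig steps above, as an added example that is not part of the original post: a POSIX shell script that builds a constructed, self-signed stand-in for the cluster CA, issues a client certificate the way the post does, then checks that the certificate chains to the CA and reads back the CN and O, which the API server maps to the user name and group named in the RoleBinding. The function and file names (make_demo_ca, issue_user_cert, cert_identity, cert_trusted, qa-user-1.crt) are assumptions of this example, and it needs openssl on the path.

```shell
#!/bin/sh
# Added example, not from the original post: build a throwaway CA, issue a
# client certificate the same way the post does, then verify the chain and
# read back the subject fields the API server turns into an identity:
#   CN -> User  (must equal subjects[].name in the RoleBinding: qa-user-1)
#   O  -> Group (so the same cert could also be bound with kind: Group, name: qa)
# The CA is self-signed and constructed for the demo; on a kops cluster use
# the ca.crt / ca.key fetched from the state store instead.
set -e

WORKDIR=$(mktemp -d)
cd "$WORKDIR"

make_demo_ca() {
  # Constructed stand-in for the cluster CA (2048-bit keys keep the demo fast).
  openssl genrsa -out ca.key 2048 2>/dev/null
  openssl req -x509 -new -key ca.key -days 1 -subj '/CN=demo-kubernetes-ca' \
    -out ca.crt 2>/dev/null
}

issue_user_cert() {
  # $1 = user name (becomes CN), $2 = group (becomes O); mirrors the post's commands.
  user=$1; group=$2
  openssl genrsa -out "$user.key" 2048 2>/dev/null
  openssl req -new -key "$user.key" -out "$user.csr" -subj "/CN=$user/O=$group" 2>/dev/null
  openssl x509 -req -in "$user.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
    -out "$user.crt" -days 1 2>/dev/null
}

# Print "<user> <group>" as Kubernetes will see them, read from the cert subject.
cert_identity() {
  subj=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253)
  cn=$(printf '%s\n' "$subj" | sed -n 's/.*CN=\([^,]*\).*/\1/p')
  o=$(printf '%s\n' "$subj" | sed -n 's/.*O=\([^,]*\).*/\1/p')
  printf '%s %s\n' "$cn" "$o"
}

# Succeed only if the cert chains to ca.crt, i.e. the API server would accept it.
cert_trusted() {
  openssl verify -CAfile ca.crt "$1" >/dev/null 2>&1
}

make_demo_ca
issue_user_cert qa-user-1 qa
cert_identity qa-user-1.crt          # prints: qa-user-1 qa
cert_trusted qa-user-1.crt && echo "qa-user-1.crt is signed by the cluster CA"
```

Run the same cert_identity check against the real qa.crt before applying the RoleBinding: if the printed user does not match subjects[].name exactly, the binding grants nothing and kubectl will keep returning Forbidden.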

Conclusion

Emir Özbir