Kubernetes : Manage Access via Certificates

Google Cloud Based Kubernetes RBAC

Let's get started.

Create the namespace, a Role that grants pod access inside it, and a RoleBinding in the same namespace that attaches the Role to the Google account. On GKE, RBAC is additive on top of IAM: the account still needs an IAM role that allows container.clusters.get (Kubernetes Engine Cluster Viewer is enough) in order to fetch credentials, but everything it can do inside the cluster comes from these objects.

kubectl create namespace qa-team

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: qa-team
  name: qa-pod
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list", "create"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: pod-reader-binding
  namespace: qa-team
subjects:
- kind: User
  name: handsomeqateamlead@kloia.com
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: qa-pod
  apiGroup: rbac.authorization.k8s.io

Note that the RoleBinding lives in qa-team, the namespace of the Role it references; a binding created in any other namespace grants nothing.
Then fetch credentials as that Google account and check what it can see:

gcloud container clusters get-credentials $CLUSTER_ID --zone $ZONE --project $GCLOUD_PROJECT

$ kubectl get ns
Error from server (Forbidden): namespaces is forbidden: User "handsomeqateamlead@kloia.com" cannot list namespaces at the cluster scope: Required "container.namespaces.list" permission.

$ kubectl get po
Error from server (Forbidden): pods is forbidden: User "handsomeqateamlead@kloia.com" cannot list pods in the namespace "default": Required "container.pods.list" permission.

$ kubectl get po -n qa-team
NAME         READY   STATUS    RESTARTS   AGE
selenium-0   1/1     Running   0          10d

Both refusals are expected: the Role is scoped to qa-team, so listing namespaces (a cluster-scoped resource) and listing pods in default are denied, and only the bound namespace answers.
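The same setup as a small script, added here as an example (it is not code from the original post): it renders the namespace-scoped Role/RoleBinding pair for one user, refuses wildcard verbs, and checks the effective permission with kubectl's impersonation flag instead of trusting the YAML. The namespace, role and account names follow the post; the function names and the RUN_EXAMPLE switch are this example's own.

```shell
#!/usr/bin/env sh
# Added example, not from the original post. Renders a namespace-scoped
# Role + RoleBinding for a single user and verifies it by impersonation.

# Least privilege: refuse wildcard verbs. "*" on pods silently includes
# delete, deletecollection and patch, which a pod-listing role must not have.
check_verbs() {
  for verb in "$@"; do
    case "$verb" in
      '*'|'') echo "refusing verb '$verb'" >&2; return 1 ;;
    esac
  done
  return 0
}

# Print a Role and the RoleBinding that attaches it to USER, both in NAMESPACE.
# Usage: render_pod_rbac NAMESPACE ROLE USER VERB...
# The RoleBinding must live in the same namespace as the Role it references;
# a binding created elsewhere grants nothing.
render_pod_rbac() {
  namespace="$1"; role="$2"; user="$3"; shift 3
  check_verbs "$@" || return 1
  verbs=""
  for verb in "$@"; do verbs="${verbs:+$verbs, }\"$verb\""; done
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: ${namespace}
  name: ${role}
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: [${verbs}]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: ${namespace}
  name: ${role}-binding
subjects:
- kind: User
  name: ${user}
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: ${role}
  apiGroup: rbac.authorization.k8s.io
EOF
}

# Ask the API server, as an admin, what USER may do. --as impersonates the
# user, so the answer is the server's real decision (RBAC plus, on GKE, IAM),
# not a reading of the manifest. Returns 0 for "yes", 1 for "no".
can_user() {
  user="$1"; verb="$2"; resource="$3"; namespace="$4"
  kubectl auth can-i "$verb" "$resource" --as="$user" -n "$namespace" >/dev/null 2>&1
}

# Set RUN_EXAMPLE=1 to apply and verify against the current kubectl context.
if [ "${RUN_EXAMPLE:-}" = 1 ]; then
  user=handsomeqateamlead@kloia.com
  kubectl create namespace qa-team 2>/dev/null || true
  render_pod_rbac qa-team qa-pod "$user" get watch list create | kubectl apply -f -
  can_user "$user" list pods qa-team    && echo "ok: can list pods in qa-team"
  can_user "$user" list pods default    || echo "ok: cannot list pods in default"
  can_user "$user" delete pods qa-team  || echo "ok: cannot delete pods in qa-team"
fi
```

The impersonation check needs a context that is itself allowed to impersonate users (cluster-admin has this), and it is the check worth keeping in a pipeline: it catches a RoleBinding in the wrong namespace or a typo in the account name, which a successful `kubectl apply` does not.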

What is Kops?

  • Kops is a tool that automates installing Kubernetes in your cloud environment.
  • Kops keeps its state in an S3 bucket; that bucket holds the cluster's certificates, keys and credentials, so anyone who can read it can impersonate the cluster.
  • Kops is a CLI tool, not a managed Kubernetes PaaS run by your cloud provider, so you are responsible for the cluster at the platform and infrastructure level (not the hardware).
Kops keeps the cluster CA under pki/ in the state store. Copy the CA certificate and private key out of the bucket and issue a client certificate for the QA user. The certificate's CN becomes the Kubernetes user name and its O becomes a group name.

export KOPS_STATE_STORE=s3://delikanlilar-cluster
aws s3 cp $KOPS_STATE_STORE/$CLUSTERNAME/pki/private/ca/$KEY ca.key
aws s3 cp $KOPS_STATE_STORE/$CLUSTERNAME/pki/issued/ca/$CERT ca.crt

$ openssl genrsa -out qa.key 4096
$ openssl req -new -key qa.key -out qa.csr -subj '/CN=qa-user-1/O=qa'
$ openssl x509 -req -in qa.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out qa.crt -days 365

Treat ca.key as the most sensitive file in the cluster: whoever holds it can sign a certificate for any user or group, including O=system:masters, which carries cluster-admin rights, and the API server cannot revoke client certificates once issued. Sign on a trusted machine, delete the local copy afterwards, keep the validity period short, and restrict and log access to the state bucket.
Now bind the certificate's user name to a Role in the namespace (the RoleBinding must be in qa-team as well; rbac.authorization.k8s.io/v1beta1 was removed in Kubernetes 1.22, so use v1):

---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: qa-team
  name: qa-team-pod-list
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: qa-team-role-binding
  namespace: qa-team
subjects:
- kind: User
  name: qa-user-1
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: qa-team-pod-list
  apiGroup: rbac.authorization.k8s.io
Finally, build a kubeconfig for the user from the cluster endpoint, the CA certificate and the key/certificate pair just issued (the key must be the one the CSR was generated from, qa.key):

kubectl config set-cluster <CLUSTER_NAME> --server=https://<URL>
kubectl config set-cluster <CLUSTER_NAME> --certificate-authority=ca.crt
kubectl config set-credentials viewer --client-key=qa.key --client-certificate=qa.crt

kubectl config set-context <CLUSTER_NAME> --user=viewer --cluster <CLUSTER_NAME>

kubectl config use-context <CLUSTER_NAME>
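The certificate steps above as one script, added here as an example (not code from the original post or from kops): it refuses subjects in the reserved system: prefix before anything is signed, verifies the issued certificate against the CA, checks that the subject is what RBAC will see, and writes a kubeconfig with the CA and client credentials embedded so a single file can be handed out. It assumes ca.crt and ca.key were already copied out of the kops state store as shown above; the subject policy, the file names, the api.example.invalid endpoint, the RUN_EXAMPLE switch and make_test_ca (a throwaway CA for trying the flow offline) are this example's own.

```shell
#!/usr/bin/env sh
# Added example, not from the original post. Issues a client certificate for a
# namespace user from the cluster CA, checks it, and writes a kubeconfig.

# The API server maps the certificate's CN to the user name and every O to a
# group. Refuse empty values, anything under the reserved "system:" prefix
# (O=system:masters is cluster-admin and bypasses every Role above), and
# slashes, which would inject extra RDNs into the -subj string.
check_subject() {
  cn="$1"; org="$2"
  case "$cn"  in ''|system:*|*/*) echo "refusing CN '$cn'" >&2; return 1 ;; esac
  case "$org" in ''|system:*|*/*) echo "refusing O '$org'" >&2; return 1 ;; esac
  return 0
}

# Throwaway self-signed CA (NAME.key / NAME.crt) for trying this offline.
# Never use it for a real cluster; the real CA comes from the kops state store.
make_test_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.crt" \
    -subj "/CN=test-ca" -days 1 >/dev/null 2>&1
}

# Subject line of a certificate, i.e. what the API server will see.
cert_subject() {
  openssl x509 -in "$1" -noout -subject
}

# Usage: issue_client_cert CN ORG DAYS CA_BASENAME OUT_BASENAME
# Generates OUT.key and OUT.csr, signs OUT.crt with CA.crt/CA.key, then
# verifies the chain and the subject before reporting success.
issue_client_cert() {
  cn="$1"; org="$2"; days="$3"; ca="$4"; out="$5"
  check_subject "$cn" "$org" || return 1
  openssl genrsa -out "$out.key" 4096 >/dev/null 2>&1 || return 1
  openssl req -new -key "$out.key" -out "$out.csr" -subj "/CN=$cn/O=$org" >/dev/null 2>&1 || return 1
  # -CAcreateserial keeps a serial file next to the CA cert; keep it with the
  # CA so two certificates never share a serial number.
  openssl x509 -req -in "$out.csr" -CA "$ca.crt" -CAkey "$ca.key" -CAcreateserial \
    -out "$out.crt" -days "$days" >/dev/null 2>&1 || return 1
  openssl verify -CAfile "$ca.crt" "$out.crt" >/dev/null 2>&1 || return 1
  cert_subject "$out.crt" | grep -q "CN *= *$cn" || return 1
}

# Usage: write_kubeconfig CLUSTER SERVER_URL CA_BASENAME USER OUT_FILE
# --embed-certs stores the CA and client material base64-encoded in the file,
# so one file is distributed and protected instead of four.
write_kubeconfig() {
  cluster="$1"; server="$2"; ca="$3"; user="$4"; out="$5"
  KUBECONFIG="$out" kubectl config set-cluster "$cluster" --server="$server" \
    --certificate-authority="$ca.crt" --embed-certs=true
  KUBECONFIG="$out" kubectl config set-credentials "$user" \
    --client-certificate="$user.crt" --client-key="$user.key" --embed-certs=true
  KUBECONFIG="$out" kubectl config set-context "$cluster" --cluster="$cluster" --user="$user"
  KUBECONFIG="$out" kubectl config use-context "$cluster"
  chmod 600 "$out"
}

# Set RUN_EXAMPLE=1 with ca.crt and ca.key in the working directory to run it.
# The endpoint below is a placeholder; use the real API server URL.
if [ "${RUN_EXAMPLE:-}" = 1 ]; then
  issue_client_cert qa-user-1 qa 365 ca qa-user-1 \
    && write_kubeconfig my-cluster https://api.example.invalid ca qa-user-1 qa-user-1.kubeconfig
fi
```

Because the API server has no revocation for client certificates, the two controls that matter are the subject check before signing and the validity period: a 365-day certificate for a departed engineer keeps working until it expires, so prefer shorter lifetimes and rotate on a schedule.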

Conclusion

Bonus

Emir Özbir