Scenario:
You have created kubernetes cluster using Kops. By default, Kops provide access to full cluster using admin user. If you have access to AWS S3 bucket where kubernetes cluster state is stored then running this command will set the context and kube config to allow access to cluster where the user will have full admin access-
kops export kubecfg --state s3://<BUCKET> --name=<CLUSTER_NAME>
Obviously this is not the right way to give access into production cluster to your team members. We will see in this solution how you can assign access to each team member based on what they are allowed to do (authorized) in the cluster.
Solution:
Assumption: As Kops creates a Bastion server to access Cluster nodes, so this article will be based on user created on Bastion server from where they will access kubernetes cluster.
Steps:
- Create user on bastion server (linux)
sudo adduser raavi
sudo su - raavi
2. This user will be allowed to view resources in cluster “kubectl get pods” but won’t be allowed to create resources like “kubectl create…”
3. Kops creates admin CA key and cert which are saved in S3 bucket. Get them from S3 bucket. Download them and rename to ca.crt and ca.key-
4. Using below commands, generate new CA for user raavi-
openssl genrsa -out raavi.key 4096 openssl req -new -key raavi.key -out raavi.csr -subj '/CN=raavi/O=developer' openssl x509 -req -in raavi.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out raavi.crt -days 900
Here private key raavi.key is generated. Using this key, create certificate signing request (raavi.csr). Using this raavi.csr, create certificate (raavi.crt) for this user (raavi) using cluster authority (use the ca.crt and ca.key which were downloaded earlier). In the command /CN=<represents username> and /O=<represents the group to which the user is assigned>
5. Create a Role (pod-reader). This Role grants read access to pods in the default namespace.
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: namespace: default name: pod-reader rules: - apiGroups: [""] # "" indicates the core API group resources: - pods verbs: - get - watch - list
6. Now create RoleBinding to bind Role (pod-reader) to user (raavi). You can create different Roles and bind with this user. User will be authenticated based on name in the certificate (/CN=).
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: namespace: default name: read-pods roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: pod-reader subjects: - apiGroup: rbac.authorization.k8s.io kind: User name: raavi
7. Now send the following three files to user (raavi) and ask to run following commands to set his kubeconfig.
–> raavi.crt
–> raavi.key
–>download the cert from s3 file bucket/cluster/pki/issued/master/XXXXXX.crt and rename it to ca_master.crt
kubectl config set-cluster <CLUSTER_NAME> --server=https://<URL> [Note: URL is where kubernetes master is running, kubectl cluster-info will give the information] kubectl config set-cluster <CLUSTER_NAME> --certificate-authority=ca_master.crt kubectl config set-credentials raavi --client-key=raavi.key --client-certificate=raavi.crt kubectl config set-context <CLUSTER_NAME> --user=raavi --cluster <CLUSTER_NAME> kubectl config use-context <CLUSTER_NAME>
Now user can run kubectl command to access resources in kubernetes cluster as per assigned ClusterRole to user.
You can change access in ClusterRole as required.