You have created kubernetes cluster using Kops. By default, Kops provide access to full cluster using admin user. If you have access to AWS S3 bucket where kubernetes cluster state is stored then running this command will set the context and kube config to allow access to cluster where the user will have full admin access-
Obviously this is not the right way to give access into production cluster to your team members. We will see in this solution how you can assign access to each team member based on what they are allowed to do (authorized) in the cluster.
Assumption: As Kops creates a Bastion server to access Cluster nodes, so this article will be based on user created on Bastion server from where they will access kubernetes cluster.
- Create user on bastion server (linux)
2. This user will be allowed to view resources in cluster “kubectl get pods” but won’t be allowed to create resources like “kubectl create…”
3. Kops creates admin CA key and cert which are saved in S3 bucket. Get them from S3 bucket. Download them and rename to ca.crt and ca.key-
4. Using below commands, generate new CA for user raavi-
Here private key raavi.key is generated. Using this key, create certificate signing request (raavi.csr). Using this raavi.csr, create certificate (raavi.crt) for this user (raavi) using cluster authority (use the ca.crt and ca.key which were downloaded earlier). In the command /CN=<represents username> and /O=<represents the group to which the user is assigned>
5. Create a Role (pod-reader). This Role grants read access to pods in the default namespace.
6. Now create RoleBinding to bind Role (pod-reader) to user (raavi). You can create different Roles and bind with this user. User will be authenticated based on name in the certificate (/CN=).
7. Now send the following three files to user (raavi) and ask to run following commands to set his kubeconfig.
–>download the cert from s3 file bucket/cluster/pki/issued/master/XXXXXX.crt and rename it to ca_master.crt
Now user can run kubectl command to access resources in kubernetes cluster as per assigned ClusterRole to user.
You can change access in ClusterRole as required.