forked from wardviaene/kubernetes-course
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
42acc19
commit e738a0f
Showing
3 changed files
with
58 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,20 @@ | ||
| ## Retrieve keys from kops | ||
| ``` | ||
| aws s3 sync s3://kops-state-b429b/kubernetes.newtech.academy/pki/private/ca/ ca-key | ||
| aws s3 sync s3://kops-state-b429b/kubernetes.newtech.academy/pki/issued/ca/ ca-crt | ||
| mv ca-key/*.key ca.key | ||
| mv ca-crt/*.crt ca.crt | ||
| ``` | ||
| ## Create new user | ||
| ``` | ||
| sudo apt install openssl | ||
| openssl genrsa -out edward.pem 2048 | ||
| openssl req -new -key edward.pem -out edward-csr.pem -subj "/CN=edward/O=myteam/" | ||
| openssl x509 -req -in edward-csr.pem -CA ca.crt -CAkey ca.key -CAcreateserial -out edward.crt -days 10000 | ||
| ``` | ||
|
|
||
| ## add new context | ||
| ``` | ||
| kubectl config set-credentials edward --client-certificate=edward.crt --client-key=edward.pem | ||
| kubectl config set-context edward --cluster=kubernetes.newtech.academy --user edward | ||
| ``` |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,12 @@ | ||
| apiVersion: rbac.authorization.k8s.io/v1 | ||
| kind: ClusterRoleBinding | ||
| metadata: | ||
| name: admin-user | ||
| roleRef: | ||
| apiGroup: rbac.authorization.k8s.io | ||
| kind: ClusterRole | ||
| name: cluster-admin | ||
| subjects: | ||
| - kind: User | ||
| name: "edward" | ||
| apiGroup: rbac.authorization.k8s.io |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,26 @@ | ||
| kind: Role | ||
| apiVersion: rbac.authorization.k8s.io/v1 | ||
| metadata: | ||
| namespace: default | ||
| name: pod-reader | ||
| rules: | ||
| - apiGroups: [""] | ||
| resources: ["pods"] | ||
| verbs: ["get", "watch", "list", "create", "update", "patch", "delete"] | ||
| - apiGroups: ["extensions", "apps"] | ||
| resources: ["deployments"] | ||
| verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] | ||
| --- | ||
| kind: RoleBinding | ||
| apiVersion: rbac.authorization.k8s.io/v1beta1 | ||
| metadata: | ||
| name: read-pods | ||
| namespace: default | ||
| subjects: | ||
| - kind: User | ||
| name: edward | ||
| apiGroup: rbac.authorization.k8s.io | ||
| roleRef: | ||
| kind: Role | ||
| name: pod-reader | ||
| apiGroup: rbac.authorization.k8s.io |