Kubernetes create ordinary users

Practice notes

​ To add an ordinary user to Kubernetes, there are currently two communication methods, one is external authentication, such as AD domain management, and the other is also commonly used in TLS and digital certificate communication scenarios. The latter is the basic security inside Kubernetes components. way of communication. The following operations use the latter to operate. In order to simplify the operation, the certificate and user creation configuration are scripted.

Practice

1. Preparation of the certificate signing request

$ cat bin/csr-gen.go 
package main 

import (
  "crypto/rand"
  "crypto/rsa"
  "crypto/x509"
  "crypto/x509/pkix"
  "encoding/asn1"
  "encoding/pem"
  "os"
)

func main() {
  name := os.Args[1]
  user := os.Args[2]

  key, err := rsa.GenerateKey(rand.Reader, 1024)
  if err != nil {
    panic(err)
  }

  keyDer := x509.MarshalPKCS1PrivateKey(key)
  keyBlock := pem.Block {
    Type: "RSA PRIVATE KEY",
    Bytes: keyDer,
  }
  keyFile, err := os.Create(name + "-key.pem")
  if err != nil {
    panic(err)
  }
  pem.Encode(keyFile, &keyBlock)
  keyFile.Close()

  //CN值，作为kubeconfig作为用户名使用，非常重要
  commonName := user
  emailAddress := "[email protected]"
  //用户组
  org := "kubernetes"
  orgUnit := "kubernetes"
  city := "GuangZhou"
  state := "WA"
  country := "CN"

  subject := pkix.Name {
    CommonName:          commonName,
    Country:             []string{country},
    Locality:            []string{city},
    Organization:        []string{org},
    OrganizationalUnit:  []string{orgUnit},
    Province:            []string{state},
  }
  asn1, err := asn1.Marshal(subject.ToRDNSequence())
  if err != nil {
     panic(err)
  }

  csr := x509.CertificateRequest{
     RawSubject:          asn1,
     EmailAddresses:      []string{emailAddress},
     SignatureAlgorithm:   x509.SHA256WithRSA,
  }

  bytes, err := x509.CreateCertificateRequest(rand.Reader, &csr, key)
  if err != nil {
     panic(err)
  }
  csrFile, err := os.Create(name + ".csr")
  if err != nil {
    panic(err)
  }

  pem.Encode(csrFile, &pem.Block{Type: "CERTIFICATE REQUEST", Bytes:bytes})
  csrFile.Close()
}
$ cat bin/k8s-gen-cert.sh 
#!/bin/bash

#向K8s发起证书申请请求名称
csr_name="my-client-usr"

#Kubeconfig 用户标识名称
name="${1:-lvzhiqiang}"

#证书申请文件
csr="${2}"

cat <<EOF | kubectl create -f -
apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
metadata:
  name: ${csr_name}
spec:
  groups:
  - system:authenticated
  request: $(cat ${csr} | base64 | tr -d '\n')
  usages:
  - digital signature
  - key encipherment
  - client auth
EOF

echo
echo "Approving signing request."
kubectl certificate approve ${csr_name}

echo 
echo "Downloading certificate."
kubectl get csr ${csr_name} -o jsonpath='{.status.certificate}' \
  | base64 --decode > $(basename ${csr} .csr).crt

echo 
echo "Cleaning up"
kubectl delete csr ${csr_name}

echo 
echo "Add the following to the 'users' list in your kubeconfig file:"
echo "- name: ${name}"
echo "  user:"
echo "    client-certficate: ${PWD}/$(basename ${csr} .csr).crt"
echo "    client-key: ${PWD}/$(basename ${csr} .csr)-key.pem"
echo 
echo "Next you may want to add role-binding for this user."
$ kubectl delete csr my-client-usr
$ go version 
go version go1.15.7 linux/amd64
$ go run  bin/csr-gen.go client lvzhiqiang
$ sh bin/k8s-gen-cert.sh lvzhiqiang client.csr
certificatesigningrequest.certificates.k8s.io/my-client-usr created

#同意签署请求
Approving signing request.
certificatesigningrequest.certificates.k8s.io/my-client-usr approved
#下载CRT证书文件
Downloading certificate.

Cleaning up
certificatesigningrequest.certificates.k8s.io "my-client-usr" deleted

Add the following to the 'users' list in your kubeconfig file:
- name: lvzhiqiang
  user:
    #客户端证书文件和Key
    client-certficate: /root/create-k8s-user/client.crt
    client-key: /root/create-k8s-user/client-key.pem

Next you may want to add role-binding for this user.

2. Configure Kubeconfig and namespace

$ kubectl config set-credentials lvzhiqiang --client-key=/root/create-k8s-user/client-key.pem --client-certificate=/root/create-k8s-user/client.crt --embed-certs=true
$ kubectl config set-context lvzhiqiang --cluster=kubernetes --user=lvzhiqiang
$ ns="developer"
$ kubectl create namespace ${ns}
$ kubectl annotate namespace ${ns} annotation_key=annotation_value

3. Role binding

$ cat rolebinding.yaml 
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: developer
  namespace: developer
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: edit
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: lvzhiqiang
$ kubectl apply  -f rolebinding.yaml

4. Testing

$ kubectl run demo-dev01 --image=nginx:latest -n developer
$ kubectl config use-context lvzhiqiang 
$ kubectl get pods -n developer #这里要指定命名空间，除非在kubeconfig配置的时候指定了默认命名空间
NAME         READY   STATUS    RESTARTS   AGE
demo-dev01   1/1     Running   0          21m

5. Supplement

Copy a copy of /root/.kube/config, then remove the configuration information about the administrator in the file, keep the ordinary user information just created, and then copy it to other development users.

Practical reference

1.https://kubernetes.io/zh/docs/reference/access-authn-authz/certificate-signing-requests/
2.https://kubernetes.io/zh/docs/reference/access-authn-authz/rbac/#user-facing-roles

3. "Kubernetes Actual Combat"