K8s-users: Difference between revisions
Jump to navigation
Jump to search
(→code) |
|||
| Line 2: | Line 2: | ||
* Execute : | * Execute : | ||
<syntaxhighlight lang="bash"> | <syntaxhighlight lang="bash"> | ||
mkdir -p ~/old &&\ | |||
cd ~/old &&\ | |||
curl https://infocepo.com/wiki/index.php/Special:Export/K8s-users 2>/dev/null |tac |sed -r '0,/'"#"'24cc42#/d' |tac |sed -r '0,/'"#"'24cc42#/d' |sed 's/'"&"'amp;/\&/g;s/'"&"'gt;/>/g;s/'"&"'lt;/</g' > | curl https://infocepo.com/wiki/index.php/Special:Export/K8s-users 2>/dev/null |tac |sed -r '0,/'"#"'24cc42#/d' |tac |sed -r '0,/'"#"'24cc42#/d' |sed 's/'"&"'amp;/\&/g;s/'"&"'gt;/>/g;s/'"&"'lt;/</g' >$$ &&\ | ||
bash | bash $$ &&\ | ||
cd - | |||
</syntaxhighlight> | </syntaxhighlight> | ||
====code==== | ====code==== | ||
Revision as of 12:59, 9 February 2023
AUTOMATED
- Execute :
mkdir -p ~/old &&\
cd ~/old &&\
curl https://infocepo.com/wiki/index.php/Special:Export/K8s-users 2>/dev/null |tac |sed -r '0,/'"#"'24cc42#/d' |tac |sed -r '0,/'"#"'24cc42#/d' |sed 's/'"&"'amp;/\&/g;s/'"&"'gt;/>/g;s/'"&"'lt;/</g' >$$ &&\
bash $$ &&\
cd -
code
#24cc42#
cd
mkdir old
cd old
bashRc=$(find /etc -type f -name "*bashrc" )
sed -i '/kube/d' /home/*/.bashrc ${bashRc}
echo 'export KUBECONFIG=${HOME}/.kube/config' >>${bashRc}
cat /etc/passwd |grep :/home/ |cut -d':' -f1 |while read userLogin ;do
nameSpace=infra-${userLogin}
apiUrl=$(cat ${KUBECONFIG} |sed -rn 's#^[[:space:]]*server:[[:space:]]*([[:graph:]]+)[[:space:]]*$#\1#p' |tail -1 )
userHome=$(cat /etc/passwd |grep ^${userLogin}: |cut -d: -f6 )
#https://openshift.tips/certificates/
openssl req -new -nodes -subj "/CN=${userLogin}" \
-keyout private.key -out request.csr
cat <<EOF |kubectl --validate=false apply -f -
kind: User
apiVersion: user.openshift.io/v1
metadata:
name: "${userLogin}"
groups: null
EOF
#https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/#normal-user
cat <<EOF |kubectl apply -f -
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
name: ${userLogin}
spec:
request: $(cat request.csr |base64 |tr -d '\n' )
signerName: kubernetes.io/kube-apiserver-client
expirationSeconds: 86400 # one day
usages:
- client auth
EOF
kubectl certificate approve ${userLogin}
kubectl get csr ${userLogin} -o jsonpath='{.status.certificate}'|base64 -d >signed.crt
kubectl create namespace ${nameSpace}
kubectl create rolebinding admin --clusterrole=admin --user=${userLogin} --namespace=${nameSpace}
apiUri=$(echo $apiUrl |cut -d'/' -f3 |tr '.' '-' )
mkdir -p ${userHome}/.kube
cat <<EOT >${userHome}/.kube/config
apiVersion: v1
clusters:
- cluster:
insecure-skip-tls-verify: true
server: ${apiUrl}
name: ${apiUri}
contexts:
- context:
cluster: ${apiUri}
namespace: ${nameSpace}
user: ${userLogin}/${apiUri}
name: ${nameSpace}/${apiUri}/${userLogin}
current-context: ${nameSpace}/${apiUri}/${userLogin}
kind: Config
preferences: {}
users:
- name: ${userLogin}/${apiUri}
user:
client-certificate-data: $(cat signed.crt |base64 |tr -d '\n' )
client-key-data: $(cat private.key |base64 |tr -d '\n' )
EOT
chmod 660 -R ${userHome}/.kube
chown ${userLogin}: -R ${userHome}/.kube
cp -aZ ${userHome}/.kube/config ${userHome}/.kubeconfig
done
#24cc42#