K8s-users: Difference between revisions
(→code) |
(→code) |
Line 26: | Line 26: | ||
userHome=$(cat /etc/passwd |grep ^${userLogin}: |cut -d: -f6 ) | userHome=$(cat /etc/passwd |grep ^${userLogin}: |cut -d: -f6 ) | ||
#https://openshift.tips/certificates/ | #https://openshift.tips/certificates/ | ||
rm -f | #rm -f ${userLogin}.key ${userLogin}.csr | ||
openssl req -new -nodes -subj "/CN=${userLogin}" \ | openssl req -new -nodes -subj "/CN=${userLogin}" \ | ||
-keyout | -keyout ${userLogin}.key -out ${userLogin}.csr | ||
#cat <<EOF |kubectl --validate=false apply -f - | #cat <<EOF |kubectl --validate=false apply -f - | ||
#kind: User | #kind: User | ||
Line 43: | Line 43: | ||
name: ${userLogin} | name: ${userLogin} | ||
spec: | spec: | ||
request: $(cat | request: $(cat ${userLogin}.csr |base64 |tr -d '\n' ) | ||
signerName: kubernetes.io/kube-apiserver-client | signerName: kubernetes.io/kube-apiserver-client | ||
expirationSeconds: 86400 # one day | expirationSeconds: 86400 # one day | ||
Line 50: | Line 50: | ||
EOF | EOF | ||
kubectl certificate approve ${userLogin} | kubectl certificate approve ${userLogin} | ||
kubectl get csr ${userLogin} -o jsonpath='{.status.certificate}'|base64 -d > | kubectl get csr ${userLogin} -o jsonpath='{.status.certificate}'|base64 -d >${userLogin}.crt | ||
kubectl create namespace ${nameSpace} | kubectl create namespace ${nameSpace} | ||
kubectl create rolebinding ${userLogin} --clusterrole=admin --user=${userLogin} --namespace=${nameSpace} | kubectl create rolebinding ${userLogin} --clusterrole=admin --user=${userLogin} --namespace=${nameSpace} | ||
Line 74: | Line 74: | ||
- name: ${userLogin}/${apiUri} | - name: ${userLogin}/${apiUri} | ||
user: | user: | ||
client-certificate-data: $(cat | client-certificate-data: $(cat ${userLogin}.crt |base64 |tr -d '\n' ) | ||
client-key-data: $(cat | client-key-data: $(cat ${userLogin}.key |base64 |tr -d '\n' ) | ||
EOT | EOT | ||
chmod ug+rw,o="" -R ${userHome}/.kube | chmod ug+rw,o="" -R ${userHome}/.kube |
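Review bot: The private key written by the restored `-keyout ${userLogin}.key` line in the first hunk (Line 26) is created in the working directory with the caller's default umask and is never removed, because the `rm -f` cleanup directly above it stays commented out; the same unencrypted key is then embedded into `.kube/config` in the last hunk, so two copies persist after the run. A `umask 077` before the `openssl req` call keeps the scratch copy root-only, and `rm -f ${userLogin}.key ${userLogin}.csr ${userLogin}.crt` once the config has been written removes it entirely. In the third hunk (Line 50), reading `.status.certificate` immediately after `kubectl certificate approve` can return an empty value because the signer acts asynchronously after approval, which leaves an empty `.crt` and a broken kubeconfig; a bounded poll until the field is populated avoids that. The enclosing `while read` loop starts and ends outside these hunks.
```shell
kubectl certificate approve ${userLogin}
# signing is asynchronous: wait (bounded) until the certificate is issued
crt=""
for attempt in $(seq 1 30) ;do
crt=$(kubectl get csr ${userLogin} -o jsonpath='{.status.certificate}')
[ -n "${crt}" ] && break
sleep 1
done
echo "${crt}" |base64 -d >${userLogin}.crt
# … unchanged: namespace and rolebinding creation …
```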
Revision as of 16:04, 9 February 2023
AUTOMATED
- Execute:
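# Fetch the script between the marker comments from the wiki export, decode the
# XML entities and run it. curl -f makes an HTTP error produce no output (and
# -S still reports it), so an error page is never handed to bash; the size
# check stops the chain when nothing usable was extracted.
mkdir -p ~/old &&\
cd ~/old &&\
curl -fsS https://infocepo.com/wiki/index.php/Special:Export/K8s-users |tac |sed -r '0,/'"#"'24cc42#/d' |tac |sed -r '0,/'"#"'24cc42#/d' |sed 's/'"&"'amp;/\&/g;s/'"&"'gt;/>/g;s/'"&"'lt;/</g' >$$ &&\
[ -s $$ ] &&\
bash $$ &&\
cd -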
code
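#24cc42#
# For each local login, obtain a client certificate signed through the
# Kubernetes CertificateSigningRequest API and write a kubeconfig to
# ${userHome}/.kube/config that is admin of a dedicated namespace
# (infra-<login>). Must run as root with an admin kubeconfig reachable
# through KUBECONFIG (default: ~/.kube/config). Set userList (one login per
# line) to restrict the set of users; otherwise every /home/ account in
# /etc/passwd is processed. Re-runnable: a CSR left by a previous run is
# replaced and namespace/rolebinding creation is applied, not re-created.
#
# Scratch files (.key/.csr/.crt) are created under ~/old, readable by root
# only, and deleted once key and certificate are embedded in the kubeconfig.
umask 077
cd
mkdir -p old
cd old
# An unset KUBECONFIG would make the server/CA extraction below read stdin
# (the user list) instead of a file; mirror kubectl's own default location.
KUBECONFIG=${KUBECONFIG:-${HOME}/.kube/config}
export KUBECONFIG
bashRc=$(find /etc -type f -name "*bashrc" |grep -vw /etc/skel/ )
sed -i '/kube/d' /home/*/.bashrc ${bashRc}
# bashRc may list several files; a multi-word redirect target is an error.
for rcFile in ${bashRc} ;do
echo 'export KUBECONFIG=${HOME}/.kube/config' >>"${rcFile}"
done
# Server URL and CA of the admin cluster. tail -1 keeps the last cluster
# entry, as before; the CA is assumed to belong to that same entry.
apiUrl=$(sed -rn 's#^[[:space:]]*server:[[:space:]]*([[:graph:]]+)[[:space:]]*$#\1#p' "${KUBECONFIG}" |tail -1 )
caData=$(sed -rn 's#^[[:space:]]*certificate-authority-data:[[:space:]]*([[:graph:]]+)[[:space:]]*$#\1#p' "${KUBECONFIG}" |tail -1 )
if [ -z "${caData}" ] ;then
caFile=$(sed -rn 's#^[[:space:]]*certificate-authority:[[:space:]]*([[:graph:]]+)[[:space:]]*$#\1#p' "${KUBECONFIG}" |tail -1 )
[ -n "${caFile}" ] && [ -r "${caFile}" ] && caData=$(base64 <"${caFile}" |tr -d '\n' )
fi
# Verify the API server certificate whenever a CA is available; fall back to
# the previous unverified connection only when none could be found.
if [ -n "${caData}" ] ;then
clusterAuth="certificate-authority-data: ${caData}"
else
clusterAuth="insecure-skip-tls-verify: true"
fi
# host[:port] with dots replaced; used as a cluster/context name component.
apiUri=$(echo "${apiUrl}" |cut -d'/' -f3 |tr '.' '-' )
if [ -z "${userList}" ] ;then
grep :/home/ /etc/passwd |cut -d: -f1
else
echo "${userList}"
fi |while read -r userLogin ;do
[ -z "${userLogin}" ] && continue
nameSpace=infra-${userLogin}
# An empty home would otherwise turn the paths below into /.kube.
userHome=$(getent passwd "${userLogin}" |cut -d: -f6 )
if [ -z "${userHome}" ] ;then
echo "skip ${userLogin}: no home directory found" >&2
continue
fi
#https://openshift.tips/certificates/
rm -f "${userLogin}.key" "${userLogin}.csr" "${userLogin}.crt"
openssl req -new -nodes -subj "/CN=${userLogin}" \
-keyout "${userLogin}.key" -out "${userLogin}.csr"
#cat <<EOF |kubectl --validate=false apply -f -
#kind: User
#apiVersion: user.openshift.io/v1
#metadata:
# name: "${userLogin}"
#groups: null
#EOF
#https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/#normal-user
# spec.request is immutable: drop a CSR left by a previous run so the new
# key is not paired with an old certificate.
kubectl delete csr "${userLogin}" --ignore-not-found
cat <<EOF |kubectl apply -f -
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: ${userLogin}
spec:
  request: $(base64 <"${userLogin}.csr" |tr -d '\n' )
  signerName: kubernetes.io/kube-apiserver-client
  expirationSeconds: 86400 # one day
  usages:
  - client auth
EOF
kubectl certificate approve "${userLogin}"
# Signing happens asynchronously after approval: poll (bounded) until
# .status.certificate is populated instead of writing an empty .crt.
crtData=""
for attempt in $(seq 1 30) ;do
crtData=$(kubectl get csr "${userLogin}" -o jsonpath='{.status.certificate}')
[ -n "${crtData}" ] && break
sleep 1
done
if [ -z "${crtData}" ] ;then
echo "skip ${userLogin}: certificate not issued" >&2
continue
fi
echo "${crtData}" |base64 -d >"${userLogin}.crt"
# dry-run + apply keeps these idempotent on re-runs (plain create fails
# with AlreadyExists).
kubectl create namespace "${nameSpace}" --dry-run=client -o yaml |kubectl apply -f -
kubectl create rolebinding "${userLogin}" --clusterrole=admin --user="${userLogin}" --namespace="${nameSpace}" --dry-run=client -o yaml |kubectl apply -f -
mkdir -p "${userHome}/.kube"
cat <<EOT >"${userHome}/.kube/config"
apiVersion: v1
clusters:
- cluster:
    ${clusterAuth}
    server: ${apiUrl}
  name: ${apiUri}
contexts:
- context:
    cluster: ${apiUri}
    namespace: ${nameSpace}
    user: ${userLogin}/${apiUri}
  name: ${nameSpace}/${apiUri}/${userLogin}
current-context: ${nameSpace}/${apiUri}/${userLogin}
kind: Config
preferences: {}
users:
- name: ${userLogin}/${apiUri}
  user:
    client-certificate-data: $(base64 <"${userLogin}.crt" |tr -d '\n' )
    client-key-data: $(base64 <"${userLogin}.key" |tr -d '\n' )
EOT
# Files end up 660 and directories 770 for owner and group, nothing for others.
chmod ug+rw,o="" -R "${userHome}/.kube"
find "${userHome}/.kube" -xdev -type d -exec chmod ug+x {} \;
chown "${userLogin}": -R "${userHome}/.kube"
cp -aZ "${userHome}/.kube/config" "${userHome}/.kubeconfig"
# Key and certificate now live only in the user's kubeconfig.
rm -f "${userLogin}.key" "${userLogin}.csr" "${userLogin}.crt"
done
#24cc42#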