K8s-users: Difference between revisions
Revision as of 15:19, 13 February 2023
AUTOMATED
- Define :
<syntaxhighlight lang="bash">
export usersList=
</syntaxhighlight>
- Execute :
<syntaxhighlight lang="bash">
mkdir -p ~/old &&\
cd ~/old &&\
curl https://infocepo.com/wiki/index.php/Special:Export/K8s-users 2>/dev/null |tac |sed -r '0,/'"#"'24cc42#/d' |tac |sed -r '0,/'"#"'24cc42#/d' |sed 's/'"&"'amp;/\&/g;s/'"&"'gt;/>/g;s/'"&"'lt;/</g' >$$ &&\
bash $$ &&\
cd -
</syntaxhighlight>
<syntaxhighlight lang="bash">
#24cc42#
cd
mkdir -p old
cd old
# Point every login shell at the per-user kubeconfig; existing kube lines are dropped first.
bashRc=$(find /etc -type f -name "*bashrc" |grep -vw /etc/skel/ )
sed -i '/kube/d' /home/*/.bashrc ${bashRc}
for rc in ${bashRc} ;do
  echo 'export KUBECONFIG=${HOME}/.kube/config' >>${rc}
done
# The admin kubeconfig used for the kubectl calls below (the bashrc export only applies to new shells).
export KUBECONFIG=${KUBECONFIG:-${HOME}/.kube/config}
if [ -z "${usersList}" ] ;then
  cat /etc/passwd |grep :/home/ |cut -d':' -f1
else
  echo "${usersList}" |tr ' ' '\n'   # one login per line, or space separated
fi |while read userLogin ;do
  nameSpace=infra-${userLogin}
  apiUrl=$(cat ${KUBECONFIG} |sed -rn 's#^[[:space:]]*server:[[:space:]]*([[:graph:]]+)[[:space:]]*$#\1#p' |tail -1 )
  userHome=$(cat /etc/passwd |grep ^${userLogin}: |cut -d: -f6 )
  #https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/#normal-user
  openssl req -new -nodes -subj "/CN=${userLogin}" \
    -keyout ${userLogin}.key -out ${userLogin}.csr
  kubectl delete csr ${userLogin} --ignore-not-found
  cat <<EOF |kubectl apply -f -
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: ${userLogin}
spec:
  request: $(cat ${userLogin}.csr |base64 |tr -d '\n' )
  signerName: kubernetes.io/kube-apiserver-client
  expirationSeconds: 86400 # one day
  usages:
  - client auth
EOF
  kubectl certificate approve ${userLogin} &&sleep 2 &&\
  kubectl get csr ${userLogin} -o jsonpath='{.status.certificate}'|base64 -d >${userLogin}.crt
  kubectl create namespace ${nameSpace}
  kubectl create rolebinding ${userLogin} --clusterrole=admin --user=${userLogin} --namespace=${nameSpace}
  #NAMESPACE NETWORK ISOLATION
  # allow-same-namespace selects every pod, so anything not re-admitted below is denied.
  cat <<EOF |kubectl -n ${nameSpace} apply -f -
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: allow-same-namespace
spec:
  podSelector:
    matchLabels:
  ingress:
  - from:
    - podSelector: {}
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-ingress
spec:
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: ingress
  podSelector: {}
  policyTypes:
  - Ingress
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-openshift-ingress
spec:
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          policy-group.network.openshift.io/ingress: ""
  podSelector: {}
  policyTypes:
  - Ingress
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-openshift-monitoring
spec:
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          network.openshift.io/policy-group: monitoring
  podSelector: {}
  policyTypes:
  - Ingress
EOF
  #KUBECONFIG
  apiUri=$(echo $apiUrl |cut -d'/' -f3 |tr '.' '-' )
  mkdir -p ${userHome}/.kube
  cat <<EOT >${userHome}/.kube/config
apiVersion: v1
clusters:
- cluster:
    # disables API server certificate verification; prefer certificate-authority-data where available
    insecure-skip-tls-verify: true
    server: ${apiUrl}
  name: ${apiUri}
contexts:
- context:
    cluster: ${apiUri}
    namespace: ${nameSpace}
    user: ${userLogin}/${apiUri}
  name: ${nameSpace}/${apiUri}/${userLogin}
current-context: ${nameSpace}/${apiUri}/${userLogin}
kind: Config
preferences: {}
users:
- name: ${userLogin}/${apiUri}
  user:
    client-certificate-data: $(cat ${userLogin}.crt |base64 |tr -d '\n' )
    client-key-data: $(cat ${userLogin}.key |base64 |tr -d '\n' )
EOT
  # private key lives here: owner/group only, no access for others
  chmod ug+rw,o="" -R ${userHome}/.kube
  find ${userHome}/.kube -xdev -type d -exec chmod ug+x {} \;
  chown ${userLogin}: -R ${userHome}/.kube
  cp -aZ ${userHome}/.kube/config ${userHome}/.kubeconfig
done
#24cc42#
</syntaxhighlight>
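As an added example (not part of the wiki script above), the following simulates the Kubernetes ingress decision for the four NetworkPolicy objects the script applies to each infra-&lt;user&gt; namespace, so the isolation they provide can be checked before a cluster is touched. It assumes all four policies are Ingress-only (true of the YAML above, so policyTypes and egress handling are omitted) and uses constructed namespace labels.

```python
# Added example: simulate NetworkPolicy ingress evaluation for the page's four policies.
# Assumptions: Ingress-only policies (policyTypes/egress ignored); labels below are constructed.
TENANT_NS = "infra-alice"

# Constructed dict form of the four NetworkPolicy specs the script applies.
POLICIES = [
    {"name": "allow-same-namespace", "podSelector": {},
     "ingress": [{"from": [{"podSelector": {}}]}]},
    {"name": "allow-from-ingress", "podSelector": {},
     "ingress": [{"from": [{"namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": "ingress"}}}]}]},
    {"name": "allow-from-openshift-ingress", "podSelector": {},
     "ingress": [{"from": [{"namespaceSelector": {"matchLabels": {"policy-group.network.openshift.io/ingress": ""}}}]}]},
    {"name": "allow-from-openshift-monitoring", "podSelector": {},
     "ingress": [{"from": [{"namespaceSelector": {"matchLabels": {"network.openshift.io/policy-group": "monitoring"}}}]}]},
]


def selects(selector, labels):
    """matchLabels semantics: every pair must be present; an empty or null selector matches all."""
    return all(labels.get(k) == v for k, v in (selector.get("matchLabels") or {}).items())


def peer_matches(peer, src):
    """src = {"ns", "ns_labels", "pod_labels"} describing the connecting pod."""
    if "namespaceSelector" in peer:
        # namespaceSelector (optionally ANDed with podSelector) spans namespaces
        return selects(peer["namespaceSelector"], src["ns_labels"]) and \
            selects(peer.get("podSelector", {}), src["pod_labels"])
    # a bare podSelector is scoped to the policy's own namespace
    return src["ns"] == TENANT_NS and selects(peer.get("podSelector", {}), src["pod_labels"])


def ingress_allowed(policies, dst_pod_labels, src):
    """True if traffic from src may reach a tenant pod carrying dst_pod_labels."""
    isolated = False
    for pol in policies:
        if not selects(pol["podSelector"], dst_pod_labels):
            continue
        isolated = True  # at least one ingress policy selects the destination pod
        for rule in pol.get("ingress", []):
            # a rule with no 'from' admits every source; otherwise any matching peer admits it
            if not rule.get("from") or any(peer_matches(p, src) for p in rule["from"]):
                return True
    return not isolated  # no selecting policy at all: Kubernetes default is allow


if __name__ == "__main__":
    bob = {"ns": "infra-bob", "ns_labels": {"kubernetes.io/metadata.name": "infra-bob"}, "pod_labels": {}}
    print("pod in infra-bob can reach infra-alice:", ingress_allowed(POLICIES, {"app": "web"}, bob))
```

Dropping allow-same-namespace from the list shows the trap the ordering hides: the three allow-from-* policies still select every pod, so the tenant's own pods would then be blocked from each other.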
OPENAI summary
This script creates a new directory "old" in the home directory and changes into it. It then downloads the content of a URL (https://infocepo.com/wiki/index.php/Special:Export/K8s-users), extracts the script between the markers and saves it to a file, which is then executed by the command bash $$ (where $$ is the process id of the current shell). The script then changes back to the original directory and removes any line referring to kube from the .bashrc file of every user on the system.
The script then appends an export of the environment variable KUBECONFIG, the path to the Kubernetes cluster configuration file, to the system-wide bashrc. If the usersList environment variable is empty, it takes the list of all users with a home directory on the system; otherwise it uses the value of usersList. For each user, the script creates a new certificate signing request (CSR), approves it, retrieves the certificate, creates a new namespace in the Kubernetes cluster and binds the user to the admin role in that namespace only.
The script then creates several network policies for the namespace that define its network isolation: only pods in the same namespace and the ingress and monitoring namespaces may reach it. Finally, the script creates a new Kubernetes configuration file for the user, with the client certificate and key embedded, and saves it in the .kube directory of their home directory.