K8s-users: Difference between revisions

No edit summary
 
(40 intermediate revisions by the same user not shown)
Line 1: Line 1:
===AUTOMATED===
===AUTOMATED===
* Define :
<syntaxhighlight lang="bash">
export usersList=
</syntaxhighlight>
* Execute :
* Execute :
<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
touch /tmp/$$ &&\
mkdir -p ~/old &&\
chmod 770 /tmp/$$ &&\
cd ~/old &&\
curl https://infocepo.com/wiki/index.php/Special:Export/K8s-users 2>/dev/null |tac |sed -r '0,/'"#"'24cc42#/d' |tac |sed -r '0,/'"#"'24cc42#/d' |sed 's/'"&"'amp;/\&/g;s/'"&"'gt;/>/g;s/'"&"'lt;/</g' >/tmp/$$ &&\
curl https://infocepo.com/wiki/index.php/Special:Export/K8s-users 2>/dev/null |tac |sed -r '0,/'"#"'24cc42#/d' |tac |sed -r '0,/'"#"'24cc42#/d' |sed 's/'"&"'amp;/\&/g;s/'"&"'gt;/>/g;s/'"&"'lt;/</g' >$$ &&\
bash /tmp/$$ &&\
bash $$ &&\
rm -f /tmp/$$
cd - >/dev/null
</syntaxhighlight>
</syntaxhighlight>
====code====
====code====
Line 12: Line 16:
#24cc42#
#24cc42#
cd
cd
mkdir old
mkdir -p old
cd old
cd old
cat /etc/passwd |grep :/home/ |cut -d':' -f1 |while read userLogin ;do
#bashRc=$(find /etc -type f -name "*bashrc" |grep -vw /etc/skel/ |head -1 )
nameSpace=infra-${userLogin}
#sed -i '/kube/d' /home/*/.bashrc ${bashRc}
#echo 'export KUBECONFIG=${HOME}/.kube/config' >>${bashRc}
if [ -z "${usersList}" ] ;then
  cat /etc/passwd |grep :/home/ |cut -d':' -f1
else
  echo "${usersList}"
fi |while read userLogin ;do
grep 'export KUBECONFIG=${HOME}/.kube/config' /home/${userLogin}/.bashrc >/dev/null 2>&1 ||(echo 'export KUBECONFIG=${HOME}/.kube/config' >>/home/${userLogin}/.bashrc )
nameSpace=${userLogin}
apiUrl=$(cat ${KUBECONFIG} |sed -rn 's#^[[:space:]]*server:[[:space:]]*([[:graph:]]+)[[:space:]]*$#\1#p' |tail -1 )
apiUrl=$(cat ${KUBECONFIG} |sed -rn 's#^[[:space:]]*server:[[:space:]]*([[:graph:]]+)[[:space:]]*$#\1#p' |tail -1 )
userHome=$(cat /etc/passwd |grep -w ^${userLogin} |cut -d: -f6 )
userHome=$(cat /etc/passwd |grep ^${userLogin}: |cut -d: -f6 )
#https://openshift.tips/certificates/
#https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/#normal-user
openssl req -new -nodes -subj "/CN=${userLogin}" \
openssl req -new -nodes -subj "/CN=${userLogin}" \
   -keyout private.key -out request.csr
   -keyout ${userLogin}.key -out ${userLogin}.csr
cat <<EOF |kubectl --validate=false apply -f -
kubectl delete csr ${userLogin} 2>/dev/null
kind: User
apiVersion: user.openshift.io/v1
metadata:
  name: "${userLogin}"
groups: null
EOF
#https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/#normal-user
cat <<EOF |kubectl apply -f -
cat <<EOF |kubectl apply -f -
apiVersion: certificates.k8s.io/v1
apiVersion: certificates.k8s.io/v1
Line 35: Line 40:
   name: ${userLogin}
   name: ${userLogin}
spec:
spec:
   request: $(cat request.csr |base64 |tr -d '\n' )
   request: $(cat ${userLogin}.csr |base64 |tr -d '\n' )
   signerName: kubernetes.io/kube-apiserver-client
   signerName: kubernetes.io/kube-apiserver-client
   expirationSeconds: 86400  # one day
   expirationSeconds: 31536000 #86400  # one day
   usages:
   usages:
   - client auth
   - client auth
EOF
EOF
kubectl certificate approve ${userLogin}
kubectl certificate approve ${userLogin} &&sleep 2 &&\
kubectl get csr ${userLogin} -o jsonpath='{.status.certificate}'|base64 -d >signed.crt
kubectl get csr ${userLogin} -o jsonpath='{.status.certificate}'|base64 -d >${userLogin}.crt
kubectl create namespace ${nameSpace}
kubectl create namespace ${nameSpace} 2>/dev/null
kubectl create rolebinding admin --clusterrole=admin --user=${userLogin} --namespace=${nameSpace}
kubectl create rolebinding ${userLogin} --clusterrole=admin --user=${userLogin} --namespace=${nameSpace}
#NAMESPACE NETWORK ISOLATION
cat <<EOF |kubectl -n ${nameSpace} apply -f -
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: allow-same-namespace
spec:
  podSelector:
    matchLabels:
  ingress:
  - from:
    - podSelector: {}
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-ingress
spec:
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: ingress
  podSelector: {}
  policyTypes:
  - Ingress
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-observability
spec:
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: observability
  podSelector: {}
  policyTypes:
  - Ingress
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-openshift-ingress
spec:
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          policy-group.network.openshift.io/ingress: ""
  podSelector: {}
  policyTypes:
  - Ingress
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-openshift-monitoring
spec:
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          network.openshift.io/policy-group: monitoring
  podSelector: {}
  policyTypes:
  - Ingress
EOF
#KUBECONFIG
apiUri=$(echo $apiUrl |cut -d'/' -f3 |tr '.' '-' )
apiUri=$(echo $apiUrl |cut -d'/' -f3 |tr '.' '-' )
mkdir -p ${userHome}/kube
mkdir -p ${userHome}/.kube
cat <<EOT >${userHome}/kube/config
cat <<EOT >${userHome}/.kube/config
apiVersion: v1
apiVersion: v1
clusters:
clusters:
Line 66: Line 141:
- name: ${userLogin}/${apiUri}
- name: ${userLogin}/${apiUri}
   user:
   user:
     client-certificate-data: $(cat signed.crt |base64 |tr -d '\n' )
     client-certificate-data: $(cat ${userLogin}.crt |base64 |tr -d '\n' )
     client-key-data: $(cat private.key |base64 |tr -d '\n' )
     client-key-data: $(cat ${userLogin}.key |base64 |tr -d '\n' )
EOT
EOT
chmod 660 ${userHome}/kube/config
chmod ug+rw,o="" -R ${userHome}/.kube
chown ${userLogin}: ${userHome}/kube/config
find ${userHome}/.kube -xdev -type d -exec chmod ug+x {} \;
cp -aZ ${userHome}/kube/config ${userHome}/.kubeconfig
chown ${userLogin}: -R ${userHome}/.kube
cp -aZ ${userHome}/.kube/config ${userHome}/.kubeconfig
done
done
#24cc42#
#24cc42#
</syntaxhighlight>
</syntaxhighlight>
==OPENAI summary==
This script creates a new directory "old" in the home directory and changes to that directory. It then downloads the content of a URL (https://infocepo.com/wiki/index.php/Special:Export/K8s-users) and saves it to a file. The file is then executed by the command bash $$ (where $$ is the process id of the current shell). The script then changes back to the original directory and removes any reference to kube in the .bashrc file of all users in the system.
The script then goes on to define the environment variable KUBECONFIG which is the path to the Kubernetes cluster configuration file. If the usersList environment variable is empty, it retrieves the list of all users in the system, otherwise it uses the value of usersList. For each user, the script creates a new certificate signing request (CSR), approves it, retrieves the certificate and creates a new namespace in the Kubernetes cluster.
The script then creates several network policies for the namespace that are used to define network isolation for that namespace. Finally, the script creates a new Kubernetes configuration file for the user and saves it in the .kube directory in their home directory.
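Review bot: The new `expirationSeconds: 31536000 #86400  # one day` line keeps a comment that no longer matches the value, and it turns the user credentials into one-year certificates although certificates issued through the CSR API cannot be revoked; `expirationSeconds: 31536000  # one year; CSR-issued client certs cannot be revoked` would at least state the trade-off. The per-user `${userLogin}.key` files are written into ~/old and never removed or protected, and the new `chmod ug+rw,o="" -R ${userHome}/.kube` leaves the kubeconfig, which embeds `client-key-data`, group-readable; an `umask 077` at the top of the script and `chmod -R u=rwX,go= ${userHome}/.kube` would keep the private keys owner-only. In the Execute snippet `curl` runs without `-f`, so an HTTP error page would pass through the sed filters and, if anything survives them, be executed by `bash $$`; `curl -fsS` together with `[ -s $$ ] &&` before `bash $$` guards that. The `fi |while read userLogin ;do` loop these lines belong to starts and ends outside the shown hunks.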

Latest revision as of 06:37, 24 April 2024

AUTOMATED

  • Define:
# Logins to provision, one per line. Leave empty to process every account whose home is under /home.
export usersList=""
  • Execute:
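# Fetch the wiki export of this page, keep only the text between the two #24cc42# markers
# (the split quoting keeps the literal marker off this line), undo the XML entity escaping and
# run the result from ~/old, where the script also leaves its key files.
# curl -f: an HTTP error produces no body instead of an HTML error page flowing into the filters;
# the -s test then refuses to execute an empty extract (download failed or markers not found).
script=~/old/$$ &&\
mkdir -p ~/old &&\
cd ~/old &&\
curl -fsS https://infocepo.com/wiki/index.php/Special:Export/K8s-users |tac |sed -r '0,/'"#"'24cc42#/d' |tac |sed -r '0,/'"#"'24cc42#/d' |sed 's/'"&"'amp;/\&/g;s/'"&"'gt;/>/g;s/'"&"'lt;/</g' >"${script}" &&\
[ -s "${script}" ] &&\
bash "${script}" &&\
cd - >/dev/null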

code

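#24cc42#
# Provisions one Kubernetes/OpenShift account per local user: a client certificate signed through
# the CSR API, a namespace the user administers, ingress-only NetworkPolicies for that namespace,
# and a kubeconfig in the user's ~/.kube (also copied to ~/.kubeconfig).
# Inputs:  usersList              optional, one login per line; empty = every account whose home is under /home
#          certExpirationSeconds  optional, lifetime requested for the client certificates (default 31536000)
# Runs against the cluster of kubectl's current context and needs local privilege to write into the
# users' home directories. The per-user key, CSR and certificate files stay in ~/old of the invoking account.
cd
# Everything created below (private keys, CSRs, kubeconfigs) holds secrets: owner-only from the start.
umask 077
mkdir -p old
cd old
# Certificates issued through the CSR API cannot be revoked; keep the lifetime as short as practical.
: "${certExpirationSeconds:=31536000}"
# The CSRs are approved on the current context's cluster, so the generated kubeconfigs must point at
# the same one. --flatten turns a certificate-authority file into inline data, --raw keeps that data.
apiUrl=$(kubectl config view --raw --minify --flatten -o jsonpath='{.clusters[0].cluster.server}' )
caData=$(kubectl config view --raw --minify --flatten -o jsonpath='{.clusters[0].cluster.certificate-authority-data}' )
# host:port of the API with dots replaced; used as cluster and context name inside the kubeconfig
apiUri=$(printf '%s' "${apiUrl}" |cut -d'/' -f3 |tr '.' '-' )
if [ -z "${usersList}" ] ;then
  awk -F: '$6 ~ "^/home/" {print $1}' /etc/passwd
else
  printf '%s\n' "${usersList}"
fi |while read -r userLogin ;do
  [ -n "${userLogin}" ] || continue
  nameSpace=${userLogin}
  userHome=$(awk -F: -v u="${userLogin}" '$1 == u {print $6; exit}' /etc/passwd )
  # An unknown login would otherwise expand ${userHome}/.kube to /.kube.
  if [ -z "${userHome}" ] ;then
    printf 'skipping %s: not found in /etc/passwd\n' "${userLogin}" >&2
    continue
  fi
  # Point the user's shell at the kubeconfig written below (the line is added once).
  grep -qF 'export KUBECONFIG=${HOME}/.kube/config' "${userHome}/.bashrc" 2>/dev/null ||echo 'export KUBECONFIG=${HOME}/.kube/config' >>"${userHome}/.bashrc"
  #https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/#normal-user
  openssl req -new -nodes -subj "/CN=${userLogin}" \
    -keyout "${userLogin}.key" -out "${userLogin}.csr"
  # A leftover CSR of the same name would keep its old request; start from a fresh object.
  kubectl delete csr "${userLogin}" 2>/dev/null
  cat <<EOF |kubectl apply -f -
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: ${userLogin}
spec:
  request: $(base64 <"${userLogin}.csr" |tr -d '\n' )
  signerName: kubernetes.io/kube-apiserver-client
  expirationSeconds: ${certExpirationSeconds}
  usages:
  - client auth
EOF
  kubectl certificate approve "${userLogin}"
  # .status.certificate is filled in asynchronously after approval: poll (bounded) instead of a fixed sleep.
  signedCert=
  for attempt in 1 2 3 4 5 6 7 8 9 10 ;do
    signedCert=$(kubectl get csr "${userLogin}" -o jsonpath='{.status.certificate}' )
    [ -n "${signedCert}" ] && break
    sleep 1
  done
  if [ -z "${signedCert}" ] ;then
    printf 'skipping %s: CSR was not signed\n' "${userLogin}" >&2
    continue
  fi
  printf '%s' "${signedCert}" |base64 -d >"${userLogin}.crt"
  # create --dry-run piped into apply keeps both steps idempotent on re-runs.
  kubectl create namespace "${nameSpace}" --dry-run=client -o yaml |kubectl apply -f -
  kubectl create rolebinding "${userLogin}" --clusterrole=admin --user="${userLogin}" --namespace="${nameSpace}" --dry-run=client -o yaml |kubectl apply -f -
  #NAMESPACE NETWORK ISOLATION
  # Ingress is limited to pods of the same namespace plus the ingress and monitoring/observability
  # namespaces (vanilla and OpenShift label conventions); egress is left unrestricted.
  cat <<EOF |kubectl -n "${nameSpace}" apply -f -
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: allow-same-namespace
spec:
  podSelector:
    matchLabels:
  ingress:
  - from:
    - podSelector: {}
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-ingress
spec:
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: ingress
  podSelector: {}
  policyTypes:
  - Ingress
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-observability
spec:
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: observability
  podSelector: {}
  policyTypes:
  - Ingress
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-openshift-ingress
spec:
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          policy-group.network.openshift.io/ingress: ""
  podSelector: {}
  policyTypes:
  - Ingress
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-openshift-monitoring
spec:
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          network.openshift.io/policy-group: monitoring
  podSelector: {}
  policyTypes:
  - Ingress
EOF
  #KUBECONFIG
  # The admin context's CA is embedded so the user's kubectl verifies the API server; only when that
  # context carries no CA does the file fall back to insecure-skip-tls-verify.
  mkdir -p "${userHome}/.kube"
  cat <<EOT >"${userHome}/.kube/config"
apiVersion: v1
clusters:
- cluster:
$(if [ -n "${caData}" ] ;then printf '    certificate-authority-data: %s' "${caData}" ;else printf '    insecure-skip-tls-verify: true' ;fi )
    server: ${apiUrl}
  name: ${apiUri}
contexts:
- context:
    cluster: ${apiUri}
    namespace: ${nameSpace}
    user: ${userLogin}/${apiUri}
  name: ${nameSpace}/${apiUri}/${userLogin}
current-context: ${nameSpace}/${apiUri}/${userLogin}
kind: Config
preferences: {}
users:
- name: ${userLogin}/${apiUri}
  user:
    client-certificate-data: $(base64 <"${userLogin}.crt" |tr -d '\n' )
    client-key-data: $(base64 <"${userLogin}.key" |tr -d '\n' )
EOT
  # The config embeds the private key: owner-only on the whole tree (also tightens pre-existing
  # files), directories keep their search bit, then the tree is handed to the user.
  chmod -R u=rwX,go= "${userHome}/.kube"
  chown -R "${userLogin}": "${userHome}/.kube"
  cp -aZ "${userHome}/.kube/config" "${userHome}/.kubeconfig"
done
#24cc42#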

OPENAI summary

This script creates a new directory "old" in the home directory and changes to that directory. It then downloads the content of a URL (https://infocepo.com/wiki/index.php/Special:Export/K8s-users) and saves it to a file. The file is then executed by the command bash $$ (where $$ is the process id of the current shell). The script then changes back to the original directory and removes any reference to kube in the .bashrc file of all users in the system.

The script then goes on to define the environment variable KUBECONFIG which is the path to the Kubernetes cluster configuration file. If the usersList environment variable is empty, it retrieves the list of all users in the system, otherwise it uses the value of usersList. For each user, the script creates a new certificate signing request (CSR), approves it, retrieves the certificate and creates a new namespace in the Kubernetes cluster.

The script then creates several network policies for the namespace that are used to define network isolation for that namespace. Finally, the script creates a new Kubernetes configuration file for the user and saves it in the .kube directory in their home directory.