K8s-users: Difference between revisions

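--- a/K8s-users
+++ b/K8s-users
@@ -21,6 +21,4 @@
 openssl req -new -nodes -subj "/CN=${userLogin}" \
    -keyout private.key -out request.csr
-kubectl create namespace ${nameSpace}
-kubectl create rolebinding admin --clusterrole=admin --user=${userLogin} --namespace=${nameSpace}
 cat <<EOF |kubectl --validate=false apply -f -
 kind: User
@@ -45,4 +43,6 @@
 kubectl certificate approve ${userLogin}
 kubectl get csr ${userLogin} -o jsonpath='{.status.certificate}'|base64 -d >signed.crt
+kubectl create namespace ${nameSpace}
+kubectl create rolebinding admin --clusterrole=admin --user=${userLogin} --namespace=${nameSpace}
 apiUri=$(echo $apiUrl |cut -d'/' -f3 |tr '.' '-' )
 mkdir -p ${userHome}/kube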
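Review bot: The relocated `kubectl create namespace` and `kubectl create rolebinding admin --clusterrole=admin ...` lines still run unconditionally, so the user is bound to namespace admin even when the approval failed or `.status.certificate` was still empty when `kubectl get csr` ran. Gate them on the certificate with `[ -s signed.crt ] || continue` placed just before the two lines; the enclosing `while read` loop starts and ends outside the hunk. Both commands are `create`, so a second run of the script reports an error for every namespace and binding that already exists. `${userLogin}` and `${nameSpace}` are also expanded unquoted.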

Revision as of 10:32, 9 February 2023

AUTOMATED

  • Execute :
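# Fetch this page's wiki export, keep only the text between the two marker
# lines, undo the XML escaping of & > <, and run the result with bash.
#
# NOTE(review): this executes whatever the wiki page contains at download
# time. Read "${workDir}/script.sh" (or compare it with a copy you trust)
# before letting the bash step run, and prefer a version-controlled copy of
# the script for anything beyond a lab.
#
# mktemp -d creates an unpredictable, owner-only directory, so another local
# user cannot pre-create or swap the script the way a fixed /tmp/$$ name
# allows. curl -f turns an HTTP error into a failure instead of feeding an
# error page to bash, and -sS hides the progress meter but keeps real errors.
# The "[ -s ... ]" test stops before bash if the markers were not found.
workDir=$(mktemp -d) &&
curl -fsS -o "${workDir}/export.xml" https://infocepo.com/wiki/index.php/Special:Export/K8s-users &&
tac "${workDir}/export.xml" |sed -r '0,/'"#"'24cc42#/d' |tac |sed -r '0,/'"#"'24cc42#/d' |sed 's/'"&"'amp;/\&/g;s/'"&"'gt;/>/g;s/'"&"'lt;/</g' >"${workDir}/script.sh" &&
[ -s "${workDir}/script.sh" ] &&
bash "${workDir}/script.sh"
# Clean up whether or not the run succeeded; skipped if mktemp itself failed.
[ -n "${workDir}" ] && rm -rf "${workDir}"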

code

#24cc42#
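# For every local account whose home directory is under /home: register an
# OpenShift User, issue a one-day client certificate through the Kubernetes
# CSR API, create an "infra-<login>" namespace with the admin ClusterRole
# bound to the user, and write a kubeconfig holding those credentials.
# Runs kubectl against the current context and writes into each user's home
# (presumably as root; confirm).

# Private keys and kubeconfigs are created owner-only (files 0600, dirs 0700).
umask 077

cd || exit 1
mkdir -p old && cd old || exit 1

# An unset KUBECONFIG would leave a bare "cat" reading stdin, which inside the
# loop is the list of logins; fall back to kubectl's default path instead.
kubeConfigFile=${KUBECONFIG:-${HOME}/.kube/config}
# Last "server:" entry of the admin kubeconfig. It is the same for every
# user, so it is computed once rather than per iteration.
apiUrl=$(sed -rn 's#^[[:space:]]*server:[[:space:]]*([[:graph:]]+)[[:space:]]*$#\1#p' "${kubeConfigFile}" |tail -1 )
if [ -z "${apiUrl}" ] ;then
  echo "no server: entry found in ${kubeConfigFile}" >&2
  exit 1
fi
apiUri=$(echo "${apiUrl}" |cut -d'/' -f3 |tr '.' '-' )

# Carry the admin kubeconfig's CA bundle into the generated kubeconfigs so
# clients verify the API server certificate. It is used only when the current
# context points at the same server as apiUrl; otherwise the previous
# behaviour (no TLS verification) is kept and reported.
ctxServer=$(kubectl config view --raw --minify -o jsonpath='{.clusters[0].cluster.server}' )
caData=$(kubectl config view --raw --minify -o jsonpath='{.clusters[0].cluster.certificate-authority-data}' )
if [ -n "${caData}" ] && [ "${ctxServer}" = "${apiUrl}" ] ;then
  tlsSetting="certificate-authority-data: ${caData}"
else
  echo "WARNING: no embedded CA for ${apiUrl}; generated kubeconfigs will skip TLS verification" >&2
  tlsSetting="insecure-skip-tls-verify: true"
fi

# passwd field 6 is the home directory. Reading it here replaces a second,
# per-user grep that also matched logins sharing a prefix (bob / bob-admin).
awk -F: '$6 ~ /^\/home\// { print $1 ":" $6 }' /etc/passwd |while IFS=: read -r userLogin userHome ;do
nameSpace=infra-${userLogin}
kubeDir=${userHome}/kube
#https://openshift.tips/certificates/
openssl req -new -nodes -subj "/CN=${userLogin}" \
  -keyout private.key -out request.csr || continue
cat <<EOF |kubectl --validate=false apply -f -
kind: User
apiVersion: user.openshift.io/v1
metadata:
  name: "${userLogin}"
groups: null
EOF
#https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/#normal-user
# A CSR object left over from an earlier run would hand back a certificate
# for the previous private key, so remove it before submitting the new one.
kubectl delete csr "${userLogin}" --ignore-not-found
cat <<EOF |kubectl apply -f -
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: ${userLogin}
spec:
  request: $(base64 <request.csr |tr -d '\n' )
  signerName: kubernetes.io/kube-apiserver-client
  expirationSeconds: 86400  # one day
  usages:
  - client auth
EOF
kubectl certificate approve "${userLogin}"
# The signer fills in .status.certificate some time after approval; poll for
# up to ten seconds instead of reading it once.
signedCert=
for attempt in 1 2 3 4 5 6 7 8 9 10 ;do
  signedCert=$(kubectl get csr "${userLogin}" -o jsonpath='{.status.certificate}' )
  [ -n "${signedCert}" ] && break
  sleep 1
done
if [ -z "${signedCert}" ] ;then
  # No credential was issued: grant nothing and write no kubeconfig.
  echo "no certificate issued for ${userLogin}; skipping" >&2
  rm -f private.key request.csr
  continue
fi
printf '%s' "${signedCert}" |base64 -d >signed.crt
# "create" fails on objects that already exist; check first so a re-run is quiet.
kubectl get namespace "${nameSpace}" >/dev/null 2>&1 ||
  kubectl create namespace "${nameSpace}"
kubectl get rolebinding admin --namespace="${nameSpace}" >/dev/null 2>&1 ||
  kubectl create rolebinding admin --clusterrole=admin --user="${userLogin}" --namespace="${nameSpace}"
# NOTE(review): kubectl's default location is ~/.kube/config; this writes
# ~/kube/config as before. Confirm that path is intended.
# The target sits in a directory the user controls. Refuse symlinks so a
# privileged run cannot be redirected into overwriting some other file.
if [ -L "${kubeDir}" ] || [ -L "${kubeDir}/config" ] ;then
  echo "${kubeDir} or ${kubeDir}/config is a symlink; skipping ${userLogin}" >&2
  rm -f private.key request.csr signed.crt
  continue
fi
mkdir -p "${kubeDir}"
cat <<EOT >"${kubeDir}/config"
apiVersion: v1
clusters:
- cluster:
    ${tlsSetting}
    server: ${apiUrl}
  name: ${apiUri}
contexts:
- context:
    cluster: ${apiUri}
    namespace: ${nameSpace}
    user: ${userLogin}/${apiUri}
  name: ${nameSpace}/${apiUri}/${userLogin}
current-context: ${nameSpace}/${apiUri}/${userLogin}
kind: Config
preferences: {}
users:
- name: ${userLogin}/${apiUri}
  user:
    client-certificate-data: $(base64 <signed.crt |tr -d '\n' )
    client-key-data: $(base64 <private.key |tr -d '\n' )
EOT
# The file embeds the private key. umask does not tighten a file that already
# existed, so set the mode explicitly and hand the file to its user.
chmod 600 "${kubeDir}/config"
chown "${userLogin}:" "${kubeDir}" "${kubeDir}/config" ||
  echo "could not chown ${kubeDir} to ${userLogin}" >&2
# Do not leave one user's key material in the working directory.
rm -f private.key request.csr signed.crt
done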
#24cc42#