K8s-users: Difference between revisions
Jump to navigation
Jump to search
No edit summary |
(→code) |
||
| Line 17: | Line 17: | ||
sed -i '/kube/d' /home/*/.bashrc ${bashRc} | sed -i '/kube/d' /home/*/.bashrc ${bashRc} | ||
echo 'export KUBECONFIG=${HOME}/.kube/config' >>${bashRc} | echo 'export KUBECONFIG=${HOME}/.kube/config' >>${bashRc} | ||
if [ -z "${ | if [ -z "${usersList}" ] ;then | ||
cat /etc/passwd |grep :/home/ |cut -d':' -f1 | cat /etc/passwd |grep :/home/ |cut -d':' -f1 | ||
else | else | ||
echo "${ | echo "${usersList}" | ||
fi |while read userLogin ;do | fi |while read userLogin ;do | ||
nameSpace=infra-${userLogin} | nameSpace=infra-${userLogin} | ||
apiUrl=$(cat ${KUBECONFIG} |sed -rn 's#^[[:space:]]*server:[[:space:]]*([[:graph:]]+)[[:space:]]*$#\1#p' |tail -1 ) | apiUrl=$(cat ${KUBECONFIG} |sed -rn 's#^[[:space:]]*server:[[:space:]]*([[:graph:]]+)[[:space:]]*$#\1#p' |tail -1 ) | ||
userHome=$(cat /etc/passwd |grep ^${userLogin}: |cut -d: -f6 ) | userHome=$(cat /etc/passwd |grep ^${userLogin}: |cut -d: -f6 ) | ||
#https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/#normal-user | #https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/#normal-user | ||
kubectl delete csr ${userLogin} | kubectl delete csr ${userLogin} | ||
Revision as of 17:33, 9 February 2023
AUTOMATED
- Execute :
mkdir -p ~/old &&\
cd ~/old &&\
curl https://infocepo.com/wiki/index.php/Special:Export/K8s-users 2>/dev/null |tac |sed -r '0,/'"#"'24cc42#/d' |tac |sed -r '0,/'"#"'24cc42#/d' |sed 's/'"&"'amp;/\&/g;s/'"&"'gt;/>/g;s/'"&"'lt;/</g' >$$ &&\
bash $$ &&\
cd -
code
#24cc42#
cd
mkdir -p old
cd old
bashRc=$(find /etc -type f -name "*bashrc" |grep -vw /etc/skel/ )
sed -i '/kube/d' /home/*/.bashrc ${bashRc}
echo 'export KUBECONFIG=${HOME}/.kube/config' >>${bashRc}
if [ -z "${usersList}" ] ;then
cat /etc/passwd |grep :/home/ |cut -d':' -f1
else
echo "${usersList}"
fi |while read userLogin ;do
nameSpace=infra-${userLogin}
apiUrl=$(cat ${KUBECONFIG} |sed -rn 's#^[[:space:]]*server:[[:space:]]*([[:graph:]]+)[[:space:]]*$#\1#p' |tail -1 )
userHome=$(cat /etc/passwd |grep ^${userLogin}: |cut -d: -f6 )
#https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/#normal-user
kubectl delete csr ${userLogin}
cat <<EOF |kubectl apply -f -
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
name: ${userLogin}
spec:
request: $(cat ${userLogin}.csr |base64 |tr -d '\n' )
signerName: kubernetes.io/kube-apiserver-client
expirationSeconds: 86400 # one day
usages:
- client auth
EOF
kubectl certificate approve ${userLogin} &&sleep 2 &&\
kubectl get csr ${userLogin} -o jsonpath='{.status.certificate}'|base64 -d >${userLogin}.crt
kubectl create namespace ${nameSpace}
kubectl create rolebinding ${userLogin} --clusterrole=admin --user=${userLogin} --namespace=${nameSpace}
apiUri=$(echo $apiUrl |cut -d'/' -f3 |tr '.' '-' )
mkdir -p ${userHome}/.kube
cat <<EOT >${userHome}/.kube/config
apiVersion: v1
clusters:
- cluster:
insecure-skip-tls-verify: true
server: ${apiUrl}
name: ${apiUri}
contexts:
- context:
cluster: ${apiUri}
namespace: ${nameSpace}
user: ${userLogin}/${apiUri}
name: ${nameSpace}/${apiUri}/${userLogin}
current-context: ${nameSpace}/${apiUri}/${userLogin}
kind: Config
preferences: {}
users:
- name: ${userLogin}/${apiUri}
user:
client-certificate-data: $(cat ${userLogin}.crt |base64 |tr -d '\n' )
client-key-data: $(cat ${userLogin}.key |base64 |tr -d '\n' )
EOT
chmod ug+rw,o="" -R ${userHome}/.kube
find ${userHome}/.kube -xdev -type d -exec chmod ug+x {} \;
chown ${userLogin}: -R ${userHome}/.kube
cp -aZ ${userHome}/.kube/config ${userHome}/.kubeconfig
done
#24cc42#