K8s-users
Jump to navigation
Jump to search
AUTOMATED
- Define :
export usersList=
- Execute :
mkdir -p ~/old &&\
cd ~/old &&\
curl https://infocepo.com/wiki/index.php/Special:Export/K8s-users 2>/dev/null |tac |sed -r '0,/'"#"'24cc42#/d' |tac |sed -r '0,/'"#"'24cc42#/d' |sed 's/'"&"'amp;/\&/g;s/'"&"'gt;/>/g;s/'"&"'lt;/</g' >$$ &&\
bash $$ &&\
cd -
code
#24cc42#
cd
mkdir -p old
cd old
bashRc=$(find /etc -type f -name "*bashrc" |grep -vw /etc/skel/ )
sed -i '/kube/d' /home/*/.bashrc ${bashRc}
echo 'export KUBECONFIG=${HOME}/.kube/config' >>${bashRc}
if [ -z "${usersList}" ] ;then
cat /etc/passwd |grep :/home/ |cut -d':' -f1
else
echo "${usersList}"
fi |while read userLogin ;do
nameSpace=infra-${userLogin}
apiUrl=$(cat ${KUBECONFIG} |sed -rn 's#^[[:space:]]*server:[[:space:]]*([[:graph:]]+)[[:space:]]*$#\1#p' |tail -1 )
userHome=$(cat /etc/passwd |grep ^${userLogin}: |cut -d: -f6 )
#https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/#normal-user
openssl req -new -nodes -subj "/CN=${userLogin}" \
-keyout ${userLogin}.key -out ${userLogin}.csr
kubectl delete csr ${userLogin}
cat <<EOF |kubectl apply -f -
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
name: ${userLogin}
spec:
request: $(cat ${userLogin}.csr |base64 |tr -d '\n' )
signerName: kubernetes.io/kube-apiserver-client
expirationSeconds: 86400 # one day
usages:
- client auth
EOF
kubectl certificate approve ${userLogin} &&sleep 2 &&\
kubectl get csr ${userLogin} -o jsonpath='{.status.certificate}'|base64 -d >${userLogin}.crt
kubectl create namespace ${nameSpace}
kubectl create rolebinding ${userLogin} --clusterrole=admin --user=${userLogin} --namespace=${nameSpace}
#NAMESPACE NETWORK ISOLATION
cat <<EOF |kubectl -n ${nameSpace} apply -f -
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
name: allow-same-namespace
spec:
podSelector:
matchLabels:
ingress:
- from:
- podSelector: {}
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-from-ingress
spec:
ingress:
- from:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: ingress
podSelector: {}
policyTypes:
- Ingress
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-from-openshift-ingress
spec:
ingress:
- from:
- namespaceSelector:
matchLabels:
policy-group.network.openshift.io/ingress: ""
podSelector: {}
policyTypes:
- Ingress
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-from-openshift-monitoring
spec:
ingress:
- from:
- namespaceSelector:
matchLabels:
network.openshift.io/policy-group: monitoring
podSelector: {}
policyTypes:
- Ingress
EOF
#KUBECONFIG
apiUri=$(echo $apiUrl |cut -d'/' -f3 |tr '.' '-' )
mkdir -p ${userHome}/.kube
cat <<EOT >${userHome}/.kube/config
apiVersion: v1
clusters:
- cluster:
insecure-skip-tls-verify: true
server: ${apiUrl}
name: ${apiUri}
contexts:
- context:
cluster: ${apiUri}
namespace: ${nameSpace}
user: ${userLogin}/${apiUri}
name: ${nameSpace}/${apiUri}/${userLogin}
current-context: ${nameSpace}/${apiUri}/${userLogin}
kind: Config
preferences: {}
users:
- name: ${userLogin}/${apiUri}
user:
client-certificate-data: $(cat ${userLogin}.crt |base64 |tr -d '\n' )
client-key-data: $(cat ${userLogin}.key |base64 |tr -d '\n' )
EOT
chmod ug+rw,o="" -R ${userHome}/.kube
find ${userHome}/.kube -xdev -type d -exec chmod ug+x {} \;
chown ${userLogin}: -R ${userHome}/.kube
cp -aZ ${userHome}/.kube/config ${userHome}/.kubeconfig
done
#24cc42#