Kubernetes - 2/18/2021 - Day 19
Last week covered authentication and API binding.
API Group
- Role, role binding ...
Role - ClusterRole
- Cluster scope
- Namespace scope
We can put everything inside a namespace, such as:
Say you want two namespaces
- Frontend NS (CPU, RAM)
  - a POD and inside the POD
    - php
  - Web user
  - Deployment controller
  - everything needed..
- Backend NS (CPU, RAM)
  - PVC - persistent volume claim
  - PV
  - MySQL
  - DBuser
  - Database
Give the admin role (all power) to a user via a rolebinding inside the backend or frontend namespace.
Resources we manage inside a namespace (namespace scope)
- POD
- Deploy
- PVC
- SVC
Cluster resources - come under cluster scope
- PV
- SC
Most resources are meant to be managed inside a namespace, and some at cluster level.
- some resources are common,
We will create a user:
# cd /etc/kubernetes/pki
Certificate-based authentication
Create a certificate
Generate a private key (the notes use 1024 bits; 2048 is the usual minimum today)
# openssl genrsa -out sadmin.key 1024
Create a CSR; the CN is the user name, O is the group
# openssl req -new -key sadmin.key -out sadmin.csr -subj "/CN=sadmin/O=Storage"
Sign with the cluster CA
# openssl x509 -req -in sadmin.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out sadmin.crt -days 365
So we have sadmin.crt / sadmin.csr / sadmin.key
We have to transfer these keys.
sadmin is the user.
You already have the admin info in the config file, so copy it:
# cp /root/.kube/config sadmin.kubeconfig
# vi sadmin.kubeconfig
The copied file already has ca.crt (certificate-authority-data), so that part is set up properly.
In this file you are going to create the user; make some modifications:
change
clusters:
- name: kubernetes
  cluster:
    server: https://<public_IP_from_aws>:<port>   # use the master's public IP from AWS
users:
- name: sadmin
contexts:
- context:
    cluster: kubernetes
    user: sadmin
Now all the key/config info lives in sadmin.kubeconfig and we can use this file to set up anything.
Go to client-certificate-data,
move your cursor there and press Shift+D (vi) to delete to the end of the line,
then add your certificate info:
# cat sadmin.crt      (PEM text; the kubeconfig needs it base64-encoded, see below)
# cat sadmin.crt | base64
# cat sadmin.crt | base64 -w0    # -w0 puts the output on a single line
Copy the entire output and paste it under users: - name: sadmin as client-certificate-data.
Also copy the private key:
# cat sadmin.key | base64 -w0
Paste this key content into the kubeconfig file as client-key-data.
Note: the data has to be in base64 format.
This file is on your master node; open it and copy the content, or transfer it with scp.
First try it on the master node to see if you get any error. Verify it:
# kc get pod --kubeconfig sadmin.kubeconfig
Save the file as sadmin.kubeconfig on your local PC.
> cd cka_ws
> kc get pods --kubeconfig sadmin.kubeconfig
See if you get any error;
if there is any syntax error in the file, it will throw an error.
So we have the info about a user in a single file: sadmin.kubeconfig
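The same kubeconfig assembly as a script, added here as an example (not from the notes): it base64-encodes ca.crt and the user's crt/key into the inline data fields, so the one file can be copied to the laptop. Assumptions: the cert files exist (the openssl steps above produce them) and the API server URL, user name and output path are given as arguments.

```shell
# Build a self-contained kubeconfig for a certificate user (added example, not from the notes).
# Assumes: ca.crt and the user's crt/key already exist; server URL, user and output path
# are passed as arguments.
b64_oneline() {
  # Same as `base64 -w0` but portable (macOS base64 has no -w flag).
  base64 < "$1" | tr -d '\n'
}

build_kubeconfig() {
  ca_crt=$1; user_crt=$2; user_key=$3; server=$4; user=$5; out=$6
  for f in "$ca_crt" "$user_crt" "$user_key"; do
    [ -r "$f" ] || { echo "build_kubeconfig: cannot read $f" >&2; return 1; }
  done
  # Inline *-data fields replace file references, so the kubeconfig works
  # on any machine it is copied to.
  cat > "$out" <<EOF
apiVersion: v1
kind: Config
clusters:
- name: kubernetes
  cluster:
    server: ${server}
    certificate-authority-data: $(b64_oneline "$ca_crt")
users:
- name: ${user}
  user:
    client-certificate-data: $(b64_oneline "$user_crt")
    client-key-data: $(b64_oneline "$user_key")
contexts:
- name: ${user}@kubernetes
  context:
    cluster: kubernetes
    user: ${user}
current-context: ${user}@kubernetes
EOF
  chmod 600 "$out"   # the file embeds the private key: owner-only
}

# Usage on the master (paths from the notes; the IP/port are placeholders):
# cd /etc/kubernetes/pki
# build_kubeconfig ca.crt sadmin.crt sadmin.key https://<public_IP_from_aws>:<port> sadmin /root/sadmin.kubeconfig
# kubectl get pv --kubeconfig /root/sadmin.kubeconfig
```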
> kc get pods --kubeconfig sadmin.kubeconfig
forbidden
> kc get pods -n tech --kubeconfig sadmin.kubeconfig
forbidden
> kc get pv -n tech --kubeconfig sadmin.kubeconfig
You don't have permission to use pv.
Along with the error, it gives more info: it says pv is cluster scope.
Resources that are not part of a namespace come under cluster scope.
You have to give the user permission to perform tasks on cluster-scoped resources.
> kc --help
look for
api-resources ...
> kc api-resources --kubeconfig sadmin.kubeconfig
There are lots of resources available..
the resource name is pods (po)
you see the SHORTNAMES, NAMESPACED, and KIND columns..
you can grant permission based on a role...
if you see NAMESPACED: true -> it's part of a namespace
if false -> it's not part of a namespace (cluster scope).
> kc get pv --kubeconfig sadmin.kubeconfig
On the master node this also gives an error:
the error message says pv belongs to cluster scope.
look for cluster role
# kc get clusterrole
Create a role
# kc create -h
there is an option clusterrole
# kc create clusterrole -h
decide what permissions (verbs) you want to grant...
# kc create clusterrole mysadminrole --verb=get,list,watch,create --resource=pv
We created the role.
Anyone who has this role gets this access.
List your roles
# kc get clusterrole
Now associate this role with the user; this is called a rolebinding, and since it is cluster-wide, a clusterrolebinding.
# kc create -h
rolebinding..
# kc create clusterrolebinding myclusterrolebindingforstorage --clusterrole=mysadminrole --user=sadmin
Now this user can do the verbs we just added...
now, verify
> kc get pv --kubeconfig sadmin.kubeconfig
"No resources found" -> no error.
You haven't specified any namespace,
since pv is not in any namespace.
> kc get pods --kubeconfig sadmin.kubeconfig
still forbidden: the user has no access to pods in any namespace.
> kc get pods -n tech --kubeconfig sadmin.kubeconfig
> kc get nodes --kubeconfig sadmin.kubeconfig
# cd .kube
# cat config
# kc get clusterrole cluster-admin
# kc describe clusterrole cluster-admin
# kc get clusterrolebinding | grep admin
# kc describe clusterrolebinding cluster-admin
check under subjects:
group -> masters
open your config file..
you will see kubernetes-admin
this user has total control of your cluster...
if you bind sadmin to this role, it will have control of the entire cluster.
# kc get clusterrolebinding
# kc create clusterrolebinding myclusterroleroleadmin-sadmin --clusterrole=cluster-admin --user=sadmin
Check under Resources ....
Now try running on your PC
> kc get pv --kubeconfig sadmin.kubeconfig
> kc get nodes --kubeconfig sadmin.kubeconfig
> kc get pods --kubeconfig sadmin.kubeconfig
It is not good to give this much power; be careful when you create this kind of binding...
Now you can manage all the resources from your laptop..
Get the yaml and read the output...
Save it to a file and run it to create the rolebinding from the yaml
# kc get clusterrolebinding cluster-admin -o yaml
# kc get clusterrolebinding cluster-admin -o yaml > rolebinding.yaml
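A least-privilege alternative to the cluster-admin binding, written as a manifest you can save and apply like the yaml above. This is an added example, not from the notes: it declares the PV ClusterRole/ClusterRoleBinding created imperatively earlier plus a namespaced Role/RoleBinding that allows reading pods in one namespace only. User "sadmin", namespace "tech" and the role/binding names come from the notes; the "pod-reader" Role is an assumed name.

```shell
# Least-privilege RBAC for sadmin as a manifest (added example, not from the notes).
# Names mysadminrole / myclusterrolebindingforstorage / tech / sadmin are from the notes;
# pod-reader is an assumed name.
rbac_manifest() {
  user=$1; ns=$2
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata: {name: mysadminrole}
rules:
- apiGroups: [""]                     # core API group: PVs and pods live here
  resources: ["persistentvolumes"]
  verbs: ["get", "list", "watch", "create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata: {name: myclusterrolebindingforstorage}
subjects:
- {kind: User, name: ${user}, apiGroup: rbac.authorization.k8s.io}   # must equal the cert CN
roleRef: {kind: ClusterRole, name: mysadminrole, apiGroup: rbac.authorization.k8s.io}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role                            # namespaced: only pods in ${ns}
metadata: {name: pod-reader, namespace: ${ns}}
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata: {name: pod-reader-${user}, namespace: ${ns}}
subjects:
- {kind: User, name: ${user}, apiGroup: rbac.authorization.k8s.io}
roleRef: {kind: Role, name: pod-reader, apiGroup: rbac.authorization.k8s.io}
EOF
}

# Apply from the master:  rbac_manifest sadmin tech | kubectl apply -f -
# Then from the laptop:   kubectl get pods -n tech --kubeconfig sadmin.kubeconfig     (allowed)
#                         kubectl get pods -n default --kubeconfig sadmin.kubeconfig  (still forbidden)
```

Compared with binding sadmin to cluster-admin, this grants PV rights cluster-wide and pod reads in tech only; nodes and every other namespace stay forbidden.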
Thursday, February 18, 2021
Kubernetes - Roles, API group, rolebindings, namespace scope, cluster scope - Day 19