Thursday, February 18, 2021

Kubernetes - Roles, API group, rolebindings, namespace scope, cluster scope - Day 19

 Kubernetes - 2/18/2021 - Day 19

Last week discussed authentication and API binding.


API Group
- Role, RoleBinding ...

Role - ClusterRole

- Cluster scope
- Namespace scope


We can put everything inside a namespace, such as the following.


Say you want two namespaces:
- Frontend NS (CPU, RAM)
  - a Pod and inside the Pod
      - php
      - Web user
      - Deployment controller
      - everything needed..

- Backend NS (CPU, RAM)
  - PVC - persistent volume claim
    - PV
  - MySQL
     - DB user
     - Database

Provide an admin role (all power) -> RoleBinding to a user inside the backend or frontend namespace.

We manage resources inside a namespace (namespace scope)
- Pod
- Deployment
- PVC
- SVC

Cluster resources come under cluster scope
- PV
- SC (StorageClass)

Most resources are meant to be managed inside a namespace, and some at cluster level
- some resources are common,



We will create a user
->
# cd /etc/kubernetes/pki
certificate based authentication


Create certificate
Generate private key
# openssl genrsa -out sadmin.key 1024

# openssl req -new -key sadmin.key -out sadmin.csr -subj "/CN=sadmin/O=Storage"

Sign with the CA
# openssl x509 -req -in sadmin.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out sadmin.crt -days 365

so we have sadmin.crt/csr/key

we have to transfer these keys

sadmin is the user (the CN); O=Storage becomes the user's group

you already have admin info in this config file, so copy it
# cp /root/.kube/config sadmin.kubeconfig

# vi sadmin.kubeconfig

you have ca.crt, so everything is set up properly..

you have certificate-authority-data...

in this file, you are going to create the user
make some modifications
change
users:
- name: sadmin

server: use the public IP from AWS
- context:
    cluster: kubernetes


now, we have all key and config info in sadmin.kubeconfig and we can use this file to set up anything..

go to client-certificate-data

move your cursor there: press Shift + D (in vi) to delete to the end of the line...

now, add your certificate info...
# cat sadmin.crt and paste it into the sadmin.kubeconfig file
# cat sadmin.crt | base64
# cat sadmin.crt | base64 -w0    # prints the output on a single line.
copy the entire data and paste it under user: name

also copy the private key
# cat sadmin.key | base64 -w0

copy this private key content to the kubeconfig file (client-key-data).
note: the data has to be in base64 format
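The manual copy-and-paste above is error-prone (wrapped base64, a stray newline). As an added example that is not part of the original notes, this shell function builds the whole sadmin.kubeconfig from the CA cert, the user's cert and key, and the API server URL; it assumes those files exist and uses `base64 | tr -d '\n'` so it works where `base64 -w0` is unavailable.

```shell
#!/bin/sh
# Added example: build a standalone kubeconfig for a certificate-authenticated
# user. Inputs (assumed): user name, cluster name, API server URL, CA cert,
# user cert, user key. Every *-data field must hold single-line base64.

b64_oneline() {
    # Same effect as `base64 -w0` on GNU coreutils, but portable.
    base64 < "$1" | tr -d '\n'
}

# make_kubeconfig USER CLUSTER SERVER_URL CA_CRT USER_CRT USER_KEY
# Prints the kubeconfig to stdout; redirect it to e.g. sadmin.kubeconfig.
make_kubeconfig() {
    user="$1"; cluster="$2"; server="$3"; ca="$4"; crt="$5"; key="$6"
    cat <<EOF
apiVersion: v1
kind: Config
clusters:
- name: ${cluster}
  cluster:
    server: ${server}
    certificate-authority-data: $(b64_oneline "$ca")
users:
- name: ${user}
  user:
    client-certificate-data: $(b64_oneline "$crt")
    client-key-data: $(b64_oneline "$key")
contexts:
- name: ${user}@${cluster}
  context:
    cluster: ${cluster}
    user: ${user}
current-context: ${user}@${cluster}
EOF
}

# Usage on the master node (PUBLIC_IP is a placeholder for the AWS public IP):
#   cd /etc/kubernetes/pki
#   make_kubeconfig sadmin kubernetes https://PUBLIC_IP:6443 \
#       ca.crt sadmin.crt sadmin.key > sadmin.kubeconfig
```

The generated file contains the private key, so transfer it with scp and keep its permissions to the owner only.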

This file is on your master node; now, what you can do is open this file and copy the content

Try this on the master node to see if you get any error. Verify it..

# kc get pod --kubeconfig sadmin.kubeconfig


or transfer it through scp or use a copy method...


save the file as sadmin.kubeconfig on your local PC.


> cd cka_ws
> kc get pods --kubeconfig sadmin.kubeconfig

see if you get any error

if there is any syntax error, it will throw an error..

So, we have info about a user in a single file - sadmin.kubeconfig



> kc get pods --kubeconfig sadmin.kubeconfig
forbidden
> kc get pods -n tech --kubeconfig sadmin.kubeconfig
forbidden
> kc get pv -n tech --kubeconfig sadmin.kubeconfig

you don't have permission to use pv

along with the error, it gives more info... it says cluster scope

some resources that are not part of a namespace come under cluster scope
you have to give the user permission to perform tasks at cluster scope

> kc --help
look for
api-resources ...

> kc api-resources --kubeconfig sadmin.kubeconfig

There are lots of resources available..
the resource name is pods (po)

you see shortnames, namespaced, and kind info..

you can give permissions based on a role...

if you see namespaced: true -> it is part of a namespace
    if false -> it is not part of a namespace.



> kc get pv --kubeconfig sadmin.kubeconfig

@master node,
you get an error,
pv belongs to cluster scope, that's what the error message says..

look for cluster roles
# kc get clusterrole

create a role
# kc create -h

there is an option: create clusterrole
# kc create clusterrole -h
what permissions (verbs) do you want to grant...

# kc create clusterrole mysadminrole --verb=get,list,watch,create --resource=pv
we created a role
anyone who has this role can get access..

List your roles
# kc get clusterrole

now, associate this role with the user, which is called a rolebinding; since it is at cluster level, it is called a cluster role binding

# kc create -h
rolebinding..
# kc create clusterrolebinding myclusterrolebindingforstorage --clusterrole=mysadminrole --user=sadmin

now this user can do the verbs that we just added...

now, verify

> kc get pv --kubeconfig sadmin.kubeconfig
no resources found -> no errors..

you haven't specified any namespace
since pv is not in any namespace.
> kc get pods --kubeconfig sadmin.kubeconfig
the user doesn't have access to pods in other namespaces.
> kc get pods -n tech --kubeconfig sadmin.kubeconfig

> kc get nodes --kubeconfig sadmin.kubeconfig

# cd .kube
# cat config
# kc get clusterrole cluster-admin
# kc describe clusterrole cluster-admin
# kc get clusterrolebinding | grep admin
# kc describe clusterrolebinding cluster-admin
check under subjects:
group -> system:masters


open your config file..
you will see kubernetes-admin
this user has total control of your cluster...
if you bind sadmin to this role, it will have control of the entire cluster.

# kc get clusterrolebinding

# kc create clusterrolebinding myclusterroleadmin-sadmin --clusterrole=cluster-admin --user=sadmin


Check under Resources ....

Now try running on your PC

> kc get pv --kubeconfig sadmin.kubeconfig
> kc get nodes --kubeconfig sadmin.kubeconfig
> kc get pods --kubeconfig sadmin.kubeconfig
It is not good to give this much power; be careful when you create this kind of binding...

now, you can manage all the resources from your laptop..


get the yaml and read the output...
save it to a file and run it to create the rolebinding from the yaml


# kc get clusterrolebinding cluster-admin -o yaml
# kc get clusterrolebinding cluster-admin -o yaml > rolebinding.yaml
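Because a cluster-admin binding like the one created for sadmin above grants control of the whole cluster, it is worth checking regularly who holds it. As an added example that is not part of the original notes, this shell function reads the output of `kubectl get clusterrolebinding -o custom-columns=NAME:.metadata.name,ROLE:.roleRef.name,SUBJECTS:.subjects[*].name` and prints every cluster-admin subject other than the built-in system:masters group; the sample output below is constructed for the example.

```shell
#!/bin/sh
# Added example: flag ClusterRoleBindings that grant cluster-admin to anyone
# other than the built-in system:masters group. Input is the text produced by
#   kubectl get clusterrolebinding -o custom-columns=\
#     NAME:.metadata.name,ROLE:.roleRef.name,SUBJECTS:.subjects[*].name
# SAMPLE is constructed for this example; the sadmin names follow the notes.

SAMPLE='NAME                             ROLE                SUBJECTS
cluster-admin                    cluster-admin       system:masters
myclusterrolebindingforstorage   mysadminrole        sadmin
myclusterroleadmin-sadmin        cluster-admin       sadmin
system:basic-user                system:basic-user   system:authenticated'

# find_cluster_admin_grants < INPUT
# Prints "BINDING SUBJECT" for each cluster-admin subject that is not
# system:masters. Subjects in column 3 are comma-separated when there
# are several, so each one is checked individually.
find_cluster_admin_grants() {
    awk 'NR > 1 && $2 == "cluster-admin" {
            n = split($3, subj, ",")
            for (i = 1; i <= n; i++)
                if (subj[i] != "system:masters") print $1, subj[i]
         }'
}

# Number of non-system cluster-admin grants in SAMPLE (0 is the goal).
count_cluster_admin_grants() {
    printf '%s\n' "$SAMPLE" | find_cluster_admin_grants | wc -l | tr -d ' '
}

# Run against the live cluster with:
#   kubectl get clusterrolebinding -o custom-columns=NAME:.metadata.name,\
#     ROLE:.roleRef.name,SUBJECTS:.subjects[*].name | find_cluster_admin_grants
printf '%s\n' "$SAMPLE" | find_cluster_admin_grants
```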



