# Give yourself full k8s cluster access with full admin rights from your laptop
There are three main categories of access in a k8s cluster:

- Admin access (full access for administrators)
- User access (limited access for other cluster users, usually restricted to one or more namespaces)
- Service account access (access allowing applications, e.g. Jenkins, to perform actions on the cluster)
Before you start, you should know that there is a fully automated interactive script that will create the admin user for you. If you want to use it, read the README.md in the `admin-setup` directory.
Prerequisites:

- On your master node create a directory `client_certificates`.
- Create a CertificateSigningRequest (CSR):

```bash
openssl genrsa -out home-admin.key 2048  # generates the private key
openssl req -new -key home-admin.key -out home-admin.csr -subj "/CN=home-admin"  # generates the CSR
# or
openssl req -new -key home-admin.key -out home-admin.csr -subj "/CN=home-admin/O=system:admin"  # generates the CSR with an Organization field
```
- The additional part, `/O=system:admin`, is an Organization field that is commonly used to indicate that the certificate is for an admin-level user. Kubernetes reads the Organization fields of a client certificate as the user's group memberships; `system:admin` is a special value used in Kubernetes to denote administrative access.
- In the `client_certificates` directory run `tree`. It should list two files:

```
├── home-admin.csr
└── home-admin.key
```
- Create a script `csr-script.sh`, go to the Kubernetes CSR instructions and paste the CSR manifest into the script.
- Replace `request: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVF` with your own value, which you generate from `home-admin.csr`:

```bash
cat home-admin.csr | base64 | tr -d "\n"  # generates the value for the "request:" key in base64 format
```
- Run the script and check:

```bash
kubectl get csr  # the status of the certificate should be pending
```

- Approve the CSR:

```bash
kubectl certificate approve home-admin  # now check again and the status should be approved
```
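The CSR manifest steps above, as an added example that is not part of the original README: a bash helper that generates the `CertificateSigningRequest` manifest for `csr-script.sh` with the base64 `request:` value filled in from `home-admin.csr`, and checks that the CN in the CSR matches the user name you will bind in RBAC. The signer name, the `expirationSeconds` default and the script and output file names are my assumptions, not the guide's.

```bash
#!/usr/bin/env bash
# Added example, not part of the original README: builds the CertificateSigningRequest
# manifest the guide has you paste into csr-script.sh, with the base64 "request:" value
# filled in from the CSR file, and checks the CSR's CN against the RBAC user name.
set -euo pipefail

# Base64-encode a file on one line; the "request:" field must not contain newlines.
b64_oneline() {
  base64 < "$1" | tr -d '\n'
}

# Emit a certificates.k8s.io/v1 CSR manifest for <name> from <csr_file>.
# kubernetes.io/kube-apiserver-client is the signer for kubectl client certificates;
# expirationSeconds (3rd arg, default 1 day) bounds how long a lost laptop cert stays valid.
build_csr_manifest() {
  local name="$1" csr_file="$2" expiry="${3:-86400}"
  cat <<EOF
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: ${name}
spec:
  request: $(b64_oneline "$csr_file")
  signerName: kubernetes.io/kube-apiserver-client
  expirationSeconds: ${expiry}
  usages:
  - client auth
EOF
}

# The CN in the CSR becomes the Kubernetes user name. If it differs from the subject in the
# ClusterRoleBinding, the approved certificate authenticates but is authorized for nothing.
# Returns 0 when the CN equals <name>. Needs openssl.
csr_cn_matches() {
  local name="$1" csr_file="$2" cn
  cn=$(openssl req -in "$csr_file" -noout -subject -nameopt RFC2253 \
       | sed -n 's/.*CN=\([^,]*\).*/\1/p')
  [ "$cn" = "$name" ]
}

# Usage from the client_certificates directory: ./make-csr-manifest.sh home-admin
if [ "$#" -ge 1 ]; then
  csr_cn_matches "$1" "$1.csr" || { echo "CN in $1.csr does not match $1" >&2; exit 1; }
  build_csr_manifest "$1" "$1.csr" > csr-script.yaml
  echo "wrote csr-script.yaml; apply it with: kubectl apply -f csr-script.yaml"
fi
```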
- Extract the certificate for `home-admin` in text format, decoded from base64:

```bash
kubectl get csr home-admin -o jsonpath='{.status.certificate}' | base64 -d > home-admin.crt
```

- Now you should have the following files in `client_certificates`:

```
.
├── csr-script.sh
├── home-admin.crt
├── home-admin.csr
└── home-admin.key
```
- Copy the existing config in `.kube/conf` to a separate location and rename it to `k8s-local.conf`.
- Open it with a text editor and modify it as follows.
- You will see three certificates:
  - `certificate-authority-data`
  - `client-certificate-data`
  - `client-key-data`
- Keep the `certificate-authority-data` unchanged!
- Under `server: https://192.x.x.x`, change the user entries that follow to `home-admin`.
- Change `client-certificate-data` and `client-key-data` by deleting the existing certificates.
- Encode the new files in base64:
  - `home-admin.crt` in base64 format
  - `home-admin.key` in base64 format

  Replace `client-certificate-data` and `client-key-data` with the newly generated values:

```bash
cat home-admin.crt | base64 | tr -d "\n"
cat home-admin.key | base64 | tr -d "\n"
```
- Create the ClusterRole and ClusterRoleBinding manifest `crole-crbinding.yaml`:

```
.
├── crole-crbinding.yaml
├── csr-script.sh
├── home-admin.crt
├── home-admin.csr
└── home-admin.key
```

- Paste the content:

```yaml
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: home-admin
rules:
- apiGroups: ["*"]   # "*" covers every API group; [""] alone grants only the core group (pods, secrets, ...), not full admin
  resources: ["*"]
  verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: home-admin
subjects:
- kind: User
  name: home-admin   # must match the CN of the client certificate
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: home-admin
  apiGroup: rbac.authorization.k8s.io
```
- Check the ClusterRole and ClusterRoleBinding:

```bash
kubectl get clusterrole
kubectl get clusterrolebinding
```

- Move the new `k8s-local.conf` file to your laptop as `~/.kube/k8s-local.conf`.
- On the laptop, paste the following at the bottom of `~/.bashrc`:

```bash
export KUBECONFIG=~/.kube/k8s-local.conf
```

- Setting the `KUBECONFIG` environment variable is crucial for `kubectl` to know how to connect to the right Kubernetes cluster, user, and context. It allows you to easily switch between different Kubernetes configurations, making access management more flexible and efficient.
- For multiple cluster access see the documentation.

```bash
source ~/.bashrc
```

- Make sure you have kubectl installed and run from your laptop:

```bash
kubectl get pods -A
```