In most cases you should grant only the permissions that are actually required. Now it's time to create a new user for Kubernetes, to be used with kubectl.
I'll describe the classic way of creating the certificate with OpenSSL. There is also a way to use Kubernetes' built-in certificate management; I'll write about it someday.
openssl genrsa -out release-master_prod_key.pem 4096
openssl req -new -key release-master_prod_key.pem -out release-master_prod_csr.pem -subj '/CN=release-master@prod'
openssl x509 -req -in release-master_prod_csr.pem -CA /etc/kubernetes/ssl/ca.crt -CAkey /etc/kubernetes/ssl/ca.key -CAcreateserial -out release-master_prod_crt.pem -days 365
We've got our certificates now. Keep in mind that the API server does not check certificate revocation lists, so a leaked client certificate stays valid until the -days period expires. Time to create a config for kubectl.
kubectl config set-cluster prod --server=https://kube.enterprise.net:6443 --certificate-authority=ca.crt --embed-certs=true --kubeconfig=release-master_prod.cfg
kubectl config set-credentials release-master_prod --client-certificate=release-master_prod_crt.pem --client-key=release-master_prod_key.pem --embed-certs=true --kubeconfig=release-master_prod.cfg
kubectl config set-context release-master_prod --cluster=prod --namespace=prod --user=release-master_prod --kubeconfig=release-master_prod.cfg
kubectl config --kubeconfig=release-master_prod.cfg use-context release-master_prod
Our release-master.yaml to assign permissions:
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: release-master
  namespace: prod
rules:
# "describe" is not an API verb (kubectl describe is served by get and list),
# so it is left out; the API server would simply ignore it anyway.
- apiGroups:
  - apps
  resources:
  - deployments
  verbs:
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - extensions
  resources:
  - deployments
  verbs:
  - get
  - list
  - patch
  - update
  - watch
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: release-master
  namespace: prod
subjects:
- kind: User
  name: release-master@prod
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: release-master
  apiGroup: rbac.authorization.k8s.io
Now we just need to apply it:
kubectl apply -f release-master.yaml
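As an added example that is not part of the original post, here is a script that checks the new kubeconfig against the Role with `kubectl auth can-i`, confirming the allowed verbs work and that nothing wider (other verbs, resources or namespaces) slipped in. It assumes kubectl on PATH, a reachable cluster and the file names used above.

```sh
#!/bin/sh
# Added example (not from the original post): confirm that the new identity has
# exactly the permissions the Role grants, and nothing wider.
# Assumes kubectl on PATH and the release-master_prod.cfg produced above.
KUBECONFIG_FILE="${KUBECONFIG_FILE:-release-master_prod.cfg}"

# Ask the API server whether the identity in the kubeconfig may perform
# "verb" on "resource" in "namespace"; prints yes or no.
kube_can_i() {
    kubectl --kubeconfig="$KUBECONFIG_FILE" auth can-i "$1" "$2" -n "$3" 2>/dev/null
}

# Expected answers, one check per line: "expected verb resource namespace".
# The "yes" rows mirror the Role; the "no" rows prove it is not broader.
EXPECTED_MATRIX='yes get deployments prod
yes list deployments prod
yes patch deployments prod
yes update deployments prod
yes watch deployments prod
no create deployments prod
no delete deployments prod
no get pods prod
no get secrets prod
no get deployments default
no get deployments kube-system'

# Returns 0 when every row matches, 1 otherwise; each mismatch is printed.
verify_release_master_permissions() {
    failures=0
    while read -r expected verb resource ns; do
        [ -z "$expected" ] && continue
        actual=$(kube_can_i "$verb" "$resource" "$ns") || true
        if [ "$actual" != "$expected" ]; then
            printf 'MISMATCH: %s %s in %s: expected %s, got %s\n' \
                "$verb" "$resource" "$ns" "$expected" "${actual:-no answer}"
            failures=$((failures + 1))
        fi
    done <<EOF
$EXPECTED_MATRIX
EOF
    [ "$failures" -eq 0 ]
}
```

Source the file and call `verify_release_master_permissions` after every change to the Role; a non-zero exit means the effective permissions have drifted from the intended set.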