Script that creates a certificate-based user in a local cluster: it generates a private key and CSR for the user, submits the CSR to the cluster's client signer, approves it, and adds the issued client certificate (together with the private key) to the kubeconfig. It must be run with credentials that may create and approve CertificateSigningRequests:
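#!/bin/bash
# Create a client-certificate user for a local Kubernetes cluster.
#
# Usage: ./create-user.sh USERNAME
#
# Steps: generate an RSA private key and a CSR with subject CN=USERNAME/O=devgroup,
# submit it as a CertificateSigningRequest to the kubernetes.io/kube-apiserver-client
# signer, approve it, fetch the issued certificate and register a kubeconfig user and
# context both named USERNAME. RBAC later sees the user as CN and the group as O.
#
# Requirements: openssl, GNU base64 (-w 0) and a kubectl context that may create and
# approve CSRs (cluster-admin on a local cluster). The kubeconfig entry embeds the
# PRIVATE KEY as well as the certificate, so treat the kubeconfig as a secret.
#
# Environment:
#   CLUSTER_NAME  kubeconfig cluster the new context points at (default: minikube)
set -euo pipefail

username="${1:-}"
if [[ -z "$username" ]]; then
  echo "Provide username" >&2
  exit 1
fi

# The username becomes a directory name, an X.509 subject component and a Kubernetes
# object name. Restrict it to a DNS-1123-label charset so an argument such as
# "../x" cannot escape the working directory and "a/O=system:masters" cannot add an
# extra RDN (and thus an RBAC group) to the certificate subject.
if [[ ! "$username" =~ ^[a-z0-9]([-a-z0-9.]*[a-z0-9])?$ ]] || (( ${#username} > 63 )); then
  echo "Invalid username '$username': use lowercase letters, digits, '-' or '.' (max 63 chars)" >&2
  exit 1
fi

cluster_name="${CLUSTER_NAME:-minikube}"
csr_name="${username}-user-request"

mkdir -p -- "$username"
cd -- "$username" || exit 1

# Files created from here on (private key, CSR, cert) must not be readable by other
# local users; the default umask would typically leave the key world-readable.
umask 077

# Explicit key size rather than whatever the installed OpenSSL defaults to.
openssl genrsa -out "${username}.pem" 2048
# CN is the Kubernetes user name, O the group ("devgroup") that RBAC bindings can target.
openssl req -new -key "${username}.pem" -out "${username}.csr" -subj "/CN=${username}/O=devgroup"
csr_b64=$(base64 -w 0 < "${username}.csr")

# spec.request is immutable, so a CSR left over from a previous run for the same user
# would make `kubectl apply` fail; the old key is being replaced anyway.
kubectl delete csr "$csr_name" --ignore-not-found

# spec.groups is populated by the API server from the requesting identity; the value
# written here is informational only. The group RBAC sees comes from the cert's O=.
cat <<EOF > csr.yaml
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: ${csr_name}
spec:
  groups:
  - system:authenticated
  request: ${csr_b64}
  signerName: kubernetes.io/kube-apiserver-client
  expirationSeconds: 31536000
  usages:
  - client auth
  - digital signature
  - key encipherment
EOF
kubectl apply -f csr.yaml

# Wait (bounded, with a pause) for the CSR object to be visible, then approve it.
for (( i = 0; i < 30; i++ )); do
  kubectl get csr "$csr_name" >/dev/null 2>&1 && break
  echo "Waiting for CSR to be created..."
  sleep 1
done
kubectl certificate approve "$csr_name"

# Wait for the signer to issue the certificate. Bounded so that a denied CSR or an
# unavailable signer produces an error instead of an infinite busy loop.
cert_b64=""
for (( i = 0; i < 60; i++ )); do
  cert_b64=$(kubectl get csr "$csr_name" -o jsonpath='{.status.certificate}')
  [[ -n "$cert_b64" ]] && break
  sleep 1
done
if [[ -z "$cert_b64" ]]; then
  echo "Certificate for CSR ${csr_name} was not issued in time; see 'kubectl describe csr ${csr_name}'" >&2
  exit 1
fi
printf '%s' "$cert_b64" | base64 -d > "${username}.crt"

# Register the credentials, then a context that uses them against the chosen cluster.
# --embed-certs inlines both the certificate and the private key into the kubeconfig.
kubectl config set-credentials "$username" \
  --client-certificate="${PWD}/${username}.crt" \
  --client-key="${PWD}/${username}.pem" \
  --embed-certs=true
kubectl config set-context "$username" --cluster="$cluster_name" --user="$username"

cd "$OLDPWD"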
echo "DONE"

Script that assigns a ClusterRole or Role to the user inside one namespace (via a RoleBinding, so even a ClusterRole is only granted within that namespace):
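#!/bin/bash
# Bind a Role or a ClusterRole to a user inside one namespace via a RoleBinding.
#
# Usage: ./rbac.sh --user USER --namespace NAMESPACE (--role ROLE | --cluster-role CLUSTERROLE)
#
# A RoleBinding that references a ClusterRole still grants that ClusterRole's rules
# only within NAMESPACE; it does not grant cluster-wide access. Note that the script
# does not restrict WHICH role is bound: binding e.g. "cluster-admin" or "admin"
# hands the user full control of the namespace, including its Secrets.
#
# The caller needs permission to create rolebindings in NAMESPACE and must either
# already hold every permission the referenced role grants or have the "bind" verb
# on it; otherwise the API server rejects the binding (privilege-escalation check).
set -euo pipefail

#######################################
# Print usage. The previous help text was copied from an unrelated helm script.
#######################################
usage() {
  echo "Script to assign roles/clusterroles to a user via RoleBinding"
  echo "Usage: ./rbac.sh --user USER --namespace NAMESPACE [--role ROLE | --cluster-role CLUSTERROLE ]"
  echo "Flags:"
  printf "\t--user|-u\t\tKubernetes user name to bind (the certificate CN)\n"
  printf "\t--namespace|-n\t\tnamespace the RoleBinding is created in\n"
  printf "\t--role|-r\t\tnamespaced Role to bind (mutually exclusive with --cluster-role)\n"
  printf "\t--cluster-role|-cr\tClusterRole to bind, effective only in NAMESPACE (mutually exclusive with --role)\n"
  printf "\t--help|-h\t\tshow this help\n"
}

#######################################
# Abort unless a value-taking flag actually has a non-empty value.
# Without this, `shift 2` fails on a trailing flag and the parse loop spins forever.
# Arguments: the remaining argv ("$@")
#######################################
need_value() {
  if [[ $# -lt 2 || -z "$2" ]]; then
    echo "Flag $1 requires a value" >&2
    exit 1
  fi
}

#######################################
# Namespace names must be DNS-1123 labels.
#######################################
is_dns_label() {
  [[ "$1" =~ ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ ]] && (( ${#1} <= 63 ))
}

#######################################
# User, Role and ClusterRole names are path segments; allow ':' for "system:..."
# roles and '@' for e-mail style user names, but nothing that could break YAML.
#######################################
is_path_segment() {
  [[ "$1" =~ ^[A-Za-z0-9][-A-Za-z0-9_.:@]*$ ]] && (( ${#1} <= 253 ))
}

namespace=""
username=""
role=""
clusterrole=""

while [[ $# -gt 0 ]]; do
  case "$1" in
    --user|-u)
      need_value "$@"
      username="$2"
      shift 2
      ;;
    --namespace|-n)
      need_value "$@"
      namespace="$2"
      shift 2
      ;;
    --role|-r)
      need_value "$@"
      role="$2"
      shift 2
      ;;
    --cluster-role|-cr)
      need_value "$@"
      clusterrole="$2"
      shift 2
      ;;
    --help|-h)
      usage
      exit 0
      ;;
    *)
      # Unknown flag or stray positional argument. Previously a bare word matched no
      # arm, was never shifted and the loop never terminated.
      echo "Unknown argument: $1" >&2
      usage >&2
      exit 1
      ;;
  esac
done

# Need user, namespace and exactly one of role / clusterrole.
if [[ -z "$username" || -z "$namespace" || ( -z "$role" && -z "$clusterrole" ) ]]; then
  echo "Invalid input. Use --help flag for support" >&2
  exit 1
fi
if [[ -n "$role" && -n "$clusterrole" ]]; then
  echo "You can only provide either role or clusterrole" >&2
  exit 1
fi

if [[ -n "$clusterrole" ]]; then
  role_kind="ClusterRole"
  role_name="$clusterrole"
else
  role_kind="Role"
  role_name="$role"
fi

# All three values are interpolated into a YAML manifest; reject anything outside the
# expected charsets instead of letting a crafted argument alter the manifest.
is_dns_label "$namespace" || { echo "Invalid namespace '$namespace'" >&2; exit 1; }
is_path_segment "$username" || { echo "Invalid user name '$username'" >&2; exit 1; }
is_path_segment "$role_name" || { echo "Invalid ${role_kind} name '$role_name'" >&2; exit 1; }

# RoleBinding metadata.name must be a DNS-1123 subdomain: lowercase, no ':' '_' '@'.
binding_name=$(printf '%s' "${username}-${namespace}-${role_name}" | tr ':_@' '---' | tr '[:upper:]' '[:lower:]')

# Stream the manifest straight into kubectl: no temp file in the working directory
# to clean up, nothing left behind if apply fails.
kubectl apply -f - <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: "${binding_name}"
  namespace: ${namespace}
subjects:
- kind: User
  name: ${username}
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ${role_kind}
  name: ${role_name}
  apiGroup: rbac.authorization.k8s.io
EOF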